熱門精品專業我們的系統往往并不只是靠登錄這么簡單來控制權限,今天我們來看看基于角色的授權
假設我們的系統已經建立了昨天的users表
1,migration
2,model
3,application.rb
4,layout
如果我們的某一個controller或者action不想要check_authentication和check_authorization這兩個filter,我們可以skip掉:
但這只能精確到controller和action級別的權限控制
如果我們想控制對models實例的訪問權限,可以參考Bruce Perens的ModelSecurity
假設我們的系統已經建立了昨天的users表
1,migration
Java代碼 
- class AddRolesAndRightsTables < ActiveRecord::Migration
- def self.up
- create_table :users_roles, :id => false do |t|
- t.column :user_id, :integer
- t.column :role_id, :integer
- end
- create_table :roles, :do |t|
- t.column :name, :string
- end
- create_table :roles_rights, :id => false do |t|
- t.column :role_id, :integer
- t.column :right_id, :integer
- end
- create_table :rights do |t|
- t.column :name, :string
- t.column :controller, :string
- t.column :action, :string
- end
- end
- def self.down
- drop_table :users_roles
- drop_table :roles
- drop_table :rights
- drop_table :rights_roles
- end
- end
2,model
Java代碼
- class User < ActiveRecord::Base
- has_and_belongs_to_many :roles
- end
- class Role < ActiveRecord::Base
- has_and_belongs_to_many :users
- has_and_belongs_to_many :rights
- end
- class Right < ActiveRecord::Base
- has_and_belongs_to_many :roles
- end
3,application.rb
Java代碼
- class ApplicationController < ActionController::Base
- layout 'standard'
- before_filter :check_authentication,
- :check_authorization,
- :except => [:signin_form, :signin]
- def check_authentication
- unless session[:user]
- session[:intended_action] = action_name
- redirect_to :controller => :admin, :action => signin_form
- return false
- end
- end
- def check_authorization
- user = User.find(session[:user])
- unless user.roles.detect{|role|
- role.rights.detect{|right|
- right.action == action_name && right.controller == controller_name
- }
- }
- flash[:notice] = "You are not authorized to view the page you requested"
- request.env["HTTP_REFERER"] ? (redirect_to :back) : (redirect_to home_url)
- return false
- end
- end
- end
- end
4,layout
Java代碼
- <% if flash[:notice] %>
- <div class="errors">
- <% flash[:notice] %>
- </div>
- <% end %>
如果我們的某一個controller或者action不想要check_authentication和check_authorization這兩個filter,我們可以skip掉:
Java代碼
- class HomeController < ApplicationController
- skip_before_filter :check_authentication, :check_authorization
- def index
- render :text => "A page that doesn't require a signin or any rights"
- end
- end
但這只能精確到controller和action級別的權限控制
如果我們想控制對models實例的訪問權限,可以參考Bruce Perens的ModelSecurity
安徽新華電腦學校專業職業規劃師為你提供更多幫助【在線咨詢】
