ruby-on-rails - Authority Ruby Gem 可以与注销的用户一起使用吗？

Question

我收到以下错误:

  undefined method `can_read?' for nil:NilClass

..当尝试使用已注销的用户访问产品页面时。目前我有

class ProductAuthorizer < ApplicationAuthorizer

  def self.readable_by?(user)
    true
  end

end

我希望即使是未登录的用户也能看到该页面。这可能吗？

我尝试将默认用户方法更改为:

config.user_method = :current_user ||= User.new

但是，这会导致问题，我的服务器甚至无法启动。

Answer 1

好的，我在 https://github.com/nathanl/authority/pull/32 找到了这个:

OK! For the sake of anyone else reading this issue, Chris and I chatted and agreed about the best way to proceed. Here's the gist of it.

Authority won't specially handle nil users or give a specific option to do so. We want to limit Authority to authorization and keep authentication totally separate. If there's no user signed in, that's an authentication concern; Authority can't meaningfully answer the question "can this user do X?" if it isn't given a user or something that quacks like one.

Besides the philosophical point, having authentication handle this is a better user experience. If an admin has forgotten to sign in and attempts some admin-only action, it would be confusing to them to say "access denied". It would be much more helpful to say "please sign in".

What developers using Authority can do is:

Have something like Devise's before_filter :authenticate_user! running prior to any Authority checks on the request (since any action that requires authorization clearly requires authentication). Have their user method return a NullUser object that quacks like a user, then have their authorizers know what to do with those What Authority can do is improve the error it gives you if you pass nil or anything else that doesn't quack like a user. Chris is going to implement this.

嗨，我刚刚放了这个

  class ApplicationController < ActionController::Base
      def current_or_null_user
        if current_user == nil
          User.new
        else
          current_user
        end
     end
  end

...

Authority.configure do |config|
   config.user_method = :current_or_null_user
end