ruby-on-rails - Rails 5.2:授权访问 ActiveStorage::BlobsController#show
问题描述
我想授权访问ActiveStorage
附件并查看BlobsController
(https://github.com/rails/rails/blob/master/activestorage/app/controllers/active_storage/blobs_controller.rb)的源代码如下:
# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
expires_in ActiveStorage.service_urls_expire_in
redirect_to @blob.service_url(disposition: params[:disposition])
end
end
但即使上面的注释建议创建一个自定义控制器,我也需要覆盖 ActiveStorage 生成的路由,因为它们指向原始控制器,并且在我的设备上重新定义它们routes.rb
似乎会引发异常。此外,我不想再公开这些路由,因为它们没有被授权,并且有人可以获取signed_id
blob 并使用原始端点获取附件。循环应用程序初始化时的路由并删除旧的 ActiveStorage 路由并插入新的路由似乎是目前最好的解决方案,但我想避免这种情况。
有什么建议么?
解决方案
创建一个新控制器以覆盖原始控制器:app/controllers/active_storage/blobs_controller.rb
然后根据您的需要添加相应的授权方法:
#app/controllers/active_storage/blobs_controller.rb
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
redirect_to @blob.service_url(disposition: params[:disposition])
authorize! :show, @blob # NOT TESTED!
end
end
show
当您单击附件的链接时,将触发该操作。
@blob.class #=> ActiveStorage::Blob