Rails 5.2:授权访问ActiveStorage::BlobsController#show

Question

我想授权访问ActiveStorage附件，并查看BlobsController (https://github.com/rails/rails/blob/master/activestorage/app/controllers/active_storage/blobs_controller.rb)的源代码，声明如下：

# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
  include ActiveStorage::SetBlob

  def show
    expires_in ActiveStorage.service_urls_expire_in
    redirect_to @blob.service_url(disposition: params[:disposition])
  end
end

但即使是上面的注释也建议创建一个自定义控制器，我还需要覆盖ActiveStorage生成的路由，因为它们指向原始控制器，并且在我的routes.rb上重新定义它们似乎会抛出异常。此外，我不想再公开这些路由，因为它们未被授权，并且有人可能会获取blob的signed_id并使用原始端点获取附件。在应用程序初始化时循环路由，删除旧的ActiveStorage路由并插入新的路由似乎是目前最好的解决方案，但我想避免这种情况。

有什么建议吗？?

Answer 1

创建一个新的控制器来覆盖原来的：app/controllers/active_storage/blobs_controller.rb，然后根据您的需要添加相应的授权方法：

#app/controllers/active_storage/blobs_controller.rb
class ActiveStorage::BlobsController < ActiveStorage::BaseController
  include ActiveStorage::SetBlob

  def show
    redirect_to @blob.service_url(disposition: params[:disposition])
    authorize! :show, @blob # NOT TESTED!
  end

end

当您单击指向附件的链接时，将触发show操作。

@blob.class #=> ActiveStorage::Blob