发表新帖
发表新帖

Check if current_user is the owner of a resource and allow edit/delete actions

后端 未结
关注
9 589
鱼传尺愫
鱼传尺愫 2021-02-02 00:02

Example:

User A (id=10) has created a photo resource

photo: (id: 1 user_id = 10, url: \"http://...\")
相关标签:
9条回答
  • 灰色年华
    2021-02-02 00:43

    Check this railscasts,

    http://railscasts.com/episodes/192-authorization-with-cancan

    Complications you will run into,

    1. When you want cancan authorization on User Model that Devise gem is using for authentication

    2. When you want to store your Roles in the Database

    3. When you want to assign Permissions to the Roles as an Admin from the webUI

    4. and more ..

    Please comment if you want any of those features, I will be happy to help, because I recently did them with great help from others and its always amazing to pass it on.

    A sample Ability for your resources can be like as follows,

    class Ability
  include CanCan::Ability

  def initialize(user)

      user ||= User.new # guest users
      send(user.role.name)

        if user.role.blank?
          can :read, User #for guest without roles
        end

  end

  def man
    can :manage, Photo
  end


  def boy
    can :read, Photo
  end

  def kid
    can :read, Article
  end

end
    0 讨论(0)
  • 借酒劲吻你
    2021-02-02 00:44

    If CanCan is too advanced, you should loon into checking the id of the accessor in the controller using...

    if @user.id == @photo.user_id
  # edit photo details
else
  redirect_to root_path, notice: "You! Shall! Not! Edit!"

    ...or something like that

    0 讨论(0)
  • 半阙折子戏
    2021-02-02 00:51

    You can make use of Rails' associations and write it like this:

    def edit
  @photo = current_user.photos.find(params[:id])

  # ... do everything else
end

    This will only find a record when the photo with the supplied ID belongs to the current user. If it doesn't, Rails will raise a ActiveRecord::RecordNotFound exception.

    Of course, I'm assuming the current_user method is available and your User model contains the statement has_many :photos.

    0 讨论(0)
  • 死守一世寂寞
    2021-02-02 00:52

    The simplest would be to to modify routes.rb.

    Assign photos to live in the current_user path.

    For example, 

    devise_for :users

resources 'users' do 
  resources 'photos'
end
    0 讨论(0)
  • 佛祖请我去吃肉
    2021-02-02 00:53

    I captured the exception from within a before_filter action:

    before_action :set_photo, only: [:edit, :update, :destroy]

def set_photo
  @photo = current_user.photos.find(params[:id])

  rescue ActiveRecord::RecordNotFound
    redirect_to(root_url, :notice => 'Record not found')
end

    Hope this helps someone. I'm using Rails 4 and Ruby 2.

    0 讨论(0)
  • 被撕碎了的回忆
    2021-02-02 00:56

    In your PhotosController:

    before_filter :require_permission, only: :edit

def require_permission
  if current_user != Photo.find(params[:id]).user
    redirect_to root_path
    #Or do something else here
  end
end
    0 讨论(0)
 看不清?
提交回复
热议问题