问题
I have this current before filter in my users_controller
before_filter :authenticate_usergroup, :except => [:edit, :update, :show]
It works great for just allowing a user to edit their information but not being able to see all the users, but i'v found that by just changing their 'id' in the url they could also edit other users information.
How can i only allow :edit, :show and :update functions to the current user for their own record. i have this method in my application_controller to be able to access the current user
def current_user
return unless session[:user_id]
@current_user ||= User.find_by_id(session[:user_id])
end
#update from users_controller.rb
def update
@user = User.find(params[:id])
respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to @user, :notice => 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render :action => "edit" }
format.json { render :json => @user.errors, :status => :unprocessable_entity }
end
end
end
回答1:
if you "scope" that only the current_user can access their information, then it doesn't matter.
so in show and edit
@user = current_user
in update action something like
current_user.update_attributes(params[:user])
should do the trick.
回答2:
I did it this way:
in #show action in the controller:
if current_user.id == Certificate.find(params[:id]).user_id
@certificate = Certificate.find(params[:id])
else
redirect_to certificates_url, notice: 'You can only view your own certificates'
end
I know its not using a 'before_filter', but it seems to have the same effect of blocking users from simply typing in different urls to view other users information.
来源:https://stackoverflow.com/questions/13784285/before-filter-with-exception-for-current-user