阻止其他登录用户访问“编辑"页面 [英] Preventing other signed-in users from accessing 'edit' page

问题描述

我正在构建一个小型网络应用，允许用户列出他们的目标.我希望用户只能编辑他们自己的内容.我已经有一个作为 before_filter 的身份验证功能，它检查以确保有人登录，但它不检查用户是否是内容的创建者.我尝试创建第二个名为correct_user 的before_filter，其代码如下:

I'm building a small web app that allows users to list their goals. I want the users to only be able to edit their own content. I've already got an authenticate function as a before_filter which checks to make sure someone is signed in, but it doesn't check if the user is the creator of the content. I tried creating a second before_filter called correct_user that has the code as follows:

def correct_user
  @user = User.find(params[:id])
  redirect_to(user_path(current_user)) unless current_user?(@user)
end 

此外，这里是运行获取请求以编辑我自己的内容的服务器输出

In addition here is the server output from running a get request to edit my own content

Started GET "/goals/31/edit" for 127.0.0.1 at 2011-05-18 15:22:38 -0400
  Processing by GoalsController#edit as HTML
  Parameters: {"id"=>"31"}
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE ("users"."id" = 101) LIMIT 1
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE ("users"."id" = 31) LIMIT 1
Redirected to http://localhost:3000/users/101 Completed 302 Found in 49ms
Completed 302 Found in 49ms

为清楚起见，我使用的 user_id 是 101，而我尝试编辑的目标_id 是 31.有人能解释一下到底发生了什么吗?

For clarity, the user_id I'm using is 101, and the goal_id I'm trying to edit is 31. Could someone explain exactly what is going on?

另外，我知道您可以使用名为 CanCan 的 gem 来解决这个问题(因为有人回答了类似的问题)，但是有没有不使用 gem 的方法来解决这个问题?看起来我的简单小功能应该可以工作，但有人可以解释为什么不可以吗?

Also, I'm aware you can navigate this problem by using a gem called CanCan (as a similar question was answered about this), but is there a way to do it without using a gem? It seems like my simple little function should work, but could someone explain why it doesn't?

推荐答案

params 是(通过 url 或表单字段等)发送到您的操作的所有参数的哈希值.参数的名称(如果存在于 URL 中)在您的路由文件中定义.对于您的目标控制器路由，您可能(大概)有:

params is the hash of all parameters being sent (via url or form fields, etc) to your action. The name of the parameter, if present in the URL, is defined in your routes file. For your goals controller routes, you probably (presumably) have:

goals_path: /goals/
goal_path: /goals/:id
edit_goal_path: /goals/:id/edit

因为您正在获取 /goals/31/edit，params[:id] 是 31，即您正在编辑的目标的 id.correct_user 中的第一行是查找 id 与 params 哈希 (goal_id) 中的 id 匹配的用户.所以真的，你应该做这样的事情:

Because you are getting /goals/31/edit, params[:id] is 31, the id of the goal you are editing. The first line in correct_user is finding the User whose id matches the id in the params hash (goal_id). So really, you should be doing something like this:

def correct_user
  user = Goal.find(params[:id]).user if params[:id]
  redirect_to user_path(current_user) unless current_user?(user)
end

这就是说，找到某人想要编辑的目标(来自 params[:id])，并给我与之关联的用户(你没有发布你的目标模型，我假设目标属于 :user 但你可能已将其命名为创建者"或所有者").如果用户与当前登录的用户不同，则重定向.您之前的代码试图找到与正在编辑的目标具有相同 ID 的用户.

This says, find the goal that somebody wants to edit (from params[:id]), and give me the user associated with it ( you didn't post your goal model, I am assuming Goal belongs_to :user but you may have named it "creator" or "owner" instead). Redirect if the user is not the same as the current user logged in. Your previous code was attempting to find a User with the same id as the goal being edited.

这篇关于阻止其他登录用户访问“编辑"页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！