检查CURRENT_USER是一个资源的所有者,并允许编辑/删除操作 [英] Check if current_user is the owner of a resource and allow edit/delete actions
问题描述
示例:
用户的 A (n = 10),创造了一个照片资源
User A (id=10) has created a photo resource
photo: (id: 1 user_id = 10, url: "http://...")
现在,如果用户的 B (n = 20),去这个网址: /照片/ 1 /编辑
它可以编辑照片的用户 A !
Now, if User B (id=20) go to this url: /photos/1/edit
it can edit photo of user A!!!
的Rails +制订提供的东西这个默认?现在看来,这是一个非常普遍的问题。
Rails+Devise provides something for this by default? It seems it's a very common issue
我只需要允许任何用户都可以编辑/删除唯一的资源已创建(其中CURRENT_USER == resource.user)
I just need to allow that any user can edit/delete ONLY resource it has created (where current_user == resource.user)
使用:轨道4,制订
更新:
我觉得惨惨它的东西太超前了。我不需要角色或限制某些行动,以特定的用户
I think CanCan it's something too advanced. I don't need roles or restrict some actions to certain users
推荐答案
在你PhotosController:
In your PhotosController:
before_filter :require_permission, only: :edit
def require_permission
if current_user != Photo.find(params[:id]).user
redirect_to root_path
#Or do something else here
end
end
这篇关于检查CURRENT_USER是一个资源的所有者,并允许编辑/删除操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!