除了与当前用户的before_filter [英] before_filter with exception for current user
问题描述
我有过滤器前,此电流在我users_controller
的before_filter:authenticate_usergroup,:除了=>
它只是允许用户编辑自己的信息但不能够看到所有用户的伟大工程,但我心中已经发现,只是在URL改变他们的'身份证',他们还可以编辑其他用户的信息。
我怎么能只允许:编辑:秀:更新功能,为自己的唱片当前用户。我有这个方法在我application_controller能够访问当前用户
高清CURRENT_USER
除非回报会话[:USER_ID]
@current_user || = User.find_by_id(会话[:USER_ID])
结束从users_controller.rb #UPDATE
DEF更新
@user = User.find(PARAMS [:ID])做的respond_to |格式|
如果@ user.update_attributes(PARAMS [:用户])
format.html {redirect_to的@user,:通知=> 用户已成功更新。 }
format.json {头:NO_CONTENT}
其他
format.html {渲染:行动=> 编辑}
format.json {渲染:JSON => @ user.errors,:状态=> :unprocessable_entity}
结束
结束
结束
如果你的范围,只有 CURRENT_USER
可以访问他们的信息,那么也没关系
所以在显示和编辑
@user = CURRENT_USER
在更新动作有点像 current_user.update_attributes(PARAMS [:用户])
应该做的伎俩。
I have this current before filter in my users_controller
before_filter :authenticate_usergroup, :except => [:edit, :update, :show]
It works great for just allowing a user to edit their information but not being able to see all the users, but i'v found that by just changing their 'id' in the url they could also edit other users information.
How can i only allow :edit, :show and :update functions to the current user for their own record. i have this method in my application_controller to be able to access the current user
def current_user
return unless session[:user_id]
@current_user ||= User.find_by_id(session[:user_id])
end
#update from users_controller.rb
def update
@user = User.find(params[:id])
respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to @user, :notice => 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render :action => "edit" }
format.json { render :json => @user.errors, :status => :unprocessable_entity }
end
end
end
if you "scope" that only the current_user
can access their information, then it doesn't matter.
so in show and edit
@user = current_user
in update action something like
current_user.update_attributes(params[:user])
should do the trick.
这篇关于除了与当前用户的before_filter的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!