开发者

Adding security on routes in Rails

问答 作者:

In Rails 2, how can I prevent a user from just changing the id # and accessing other Objects?

For exampl开发者_运维技巧e :

website.com/users/1231/edit

How do I prevent a user from changing the 1231 and accessing another account?

@user = User.find params[:id]
redirect_to :back unless current_user == @user

Use a before_filter in your controllers.

class Users < ApplicationController
  before_filter :require_user, :only => [:show]

  private

  def require_user
    @user = User.find_by_id(params[:id])
    redirect_to root_url if @user.nil?
  end

end

Use a permissions-checking gem like CanCan or Aegis. Both have conventions that add permissions checking to every method on every controller automatically.

继续阅读:routesruby-on-railssecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9