开发者

Adding security on routes in Rails

In Rails 2, how can I prevent a user from just changing the id # and accessing other Objects?

For exampl开发者_运维技巧e :

website.com/users/1231/edit

How do I prevent a user from changing the 1231 and accessing another account?


@user = User.find params[:id]
redirect_to :back unless current_user == @user


Use a before_filter in your controllers.

class Users < ApplicationController
  before_filter :require_user, :only => [:show]

  private

  def require_user
    @user = User.find_by_id(params[:id])
    redirect_to root_url if @user.nil?
  end

end


Use a permissions-checking gem like CanCan or Aegis. Both have conventions that add permissions checking to every method on every controller automatically.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜