Adding security on routes in Rails
In Rails 2, how can I prevent a user from just changing the id # and accessing other Objects?
For example:
website.com/users/1231/edit
How do I prevent a user from changing the 1231 and accessing another account?
    # Look the record up, then refuse to proceed unless it belongs to the signed-in user
    @user = User.find params[:id]
    redirect_to :back unless current_user == @user
Use a before_filter in your controllers.
    class UsersController < ApplicationController
      before_filter :require_user, :only => [:show]

      private

      def require_user
        @user = User.find_by_id(params[:id])
        # Redirect when the id does not exist, and also when it exists but is
        # not the signed-in user's own record; otherwise any valid id is accepted.
        redirect_to root_url if @user.nil? || @user != current_user
      end
    end
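The ownership check above, as an added example that is not part of the original post or of Rails itself: a plain-Ruby stand-in for a controller with a before_filter, runnable without Rails. It puts the unscoped lookup (`Account.find(params[:id])`, which returns any existing record) beside the scoped lookup (the equivalent of `current_user.accounts.find(params[:id])`), where a record the user does not own is treated exactly like one that does not exist. `Account`, `USERS`, `ACCOUNTS`, `find_account_for` and `handle_edit` are constructed names for the illustration, not Rails or gem APIs.

```ruby
# Added example: plain-Ruby model of an ownership check guarding an edit
# action. Names (Account, USERS, ACCOUNTS, find_account_for, handle_edit)
# are constructed for illustration and are not Rails APIs.

RecordNotFound = Class.new(StandardError)

User = Struct.new(:id, :name)
Account = Struct.new(:id, :owner_id)

# Constructed sample data standing in for the database tables.
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }
ACCOUNTS = { 10 => Account.new(10, 1), 20 => Account.new(20, 2) }

# Unscoped lookup: the pattern behind the question. Any existing id is
# returned, so the caller must remember to compare ownership afterwards.
def find_account_unscoped(id)
  ACCOUNTS.fetch(id) { raise RecordNotFound, "Account #{id}" }
end

# Scoped lookup: the equivalent of `current_user.accounts.find(params[:id])`.
# A record the user does not own raises the same error as a missing record,
# so the action cannot accidentally render someone else's data.
def find_account_for(user, id)
  account = ACCOUNTS[id]
  raise RecordNotFound, "Account #{id}" if account.nil? || account.owner_id != user.id
  account
end

# Minimal stand-in for a controller whose edit action is guarded by a
# before_filter. Actions return symbols instead of rendering so the outcome
# can be asserted on.
class AccountsController
  attr_reader :current_user, :params

  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  # The filter: load the record through the current user's scope and halt
  # (false) when that fails, which the action turns into a redirect.
  def require_owner
    @account = find_account_for(current_user, params[:id])
    true
  rescue RecordNotFound
    false
  end

  def edit
    return :redirect_to_root unless require_owner
    [:render_edit, @account.id]
  end
end

# Simulate a request: user `user_id` asks to edit account `account_id`.
def handle_edit(user_id, account_id)
  AccountsController.new(USERS.fetch(user_id), { id: account_id }).edit
end
```

Running `handle_edit(1, 20)` (alice requesting bob's account) yields `:redirect_to_root`, the same result as a nonexistent id, while `handle_edit(1, 10)` renders the edit form. Scoping the query through the association is the less error-prone form because the check cannot be forgotten in a later action that also looks records up.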
Use a permissions-checking gem like CanCan or Aegis. Both have conventions that add permissions checking to every method on every controller automatically.