开发者

require_owner code to limit controller actions not recognizing current user as owner [duplicate]

问答 作者:
This question already has answers here: Closed 10 years ago.

Possible Duplicate:

before_filter :require_owner

I am trying to restrict access to certain actions using a before_filter which seems easy enough. Somehow the ApplicationController is not recognizing that the current_user is the owner of the user edit action. When I take the filter off the controller correctly routes the current_user to their edit view information. Here is the code.

Link to call edit action from user controller (views/questions/index.html.erb):

<%= link_to "Edit Profile", edit_user_path(:current) %>

ApplicationController (I am only posting the code that I think is affecting this but can post the whole thing if needed).

 class ApplicationController < ActionController::Base

    def require_owner
          obj = instance_variable_get("@#{controller_name.singularize.camelize.underscore}") # LineItem becomes @line_item
          return true if current_user_is_owner?(obj)
          render_error_message("You must be the #{controller_name.singularize.ca开发者_运维问答melize} owner to access this page", root_url)
          return false
        end
 end

and the before_filter

class UsersController < ApplicationController

before_filter :require_owner, :only => [:edit, :update, :destroy]

#...

end

I simply get the rendering of the error message from the ApplicationController#require_owner action.

UPDATE: the link_to provides this address: localhost:3000/users/current/edit

Ok, this is the second bounty question that I have posted and then answered myself. Both times I have found the answer within an hour of my bounty post. Ha.

I simply changed the before filter method to get this to work. I left the application controller as it is in the code above but in the UsersController (the only one that wasn't cooperating) I did the following:

    before_filter :require_user, :only => [:edit, :update, :destroy]  # all actions require user to be logged in
    before_filter :init_data     # create a member variable called @post, initialized based on the action
    before_filter :require_user_owner, :only => [:edit, :update, :destroy] #edit, update, and destroy actions require ownership

and then 

private

    def require_user_owner
      obj = instance_variable_get("@#{controller_name.singularize.camelize.underscore}") # LineItem becomes @line_item
      return true if current_user.id == @user.id
      render_error_message("You must be the #{controller_name.singularize.camelize} owner to access this page", root_url)
      return false
    end

That seemed to do it.

Seems to me that the current_user_is_owner?(obj) call have an issue. To prove it, modify the code to:

def require_owner
  # LineItem becomes @line_item
  obj = instance_variable_get("@#{controller_name.singularize.camelize.underscore}") 
  if current_user_is_owner?(obj)
    return true
  else
    render_error_message("You must be the #{controller_name.singularize.camelize} owner to access this page", root_url)
    return false
  end
end

You might want to paste the current_user_is_owner? method.

Hopefully it helps.

继续阅读:authorizationrubyruby-on-rails

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9