[英]Rails 4 : Current user can only edit their post
User is only able to edit when they are logged in but the problem is any user logged in can edit other users content. 用户只能在登录时进行编辑,但问题是任何登录的用户都可以编辑其他用户的内容。 How to make user specific edit, only the current user can only edit their content?
如何进行用户特定的编辑,只有当前用户只能编辑他们的内容?
class JobsController < ApplicationController
before_action :find_job, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!,except:[:index]
def show
end
def update
if @job.update(jobs_params)
redirect_to @job
else
render "Edit"
end
end
private
def jobs_params
params.require(:job).permit(:title, :description, :company, :url, :jobcategory_id)
end
def find_job
@job = Job.find(params[:id])
end
end
show.html.haml
- if user_signed_in?
= link_to "Back", root_path, class: "btn btn-sm btn-default"
= link_to "Edit", edit_job_path(@job), class: "btn btn-sm btn-default"
You have not associate Job
with User
. 您尚未将
Job
与User
关联。 without it how you can identify which Job
is posted by which User
? 没有它如何识别哪个
User
发布了哪个Job
?
For that associate Job
with User
对于该员工与
User
Job
in user.rb 在user.rb中
has_many :jobs
in job.rb 在job.rb
belongs_to :user
then add user_id
column to Job
table and also add user_id
in your strong parameter. 然后将
user_id
列添加到Job
表,并在strong参数中添加user_id
。
To add user_id
column in your Job
table: 要在
Job
表中添加user_id
列:
rails g migration AddUseridToJob user_id:integer
rake db:migrate
In your template: jobs/_form.html.haml assign user_id
在您的模板中: jobs / _form.html.haml指定
user_id
= f.hidden_field :user_id , :value => current_user.id
by this when user create the job
in data it will be associated with that particular User
So you can identify and restrict some actions. 当用户在数据中创建
job
,它将与该特定User
相关联,因此您可以识别和限制某些操作。
After follow the above steps Try this: 按照上述步骤试试这个:
- if (user_signed_in? && (current_user.id == @job.user_id))
= link_to "Edit", edit_job_path(@job), class: "btn btn-sm btn-default"
Note: 注意:
edit
action link will be not seen to any other user. edit
操作链接是否会被任何其他用户看不到。 If you do not want to allow anyother user to edit
/ update
/ delete
job and redirect them to index page then implement job_owner
method like this: 如果您不想让任何其他用户
edit
/ update
/ delete
作业并将其重定向到索引页面,则实现job_owner
方法,如下所示:
class JobsController < ApplicationController
before_action :find_job, only: [:show, :edit, :update, :destroy, :job_owner]
before_action :authenticate_user!,except:[:index]
before_action :job_owner, only: [:edit, :update, :destroy]
....
# add this method
def job_owner
unless @job.user_id == current_user.id
flash[:notice] = 'Access denied as you are not owner of this Job'
redirect_to jobs_path
end
end
....
end
I suggest to use cancancan gem and define your ability as below: 我建议使用cancancan gem并定义你的能力如下:
can [ :edit, :update, :delete ], Job do |job|
job.user_id == user.id
end
You can create a helper method: 您可以创建一个辅助方法:
def user_allowed
user_signed_in? && (current_user.id == @job.user_id)
end
And then call it before your actions: 然后在你的行动之前调用它:
<% if user_allowed %>
You probably want something like this? 你可能想要这样的东西?
= link_to "Edit", edit_job_path(@job), class: "btn btn-sm btn-default" if @current_user.id == @job.owner_id
Note that owner_id is something I made up. 请注意,owner_id是我编写的。 You haven't given enough context around what a user can/can't edit.
您没有提供有关用户可以/不能编辑的内容的足够上下文。 How do you determine if a job belongs to a user or is editable by them.
如何确定作业是属于用户还是可由他们编辑。 That should give you something to go on though.
这应该会给你一些事情。
You probably want to investigate some sort of authorization gem like pundit . 您可能想要调查某些授权宝石,如专家 。 Pundit will allow you to setup policies per controller and allow you to manage access with fine granularity.
Pundit将允许您为每个控制器设置策略,并允许您以精细的粒度管理访问。 The documentation describes how to set it up and use before_action's to validate authorization prior to the action being run.
该文档描述了如何设置它并使用before_action来在运行操作之前验证授权。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.