[英]Showing edit button to current_user only (Rails 4)
I'm trying to allow users to show the edit button only if the profile belongs to them. 我试图允许用户只有在个人资料属于他们时才显示编辑按钮。 Currently, they're only allowed to edit the profile if it belongs to them but I can't seem to hide the button. 目前,他们只允许编辑配置文件,如果它属于他们但我似乎无法隐藏按钮。 I have this so far 到目前为止我有这个
<% if request.original_url == request.base_url + "current_user.id" %>
<%= link_to "Edit Profile", edit_user_path(current_user), class: "btn btn-primary btn-xs" %>
<% end %>
This is what I'm trying to compare: 这就是我想要比较的内容:
request.original_url => localhost:3000/users/random_user request.original_url => localhost:3000 / users / random_user
request.base_url + "users/" + current_user.id => localhost:3000/users/current_user request.base_url +“users /”+ current_user.id => localhost:3000 / users / current_user
Thanks in advance. 提前致谢。
Authorization 授权
To give you some perspective, you'll be looking for something called authorization . 为了给你一些观点,你将寻找一种叫做授权的东西。
This is different from authentication because it deals with permissions , rather than identifying your identity . 这与身份验证不同,因为它处理权限 ,而不是识别您的身份 。 I'll get into how this works in a minute. 我将在一分钟内了解它的工作原理。
To solve your problem, here's what you need to do: 要解决您的问题,这是您需要做的:
<%= link_to "Edit Profile", edit_user_path(current_user), class: "btn btn-primary btn-xs", if user_signed_in? && current_user == @user %>
I'm guessing you're showing this on a user#show
action, which can be invoked using the following code: 我猜你是在user#show
action上显示这个,可以使用以下代码调用它:
#app/controllers/users_controller.rb
class UsersController < ApplicationController
def show
@user = User.find params[:id]
end
end
This means that if you have the following routes: 这意味着如果您有以下路线:
#config/routes.rb
resources :users
you'll have access to @user
and current_user
. 您将有权访问@user
和current_user
。 It's important to note that current_user
!= @user
. 重要的是要注意current_user
!= @user
。 Although weezing
's answer is succinct, it does not validate whether the user is the one which owns the page authorized ; 尽管weezing
的回答很简洁,但它并不验证用户是否拥有授权页面的用户; just that the user is authenticated 只是用户已通过身份验证
Thus, you have several specifications: 因此,您有几个规格:
- You need to know if the user is actually logged in 您需要知道用户是否确实已登录
- You need to make sure your
logged-in
user has the authorization to edit the profile (IE is it theirs) 您需要确保您的logged-in
用户具有编辑配置文件的权限 (IE是他们的)
I would highly recommend looking into the use of gems
such as CanCanCan
or Pundit
. 我强烈建议您考虑使用CanCanCan
或Pundit
等gems
。 I'll show you CanCanCan: 我会告诉你CanCanCan:
#app/models/ability.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
can :edit, Article, id: user.id
end
end
#app/views/users/show.html.erb
<%= link_to "Edit", edit_user_path(@user) if can? :edit, @user %>
There is a great resource here . 这里有很好的资源 。
This should work (little bit simpler): 这应该工作(稍微简单一些):
<% if current_user %>
<%= link_to "Edit Profile", edit_user_path(current_user), class: "btn btn-primary btn-xs" %>
<% end %>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.