只有 Rails 3.1 用户可以编辑他们的个人资料
[英]Rails 3.1 only user can edit their profile
问题描述
I am slowly learning rails by doing and testing things, but i have run into a block.
我正在通过做和测试事情来慢慢学习 Rails,但我遇到了障碍。 I have a simple rails 3.1 app and have a simple user register/sign in process working.我有一个简单的 rails 3.1 应用程序,并且有一个简单的用户注册/登录过程正常工作。 I am not using devise because i would rather learn how to do it myself.我没有使用 devise 因为我宁愿自己学习如何做。
Currently a user can register, sign in and sign out.目前,用户可以注册、登录和退出。 But I want them to be able to edit their profile.但我希望他们能够编辑他们的个人资料。 At present any user can go to users/1/edit/ even if their ID isn't set to 1. How do i check to see if the current_user matches that of the url?目前任何用户都可以 go 到 users/1/edit/,即使他们的 ID 未设置为 1。我如何检查 current_user 是否与 url 的匹配? I know i need some sort of before filter on the edit action of my users_controller.我知道我需要对我的 users_controller 的编辑操作进行某种前置过滤。
Here is what i have at present这是我目前拥有的
users_controller.rb users_controller.rb
before_filter :is_owner, :only => [:edit, :update, :destroy]
application_controller.rb application_controller.rb
helper_method :is_owner
def is_owner
end
What should be in my is_owner function?我的 is_owner function 中应该有什么?
2 个解决方案
解决方案1
3 已采纳 2011-07-08 10:43:06
I'm guessing your problem resides in getting the parameter from the URL.我猜你的问题在于从 URL 获取参数。 This could be done with the params array:这可以通过 params 数组来完成:
params[:id]
With that (depending on your routing configuration,), you could do something like有了它(取决于您的路由配置),您可以执行类似的操作
def is_owner?
current_user.id == params[:id]
end
解决方案2
2 2011-07-08 11:01:44
Fuzzyalej is apparently a faster typer than me;-), so I can only suggest you some more verbose form of the function. Fuzzyalej 显然是比我更快的打字机;-),所以我只能建议您使用更详细的 function 形式。 (His answer is absolutely correct) (他的回答绝对正确)
You have defined the filter method in ApplicationController, but in this case comparing just the 'id' parameter may be misleading, since in other actions the 'id' may describe a document (for example) instead of an user.您已经在 ApplicationController 中定义了过滤器方法,但在这种情况下,仅比较“id”参数可能会产生误导,因为在其他操作中,“id”可能描述的是文档(例如)而不是用户。 It may be safer if you define the filter function in the UsersController (just make it a private function)如果您在 UsersController 中定义过滤器 function 可能会更安全(只需将其设为私有函数)
Personally, I often put similar rules directly in the actions, but using a filter may be more DRY.就个人而言,我经常将类似的规则直接放在操作中,但使用过滤器可能会更 DRY。
I would define the methods 'edit', 'update' and 'destroy' in this way: (maybe you will like it)我会以这种方式定义“编辑”、“更新”和“销毁”方法:(也许你会喜欢它)
def edit # and 'update', and 'destroy'
@user = User.find(params[:id])
render_forbidden and return unless can_edit?
# ...and the rest of the action
end
private
def can_edit?
current_user.is_admin? || current_user == @user
end
# This one usually is defined in ApplicationController, as I use it often
def render_forbidden
respond_to do |format|
format.html { render :action => "errors/forbidden", :status => 403 }
#...
end
true
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.