我正在尝试执行以下操作: 我有一个用户过滤记录的页面:
这是我的控制者:
def index
if current_user.role? "producer"
@ search = Victim.joins (: producer). where (: producers => {: email => current_user.email}.) search (params [: search])
@ @ search.paginate victims = (: page => params [: page],: per_page => 10)
elsif
@ search = Victim.search (params [: search])
@ @ search.paginate victims = (: page => params [: page],: per_page => 10)
end
end
它可以过滤仅与当前用户相关的索引记录。 但是如果当前用户在导航中输入记录的id,他可以看到不包含当前用户的电子邮件的记录的数据。想知道如何绕过这种访问,并允许当前用户访问页面“只显示”包含您的电子邮件的记录,就像在“索引”中一样。
我可以帮助任何人!
答案 0 :(得分:0)
没有看到您当前的show方法,路线或模型:
def show
if Branch.exists?(params[:id])
@branch = Branch.find(params[:id])
@branches = Victim.where (:branch_id => @branch.id)
else
if @branch.nil? || @branch.email != current_user.email
log_message = "Current User #{current_user.email} was blocked from viewing a branch "
log_message += "owned by #{@branch.email}" if @branch
log_message += "#{params[:id]} that does not exist" if @branch.nil?
logger.warn log_message
redirect_to action: "index"
else
logger.debug "Current User #{current_user.email} was allowed to view a branch with the email #{@branch.email}"
end
end
基本上,在show方法中,您所要做的就是验证用户确实有权查看该记录。如果没有,请将它们重定向到其他地方