我希望任何人(甚至那些没有登录的人)能够查看帖子,但只有帖子的所有者能够编辑或销毁帖子。但是,目前,任何用户都可以编辑或销毁任何帖子。如果我改变
def set_pin
@pin = Pin.find(params[:id])
end
到
def set_pin
@pin = current_user.pins.find(params[:id])
end
当前用户无法编辑其他用户的帖子,也无法查看他们。请帮帮我。感谢。
class PinsController < ApplicationController
before_action :set_pin, only: [:show, :edit, :update, :destroy]
before_filter :authenticate_user!, except: [:index]
# GET /pins
# GET /pins.json
def index
@pins = Pin.all
end
# GET /pins/1
# GET /pins/1.json
def show
end
# GET /pins/new
def new
@pin = current_user.pins.new
end
# GET /pins/1/edit
def edit
end
# POST /pins
# POST /pins.json
def create
@pin = current_user.pins.new(pin_params)
respond_to do |format|
if @pin.save
format.html { redirect_to @pin, notice: 'Pin was successfully created.' }
format.json { render action: 'show', status: :created, location: @pin }
else
format.html { render action: 'new' }
format.json { render json: @pin.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /pins/1
# PATCH/PUT /pins/1.json
def update
respond_to do |format|
if @pin.update(pin_params)
format.html { redirect_to @pin, notice: 'Pin was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: @pin.errors, status: :unprocessable_entity }
end
end
end
# DELETE /pins/1
# DELETE /pins/1.json
def destroy
@pin.destroy
respond_to do |format|
format.html { redirect_to pins_url }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_pin
@pin = Pin.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def pin_params
params.require(:pin).permit(:description)
end
end
答案 0 :(得分:0)
用于编辑和销毁使用
def set_pin
@pin = current_user.pins.find(params[:id])
end