我使用Ruby on rails构建了登录,注册和注销功能,似乎所有这些功能都运行良好。
当我使用sign_up函数创建新用户时,也会创建user_id,当我退出时,我仍然可以使用包含user_id的网址进入用户页面。
我的节目功能有什么问题吗?我该如何解决这个问题?
route.rb
是:
Rails.application.routes.draw do
get 'users/new'
get 'home/index'
resources :users
resources :sessions
resources :courses
match '/about', to: 'home#about', via: 'get'
match '/signup', to: 'users#new', via: 'get'
match '/signin', to: 'sessions#new', via: 'get'
match '/signout', to: 'sessions#destroy', via: 'delete'
match '/main', to: 'users#show', via: 'get'
end
而users_controller.rb
是:
class UsersController < ApplicationController
def new
@user = User.new
end
def create
@user = User.new(user_params)
if @user.save
redirect_to @user, notice: 'User was sucessfully created!'
else
render action: "new"
end
end
def show
@user = User.find(params[:id])
end
private
def user_params
params.require(:user).permit(:name, :email, :password, :password_confirmation)
end
end
sessions.controller.rb
是:
class SessionsController < ApplicationController
def new
end
def create
user = User.authenticate(params[:session][:email], params[:session][:password])
if user.nil?
flash.now[:error] = "Invalid email or password."
render :new
else
sign_in user
redirect_to user
end
end
def destroy
sign_out
redirect_to signin_path
end
end
sessions.helper.rb
是:
module SessionsHelper
def sign_in(user)
session[:user_id] = user.id
self.current_user = user
end
def current_user=(user)
@current_user = user
end
def current_user
@current_user ||= User.find(session[:user_id]) if session[:user_id]
end
def signed_in?
!current_user.nil?
end
def sign_out
session[:user_id] = nil
self.current_user = nil
end
def current_user?(user)
user == current_user
end
def deny_access
redirect_to signin_path, :notice => "Please sign in first."
end
end
例如,我创建了一个帐户,并且user_id为1,在我退出后,我可以使用网址进入帐户显示页面:http://localhost:3000/users/1
我的工作有什么问题吗?
答案 0 :(得分:2)
您需要在控制器中添加before_filter
# application_controller.rb
def check_if_logged_in
deny_access unless signed_in?
end
# users_controller.rb
before_filter :check_if_logged_in, only: [:show, :edit, :update, :delete]
此外,show
方法是应该通过id或当前登录用户的个人资料页面显示用户吗?如果是后一种情况,则需要将其修改为
@user = User.find(current_user.id)
答案 1 :(得分:0)
您似乎没有限制访问/ users / show - 您的意思是?它按ID加载User对象并显示它,就像你去任何其他:resource
路径一样。
答案 2 :(得分:0)