Rails在link_中传递params如何使其安全

时间:2015-08-10 19:30:15

标签: ruby-on-rails ajax params

我正在尝试在rails中创建一个喜欢和不喜欢的函数,因为我使用lin_to帮助程序来传递params但是当有人试图复制粘贴更新数据库的链接时会出现问题。我使用ajax使这个函数在这里工作是我的方法的代码。

控制器代码:

class FeedLikesController < ApplicationController
  before_action :authenticate_user! ,only: [:create, :destroy]
  before_action :get_feed ,only: [:create, :destroy]

  def index
    @fees = FeedLike.all

    respond_to do |format|
      format.html 
      format.js
    end
  end

  def update
    @feed_likes = FeedLike.find_or_create_by(feed_like_params)

    respond_to do |format|
      if @feed_likes.save
        format.html { redirect_to root_url, notice: 'Like ' }
      end
    end
  end

  def create
    @feed_like_counter = Feed.find(params[:feed_id])
    @feed_likes = FeedLike.find_or_create_by(:feed_id => params[:feed_id],:user_id =>params[:user_id])

    @f = @feed_like_counter.like_count
    @feed_like_counter.like_count = @f+1
    @feed_like_counter.save

    respond_to do |format|
      if @feed_likes.save 
        format.html { redirect_to root_url, notice: 'Like ' }
        format.js
      end
    end
  end


  def delete

  end

  def destroy
    @feed_like_counter = Feed.find(params[:feed_id])
    @feed_likes = FeedLike.where(feed_like_params)

    @f = @feed_like_counter.like_count
    @feed_like_counter.like_count = @f-1
    @feed_like_counter.save

    respond_to do |format|
      if @feed_likes.destroy_all
        format.html { redirect_to root_url, notice: 'Unlike ' }
        format.js
      end
    end
  end

  def feed_like_params
    params.permit(:user_id, :feed_id)
    #params[:market_place]
  end

  def get_feed
    @feed = Feed.find(params[:feed_id])
  end

end

在观看中我的链接是这样的:

<div class="feed-like-<%= @feed %> " >
  <%= link_to "like",{ :action => 'create', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, method: :post,class: "btn btn-primary"   %>
</div>

不喜欢链接是这样的:

<div class="feed-like-<%= @feed %> " >
  <%= link_to "Dislike",{ :action => 'destroy', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, class: "btn btn-primary" %>          
</div>

我的路线就像:

get "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#destroy"
post "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#create"

这里的问题是,当我通过url direclty时,每当有人想要提取数据时,它更新了数据库,我怎样才能限制这一点,只有当用户点击按钮然后它才更新数据库而不是url:

还有另一个问题我正在使用ajax onclick事件它更新了数据库但是当我快速点击like按钮时它会在不喜欢部分出现之前更新数据库2或3次。我有什么方法可以用它。

0 个答案:

没有答案
相关问题
最新问题