我知道之前有人问过,但我仔细检查并确保其他问题解决方案对我没有用,但无论如何,用户可以编辑其他用户。您所要做的就是更改地址栏中的值id,然后直接在人员帐户中签名。我需要修复它并重定向到他们的编辑页面。我没有运气就尝试了多件事!我没有使用Devise。
这是我的users_controller.rb,
class UsersController < ApplicationController
before_action :set_user, only: [:edit, :update, :destroy]
before_action :correct_user, only: [:edit, ]
after_action :signed_in_after_register, only: :create
def index
@users = User.all
@user = User.find(session[:user_id])
end
def dashboard
@user = User.find(session[:user_id]) unless session[:user_id] == ""
redirect_to login_path, notice: "You're not logged in" unless @user
@posts = @user.posts.order("created_at DESC").limit(3)
@comment = Comment.new
@post = Post.new
end
def newsfeed
@user = User.find(session[:user_id]) unless session[:user_id] == nil
redirect_to login_path, notice: "You're not logged in" unless @user
@posts = @user.posts.order("created_at DESC").limit(3)
end
def nav
@user = User.find(session[:user_id])
end
def posts
@user = User.find(session[:user_id])
@posts = @user.posts
end
def destroy
@user = User.find(session[:user_id]) unless session[:user_id] == ""
redirect_to login_path, notice: "You're not logged in" unless @user
end
def welcome
@user = User.find(params[:user_id]) unless session[:user_id] == ""
redirect_to login_path, notice: "You're not logged in" unless @user
end
def show
@user = User.find(params[:user_id]) unless session[:user_id] == ""
redirect_to login_path, notice: "You're not logged in" unless @user
@posts = @user.posts.order("created_at DESC").limit(3)
@comment = Comment.new
@post = Post.new
end
def new
@user = User.new
@post = Post.new(params[:post_id])
end
def edit
@user = User.find(params[:user_id]) if params[:user_id]
redirect_to @dashboard_path unless @user
end
def create
@user = User.new(user_params)
respond_to do |format|
if @user.save
format.html { redirect_to dashboard_path, notice: 'User was successfully created!' }
format.json { render :profile, status: :created, location: @user }
else
format.html { render :new }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
def update
respond_to do |format|
if @user.update(user_params)
format.html { redirect_to dashboard_path, notice: 'User was successfully updated.' }
format.json { render :profile, status: :ok, location: @user }
else
format.html { render :edit }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
def destroy
@user.destroy
respond_to do |format|
format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_user
@user = User.find(params[:id])
end
def correct_user
@user = User.find(params[:id]) unless session[:user_id] == ""
end
def signed_in_after_register
session[:user_id] = @user.id
end
def user_params
params.require(:user).permit(:first_name, :last_name, :bio, :password, :password_confirmation, :email, :age, :profile_picture, :post, :body)
end
end
不确定您可能需要看到的其他代码,这是一个控制器问题,如果您确实需要我的任何其他代码只是评论和生病编辑我的问题立即!提前谢谢!
答案 0 :(得分:0)
您可以通过实施current_user辅助方法并在edit和update方法中对其进行检查来阻止用户编辑彼此的个人资料。
将以下方法添加到app / controllers / application_controller.rb
def current_user
@current_user ||= User.find(session[:user_id]) if session[:user_id]
end
此帮助程序将返回表示任何视图或控制器中当前用户的User对象。
现在在app/controllers/users_controller.rb中,将update方法替换为以下内容:
def update
if @user == current_user
respond_to do |format|
if @user.update(user_params)
format.html { redirect_to dashboard_path, notice: 'User was successfully updated.' }
format.json { render :profile, status: :ok, location: @user }
else
format.html { render :edit }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
else
redirect_to some_other_path, notice: 'You do not have permission to edit the profile of another user.'
end
end
您还必须设置users_controller#edit方法以使用类似的逻辑,但我会将此练习留给您,因为您需要学习一些东西。