Devise cannot restrict users

Time: 2017-05-03 15:53:57

Tags: ruby-on-rails ruby devise

I installed Devise in my Rails application. Once a user is logged in, he can access every other user's edit page.

For example, I am user_id 2 and I can edit the profiles of users 1/3/4/5 ..... simply by changing the parameter in the route by hand.

Here is my ApplicationController:

class ApplicationController < ActionController::Base
  protect_from_forgery
  before_action :authenticate_user!

  before_action :configure_permitted_parameters, if: :devise_controller?

  def configure_permitted_parameters
    # For additional fields in app/views/devise/registrations/new.html.erb
    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :company, :position, :office_phone, :mobile_phone, :address, :description, :radius, :photo_company_logo, :photo_presentation, photos_projet_1: [], photos_projet_2: [], photos_projet_3: [], photos_projet_4: []])

    # For additional in app/views/devise/registrations/edit.html.erb
    devise_parameter_sanitizer.permit(:account_update, keys: [:first_name, :last_name, :company, :position, :office_phone, :mobile_phone, :address, :description, :radius, :photo_company_logo, :photo_presentation, photos_projet_1: [], photos_projet_2: [], photos_projet_3: [], photos_projet_4: []])
  end
end

Here is my UsersController:

class UsersController < ApplicationController

  skip_before_action :authenticate_user!, only: [:index, :show]
  before_action :set_user, only: [:show, :edit, :update]

  def index
    @client = Client.new

    @users = User.all
    @users = User.where.not(latitude: nil, longitude: nil)

    @hash = Gmaps4rails.build_markers(@users) do |user, marker|
      marker.lat user.latitude
      marker.lng user.longitude
    end

  end

  def show
    @client = Client.new
    @user = User.find(params[:id])
  end

  def new
    @user = User.new
  end

  def create
    @user = User.new(user_params)
    @user.save

    redirect_to users_path
  end


  def edit
     @user = User.find(params[:id])
  end

  def update
    @user = User.find(params[:id])
    @user.update(user_params)

    redirect_to user_path(@user)
  end


  private

  def user_params
    params.require(:user).permit(:company, :first_name, :last_name, :position, :mobile_phone, :office_phone, :email, :address, :description, :radius, :nettoyage_toiture, :photo_company_logo, :photo_presentation, photos_projet_1: [], photos_projet_2: [], photos_projet_3: [], photos_projet_4: [])
  end

  def set_user
    @user = User.find(params[:id])
  end

end

Here is my User model:

class User < ApplicationRecord
  has_attachment :photo_presentation
  has_attachment  :photo_company_logo
  has_many :projects, dependent: :nullify
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable
  #geocoder for google maps
  geocoded_by :address
  after_validation :geocode, if: :address_changed?
end

Here are my routes:

Rails.application.routes.draw do
  ActiveAdmin.routes(self)
  devise_for :users
  root to: 'pages#home'
  resources :users do
    resources :projects
  end
  resources :clients, only: [:new, :create, :show]
  mount Attachinary::Engine => "/attachinary"
  # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
end

Thanks a lot!

2 answers:

Answer 0 (score: 1)

Devise is an authentication library. What you have is an authorization problem. So you should use something for authorization. I use CanCan. With it you can define permissions like this:

 can :edit, User, id: current_user.id

If you don't want to learn another library, you can always do the authorization by hand in the controller.

class UsersController < ApplicationController
  before_action :can_edit_only_self, only: [:edit, :update, :destroy]

  private

  # Route parameters arrive as Strings, so coerce before comparing with the
  # Integer id of the signed-in user ("2" == 2 would always be false).
  def can_edit_only_self
    redirect_to root_path unless params[:id].to_i == current_user.id
  end
end

* Authentication - I know who you are

* Authorization - I know what you are allowed to do
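The controller-level check from this answer, as an added example that is not part of the original answer: the same logic written without Rails so it runs stand-alone, including the String-versus-Integer pitfall that makes a naive `params[:id] == current_user.id` reject every request. The `User` struct, `params_for`, `AuthorizationError` and `authorize_edit!` names are assumptions for the demo; in the real controller the check lives in a `before_action` and redirects instead of raising.

```ruby
# Added example (not from the original post): object-level authorization for
# UsersController#edit/#update, reduced to plain Ruby. User, params_for,
# AuthorizationError and authorize_edit! are names assumed for the demo.

User = Struct.new(:id, :email)

class AuthorizationError < StandardError; end

# Simulates Rails params: route segments such as :id always arrive as Strings.
def params_for(id_segment)
  { "id" => id_segment.to_s }
end

# The naive check: params["id"] is a String, current_user.id an Integer,
# so "2" == 2 is false and every request is rejected (fail closed, but broken).
def naive_owner?(params, current_user)
  params["id"] == current_user.id
end

# Coerce the route parameter before comparing. Integer(str, exception: false)
# returns nil for non-numeric input instead of the 0 that "abc".to_i gives,
# so garbage can never collide with a real id.
def owner?(params, current_user)
  requested = Integer(params["id"], exception: false)
  !requested.nil? && requested == current_user.id
end

# Controller-style wrapper: refuse unless the signed-in user owns the target.
# Rails would redirect_to root_path; raising keeps the example testable.
def authorize_edit!(params, current_user)
  unless owner?(params, current_user)
    raise AuthorizationError, "cannot edit user #{params['id']}"
  end
  :authorized
end

# The safest option for a self-service profile page is not to read :id at all:
# @user = current_user, never User.find(params[:id]).
def target_for_edit(current_user)
  current_user
end

if __FILE__ == $PROGRAM_NAME
  me = User.new(2, "me@example.com")
  puts naive_owner?(params_for(2), me)   # false: String vs Integer
  puts owner?(params_for(2), me)         # true
  begin
    authorize_edit!(params_for(1), me)
  rescue AuthorizationError => e
    puts "blocked: #{e.message}"
  end
end
```

`target_for_edit` is the shape to prefer for an "edit my profile" page: when the controller never looks a record up by a client-supplied id, there is no id to tamper with.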

Answer 1 (score: 1)

The problem is here:

def edit 
  @user = User.find(params[:id])
end

def update
  @user = User.find(params[:id])
  @user.update(user_params)

  redirect_to user_path(@user)
end

If you don't want users to be able to edit other users, then you don't need these two methods. You can also change your routes file to:

resources :users, except: [:edit, :update] do
  resources :projects
end

Update

If you make the previous edit and type rake routes in the terminal, you should see that Devise provides a controller action for editing users. users/edit takes no :id parameter. In Devise::RegistrationsController the edit method simply uses the current_user helper method, so it only edits the account information of the currently logged-in user.

If you do want admin users to be able to edit other users, then you'll want to read up on one of the following gems:

  1. CanCan
  2. Pundit

With these gems you can define which user "roles" are allowed to edit other users according to their role. You can also use these gems to grant permissions to create, read, update and delete other resources.
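The role-based authorization this answer points to, as an added example that is not part of the original answer: a policy object written in the shape Pundit expects (a `UserPolicy` taking `(user, record)`, one query method per action, and a nested `Scope`), but implemented here by hand so the file runs on plain Ruby without the gem. The `admin` flag on `User`, the `authorize` helper and `update_user` are assumptions for the demo, not Pundit's own code.

```ruby
# Added example (not from the original answer): a Pundit-style policy for
# UsersController, hand-rolled so it runs without the gem. The admin flag,
# authorize helper and update_user are assumed for the demo.

User = Struct.new(:id, :email, :admin) do
  def admin?
    admin == true
  end
end

class NotAuthorizedError < StandardError; end

class UserPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user       # the signed-in user (Devise's current_user), may be nil
    @record = record   # the User being acted on
  end

  # Public profiles stay readable, matching the skip_before_action on :show.
  def show?
    true
  end

  # Only the owner or an admin may change a profile. Comparing record ids
  # (both Integers) avoids the route-String-versus-Integer pitfall.
  def update?
    return false if user.nil?
    user.admin? || record.id == user.id
  end
  alias edit? update?

  def destroy?
    !user.nil? && user.admin?
  end

  # Which users the caller may manage: admins see everyone, others only
  # themselves. `scope` is a plain Array here; in Rails it would be a relation.
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      return [] if @user.nil?
      @user.admin? ? @scope : @scope.select { |u| u.id == @user.id }
    end
  end
end

# Mirrors what Pundit's authorize does: find "#{record.class}Policy", call the
# query named after the action, raise when it returns false.
def authorize(current_user, record, query)
  policy = Object.const_get("#{record.class}Policy").new(current_user, record)
  unless policy.public_send(query)
    raise NotAuthorizedError, "#{query} forbidden on #{record.class}##{record.id}"
  end
  record
end

# What UsersController#update does once the policy allows it.
def update_user(current_user, target, attrs)
  authorize(current_user, target, :update?)
  attrs.each { |k, v| target[k] = v }
  target
end

if __FILE__ == $PROGRAM_NAME
  users = [User.new(1, "a@example.com", false),
           User.new(2, "b@example.com", false),
           User.new(9, "root@example.com", true)]
  me = users[1]
  puts UserPolicy.new(me, users[0]).update?                       # false
  puts UserPolicy.new(users[2], users[0]).update?                 # true
  puts UserPolicy::Scope.new(me, users).resolve.map(&:id).inspect # [2]
end
```

In a real controller the `authorize` call goes in `edit`, `update` and `destroy` before any attribute assignment, and a `rescue_from NotAuthorizedError` turns the exception into a redirect or a 403.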