我隐藏了向未授权用户添加任务的形式,但是他们仍然可以通过地址栏创建任务,如何防止这种情况发生?
谢谢。
class Api::V1::HolidaysController < Api::V1::BaseController
skip_before_action :doorkeeper_authorize!, only: :index
expose :holiday, -> { Holiday.find(params[:id]) }
expose :holidays, -> { Holiday.all }
def create
return render_api(holidays, :created) if holidays.create(holiday_params)
render json: { errors: holidays.errors.messages }, status: :unprocessable_entity
end
private
def holiday_params
params.require(:holiday).permit(:name, :date)
end
end