[Rails] Re: Rails 3, help controlling access to a record based on the user id

Ruby on Rails Monday, September 6, 2010

please check the post "Use scope access" on rails-bestpractices.com,
http://rails-bestpractices.com/posts/3-use-scope-access, it tells you
how to use the Ed's way to strict access and rescue the exceptions.

On 9月6日, 上午11时38分, nobosh <bhellm...@gmail.com> wrote:
> Thanks for the reply, I do have the relationships declared above in
> the models... I've been learning and following the rails 3 book here:http://railstutorial.org/chapters/a-demo-app#sec:microposts_resource
>
> I tried your suggestion "@note = @user ?
> @user.notes.find(params[:id]) : nil " and while it didn't error which
> was good, it didn't work, it ended up redirecting... Full code:
>
> class NotesController < ApplicationController
> before_filter :correct_user, :only => :show
> .
> .
> .
> def show
> @note = Note.find(params[:id])
>
> respond_to do |format|
> format.html # show.html.erb
> format.xml { render :xml => @note }
> end
> end
>
> private
> def correct_user
> #@note = Note.find(params[:id])
> #@note_userid = @note.user_id
> @note = @user ? @user.notes.find(params[:id]) : nil
> @current_userid = current_user.id
> redirect_to(root_path) unless @current_userid == @note_userid
> end
> end
>
> ---
>
> Any ideas? I want to learn the right way to Rails
>
> On Sep 5, 8:26 pm, Ed <haywood...@gmail.com> wrote:
>
> > On Sep 5, 10:53 pm, nobosh <bhellm...@gmail.com> wrote:
>
> > > Ed thanks for the reply. I'd love to hear more... I tried your
> > > suggestion but it error'd:
>
> > > "undefined method `Notes' for nil:NilClass"
>
> > Two possible issues:
>
> > 1. Do you have the relationship declared in the models?
>
> > class Note < ActiveRecord
> > belongs_to :user
> > end
>
> > class User < ActiveRecord
> > has_many :notes
> > end
>
> > 2. If @user is a nil object, it will throw an error. Set @user to
> > the current_user in your before_filter. If there is a possibility of
> > hitting that point with a nil user, then change the line to read
> > something like this:
>
> > @note = @user ? @user.notes.find(params[:id]) : nil
>
> > which is a shorter way of saying
>
> > if @user.nil?
> > @note = nil
> > else
> > @note = @user.notes.find(params[:id])
> > end

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

Posted by Ruby on Rails at 1:18 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)