The before_action :set_rotum is where you want to put the access control.
Despite what I said earlier, you don't actually need cancan, but as an alternative to this implementation you can use something like cancan for access control.
In your example, you would do something like this (obviously this example assumes you have the rotum object belonging to the user object):

    def set_rotum
      # Scope the lookup through the owner (assumes `has_many :rota` on User,
      # the association name Rails' inflector derives from Rotum). find_by
      # returns nil instead of raising RecordNotFound, so the nil check below
      # is actually reached when the record is missing or belongs to someone else.
      @rotum = current_user.rota.find_by(id: params[:id])
      if @rotum.nil?
        # render inside a before_action halts the chain; the action never runs
        render :html => "Not authorized", :status => 401
      end
    end
or something like this:

    def set_rotum
      # Unscoped lookup (find raises RecordNotFound -> 404 if the id is unknown),
      # then compare the owner before the action is allowed to run.
      @rotum = Rotum.find(params[:id])
      if @rotum.user != current_user
        render :html => "Not authorized", :status => 401
      end
    end
-Jason
On Oct 6, 2014, at 1:03 PM, Mohammed Rashid <lists@ruby-forum.com> wrote:
> Jason Fb wrote in post #1159167:
>> What does the controller look like?
>
>
>
> class RotaController < ApplicationController
>   before_filter :authenticate_user!, except: ( :Welcome)
>   before_action :set_rotum, only: [:show, :edit, :update, :destroy]
>
>   # GET /rota
>   # GET /rota.json
>   def index
>     @rota = Rotum.all
>     @is_admin = current_user.try(:admin?)
>   end
>
>   # GET /rota/1
>   # GET /rota/1.json
>   def show
>   end
>
>   # GET /rota/new
>   def new
>     @rotum = Rotum.new
>   end
>
>   # GET /rota/1/edit
>   def edit
>   end
>
>   # POST /rota
>   # POST /rota.json
>   def create
>     @rotum = Rotum.new(rotum_params)
>
>     respond_to do |format|
>       if @rotum.save
>         format.html { redirect_to @rotum, notice: 'Rotum was successfully created.' }
>         format.json { render :show, status: :created, location: @rotum }
>       else
>         format.html { render :new }
>         format.json { render json: @rotum.errors, status: :unprocessable_entity }
>       end
>     end
>   end
>
>   # PATCH/PUT /rota/1
>   # PATCH/PUT /rota/1.json
>   def update
>     respond_to do |format|
>       if @rotum.update(rotum_params)
>         format.html { redirect_to @rotum, notice: 'Rotum was successfully updated.' }
>         format.json { render :show, status: :ok, location: @rotum }
>       else
>         format.html { render :edit }
>         format.json { render json: @rotum.errors, status: :unprocessable_entity }
>       end
>     end
>   end
>
>   # DELETE /rota/1
>   # DELETE /rota/1.json
>   def destroy
>     @rotum.destroy
>     respond_to do |format|
>       format.html { redirect_to rota_url, notice: 'Rotum was successfully destroyed.' }
>       format.json { head :no_content }
>     end
>   end
>
>   private
>     # Use callbacks to share common setup or constraints between actions.
>     def set_rotum
>       @rotum = Rotum.find(params[:id])
>     end
>
>     # Never trust parameters from the scary internet, only allow the white list through.
>     def rotum_params
>       params.require(:rotum).permit(:name, :mobile, :email, :category, :other)
>     end
> end
>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/7457774d8710957cef70c7fcfa5040fd%40ruby-forum.com.
> For more options, visit https://groups.google.com/d/optout.
>
----
Jason Fleetwood-Boldt
tech@datatravels.com
http://www.jasonfleetwoodboldt.com/writing
All material © Jason Fleetwood-Boldt 2014. Public conversations may be turned into blog posts (original poster information will be made anonymous). Email jason@datatravels.com with questions/concerns about this.
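The two `set_rotum` variants Jason describes, worked through as an added example that is not code from the thread. It is plain Ruby with no Rails dependency so it runs stand-alone: `User`, `Rotum`, `ROTA` and `AuthorizedLookup` are constructed names, the in-memory records stand in for the database, and each lookup returns an HTTP-style status plus the record so the effect of each strategy (and of the original unchecked `Rotum.find`) is visible side by side.

```ruby
# Added example, not from the mailing-list thread. Plain-Ruby model of the
# authorization strategies discussed above; all names and data are constructed.

User  = Struct.new(:id, :name)
Rotum = Struct.new(:id, :user_id, :name)

# Constructed sample data: two users, each owning exactly one rotum.
USERS = [User.new(1, "alice"), User.new(2, "bob")].freeze
ROTA  = [Rotum.new(10, 1, "alice's shift"), Rotum.new(20, 2, "bob's shift")].freeze

module AuthorizedLookup
  # Strategy 1 (scoped): look the record up *through* the current user, as
  # current_user.rota.find_by(id: ...) would. A record owned by anyone else
  # is simply never found, so there is no separate ownership comparison to forget.
  def self.scoped(current_user, id)
    rotum = ROTA.find { |r| r.user_id == current_user.id && r.id == id }
    rotum ? [200, rotum] : [401, "Not authorized"]
  end

  # Strategy 2 (owner check): fetch unscoped, then compare the owner, as
  # Rotum.find(...) followed by `@rotum.user != current_user` would.
  # An unknown id maps to 404 here, standing in for RecordNotFound.
  def self.owner_check(current_user, id)
    rotum = ROTA.find { |r| r.id == id }
    return [404, "Not found"] if rotum.nil?
    rotum.user_id == current_user.id ? [200, rotum] : [401, "Not authorized"]
  end

  # The posted controller's set_rotum, for comparison: only authentication is
  # enforced, so any signed-in user is served any rotum whose id they supply.
  def self.unchecked(_current_user, id)
    rotum = ROTA.find { |r| r.id == id }
    rotum ? [200, rotum] : [404, "Not found"]
  end
end

if __FILE__ == $PROGRAM_NAME
  alice, bob = USERS
  # bob requesting alice's record under each strategy
  puts "scoped:      #{AuthorizedLookup.scoped(bob, 10).inspect}"
  puts "owner_check: #{AuthorizedLookup.owner_check(bob, 10).inspect}"
  puts "unchecked:   #{AuthorizedLookup.unchecked(bob, 10).inspect}"
end
```

Both authorized strategies deny the cross-user request; the difference is only where the check lives. The scoped form is the one that survives refactoring best, because the query itself cannot return another user's row, which is also why it is the easier one to verify in a controller test (assert a 401, not a 200, for a foreign id).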