Question
I realize a gem might be the best answer to my situation, but I really want to program it manually if possible. But I will still accept any suggestions for a gem to cover what I want. Anyway, on to the question...
I have a model Device and the normal model Users (devise gem) that has a join table devices_users. Device has a field "user_ids", which is an integer to represent the user ids of who has access (which is an array if I have multiple, but that's not really relevant to the question).
I want to restrict access to Device entirely if the user_ids field is not their user id. When I say entirely, I mean I have a lot of places they could theoretically access it:
1) I have multiple methods in my models that are called in views, and access Device data directly - such as:
if Device.all.where(:device_guid => model.device_id).first == nil
2) Views sometimes directly call upon Device, such as a collection select. It should not show up as a viable option.
3) They should have no controller access at all. No show, no index, nothing. (This seemed the easiest to implement, just a before_filter).
My big thing though - there has to be one simple way to restrict access entirely. Anything I did in the application controller only restricts controller access. Nothing I've tried seems to prevent access to the methods in the models (unless I individually restrict each one - and I have a lot of them), nor the views (again, unless I restrict each instance, which I have a lot of).
Is there a simple way to restrict it entirely?
Answer 1:
Just qualify the initial lookup by the relevant user, like this:
user.devices
You can still do things like:
user.devices.where(something: true)
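The scoping pattern from the answer above, as an added example that is not part of the original post: a plain-Ruby stand-in for the ActiveRecord association, so it runs without Rails. `DeviceScope`, `NotAuthorized`, the `active` field and the sample rows are constructed for illustration; in a real app `user.devices` comes from the `devices_users` join table.

```ruby
# Plain-Ruby stand-in for ActiveRecord (hypothetical names, constructed data).
Device = Struct.new(:id, :device_guid, :user_ids, :active)
class NotAuthorized < StandardError; end

# Chainable, user-bound relation: every lookup starts from the owner's rows.
class DeviceScope
  include Enumerable

  def initialize(rows)
    @rows = rows.freeze
  end

  # Mirrors user.devices.where(something: true): it can narrow, never widen.
  def where(conditions)
    DeviceScope.new(@rows.select { |d| conditions.all? { |k, v| d[k] == v } })
  end

  def each(&block)
    @rows.each(&block)
  end

  # Raises instead of ever returning a device the user is not listed on.
  def find_by!(conditions)
    where(conditions).first || raise(NotAuthorized, "no such device for this user")
  end
end

class User
  attr_reader :id

  def initialize(id, store)
    @id, @store = id, store
  end

  # Single entry point for models, views and controllers alike.
  def devices
    DeviceScope.new(@store.select { |d| d.user_ids.include?(id) })
  end
end

# Constructed sample rows: device 2 is shared, device 3 belongs only to user 20.
STORE = [
  Device.new(1, "guid-a", [10], true),
  Device.new(2, "guid-b", [10, 20], false),
  Device.new(3, "guid-c", [20], true),
].freeze

ALICE = User.new(10, STORE)
BOB = User.new(20, STORE)
```

A collection select built from `ALICE.devices` never lists device 3, and a lookup by another user's `device_guid` raises instead of returning the record, which is the behaviour an unscoped `Device.all.where(...)` cannot give.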
Source: https://stackoverflow.com/questions/31394098/restricting-any-access-to-a-model-in-rails