Question

In Rails 2, how can I prevent a user from just changing the id # and accessing other Objects?

For example:

website.com/users/1231/edit

How do I prevent a user from changing the 1231 and accessing another account?
Answer 1:

Use a before_filter in your controllers.
    # Rails looks up controllers by the *Controller suffix, so the class must be
    # named UsersController for the users/:id routes to reach it.
    class UsersController < ApplicationController
      before_filter :require_user, :only => [:show]

      private

      # Runs before the action: resolve the requested user, and send the
      # visitor back to the root page when no such record exists.
      def require_user
        @user = User.find_by_id(params[:id])
        redirect_to root_url if @user.nil?
      end
    end
Answer 2:

    @user = User.find params[:id]
    # Only the signed-in user may reach their own record; anyone else is sent back.
    redirect_to :back unless current_user == @user
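The check that answers 1 and 2 describe, as an added example that is not code from either answer. It is plain Ruby with no Rails dependency so it runs stand-alone: the User and Post structs, the in-memory USERS and POSTS tables and the helper names (find_post, find_post_for, require_owner, edit_post_unscoped, edit_post_scoped) are all constructed for this illustration. It goes slightly beyond the thread by also showing the association-scoped lookup (the current_user.posts.find(id) pattern), which is the same idea applied to records owned by a user rather than to the user record itself.

```ruby
# Added example, not from the Stack Overflow thread. Plain-Ruby model of the
# "does the id in the URL belong to the signed-in user?" check, with the data
# and helper names constructed for illustration.

User = Struct.new(:id, :name)
Post = Struct.new(:id, :user_id, :title)

class RecordNotFound < StandardError; end

# Constructed sample data standing in for the users and posts tables.
USERS = [User.new(1231, "alice"), User.new(1232, "bob")]
POSTS = [
  Post.new(1, 1231, "alice's draft"),
  Post.new(2, 1232, "bob's draft"),
]

# Mirrors Model.find(id): looks the record up by primary key alone, so any
# id a user types into the URL resolves if the row exists.
def find_post(id)
  POSTS.find { |p| p.id == id.to_i } or raise RecordNotFound, "post #{id}"
end

# Mirrors current_user.posts.find(id): the lookup is scoped to the owner's
# association, so a record belonging to someone else is simply not found.
def find_post_for(user, id)
  POSTS.find { |p| p.user_id == user.id && p.id == id.to_i } or
    raise RecordNotFound, "post #{id} for user #{user.id}"
end

# The before_filter from answer 1 and the comparison from answer 2 combined:
# resolve the requested user and insist it is the signed-in user.
# Returns :ok, or the redirect target the way a filter halts the action chain.
def require_owner(current_user, params)
  requested = USERS.find { |u| u.id == params[:id].to_i }
  return :redirect_root unless requested                  # answer 1: unknown id
  return :redirect_back unless requested == current_user  # answer 2: not me
  :ok
end

# Vulnerable edit action: trusts the id in the URL and ignores who is asking.
def edit_post_unscoped(current_user, params)
  find_post(params[:id]).title
end

# Hardened edit action: the id is only meaningful within current_user's posts.
def edit_post_scoped(current_user, params)
  find_post_for(current_user, params[:id]).title
end

if __FILE__ == $0
  alice = USERS[0]
  puts edit_post_unscoped(alice, id: "2")          # alice reads bob's draft
  begin
    edit_post_scoped(alice, id: "2")
  rescue RecordNotFound => e
    puts "scoped lookup refused: #{e.message}"
  end
  p require_owner(alice, id: "1232")               # :redirect_back
end
```

The scoped lookup is usually preferable to a separate comparison: there is no ownership check to forget, because a foreign id never resolves in the first place, and a forged id produces the same RecordNotFound as a nonexistent one, which is what a 404 handler already expects.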
Answer 3:
Use a permissions-checking gem like CanCan or Aegis. Both have conventions that add permissions checking to every method on every controller automatically.
Source: https://stackoverflow.com/questions/6820796/adding-security-on-routes-in-rails