1. 技术文章
  2. return redirect_to in private controller method

return redirect_to in private controller method

余生颓废 提交于 2019-12-23 18:40:25

问题


Preface: I'm using devise for authentication.

I'm trying to catch unauthorized users from being able to see, edit, or update another user's information. My biggest concern is a user modifying the form in the DOM to another user's ID, filling out the form, and clicking update. I've read specifically on SO that something like below should work, but it doesn't. A post on SO recommended moving the validate_current_user method into the public realm, but that didn't work either.

Is there something obvious I'm doing wrong? Or is there a better approach to what I'm trying to do, either using devise or something else?

My UsersController looks like this:

class UsersController < ApplicationController
  before_filter :authenticate_admin!, :only => [:new, :create, :destroy]
  before_filter :redirect_guests

  def index
    redirect_to current_user unless current_user.try(:admin?)

    if params[:approved] == "false"
      @users = User.find_all_by_approved(false)
    else
      @users = User.all
    end
  end

  def show
    @user = User.find(params[:id])
    validate_current_user
    @user
  end

  def new
    @user = User.new
  end

  def edit
    @user = User.find(params[:id])
    validate_current_user
    @user
  end

  def create
    @user = User.new(params[:user])

    respond_to do |format|
      if @user.save
        format.html { redirect_to @user, :notice => 'User was successfully created.' }
      else
        format.html { render :action => "new" }
      end
    end
  end

  def update
    @user = User.find(params[:id])

    validate_current_user

    respond_to do |format|
      if @user.update_attributes(params[:user])
        format.html { redirect_to @user, :notice => 'User was successfully updated.' }
      else
        format.html { render :action => "edit" }
      end
    end
  end

  private

  def redirect_guests
    redirect_to new_user_session_path if current_user.nil?
  end

  def validate_current_user
    if current_user && current_user != @user && !current_user.try(:admin?)
      return redirect_to(current_user)
    end
  end

end

The authenticate_admin! method looks like this:

  def authenticate_admin!
    return redirect_to new_user_session_path if current_user.nil?

    unless current_user.try(:admin?)
      flash[:error] = "Unauthorized access!"
      redirect_to root_path
    end
  end

EDIT -- What do you mean "it doesn't work?"

To help clarify, I get this error when I try to "hack" another user's account:

Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".

If I put the method code inline in the individual controller actions, they do work. But, I don't want to do that because it isn't DRY.

I should also specify I've tried:

def validate_current_user
  if current_user && current_user != @user && !current_user.try(:admin?)
     redirect_to(current_user) and return
  end
end

回答1:


You are trying and you want to authorize users before every action. I would suggest you to use standard gems like CanCan or declarative_authorization.

Going ahead with this approach you might end up reinventing the wheel.

In case you decide on using cancan, all you have to do is add permissions in the ability.rb file(generated by rails cancan:install)

can [:read,:write,:destroy], :role => "admin"

And in the controller just add load_and_authorize_resource (cancan filter). It will check if the user has permissions for the current action. If the user doesnt have persmissions, then it will throw a 403 forbidden expection, which can be caught in the ApplicationController and handled appropriately.




回答2:


If you think about it, return in the private method just exits the method and passes control back to the controller - it doesn't quit the action. If you want to quit the action you have to return again

For example, you could have something like this:

class PostsController < ApplicationController
  def show
    return if redirect_guest_posts(params[:guest], params[:id])
    ...
  end

  private

  def redirect_guest_post(author_is_guest, post_id)
    redirect_to special_guest_post_path(post_id) if author_is_guest
  end
end

If params[:guest] is present and not false, the private method returns something truthy and the #show action quits. If the condition fails then it returns nil, and the action continues.




回答3:


Try,

before_filter :redirect_guests, :except => [:new, :create, :destroy]

should work.

This is because you are using redirect twice, in authenticate_admin! and redirect_guests for new, create and destroy actions.




回答4:


"Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action."

That's the reason of the error. In show method, if you are neither the owner of this account nor the admin, you are facing two actions: redirect_to and render

My suggestion is to put all of the redirect logic into before_filter



来源:https://stackoverflow.com/questions/15990326/return-redirect-to-in-private-controller-method

标签
ruby-on-rails
ruby
ruby-on-rails-3
devise
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!