How do I hide a "private" show page from other users?

In other words, if a user enters, for example:

http://0.0.0.0:3000/goals/3 

then even if the goal was submitted as "private", they are able to see that user's goal. This is something I overlooked: submitting via "private" hides the goal from the user's profile and feed, but not when another user looks it up directly by URL.

How can we fix this?

goals_controller

    class GoalsController < ApplicationController
      before_action :set_goal, only: [:show, :edit, :update, :destroy, :like, :user_goals]
      before_action :logged_in_user, only: [:create, :destroy]
      before_action :correct_user, only: [:edit, :update, :destroy]

      def index
        if params[:tag]
          @goals = Goal.tagged_with(params[:tag])
        elsif params[:user_id]
          @accomplished_goals = User.find(params[:user_id]).goals.accomplished.order("deadline")
          @unaccomplished_goals = User.find(params[:user_id]).goals.unaccomplished.order("deadline")
        else
          @accomplished_goals = current_user.goals.accomplished.order("deadline")
          @unaccomplished_goals = current_user.goals.unaccomplished.order("deadline")
        end
      end

      def user_goals
        # find_by returns a single record, not a collection
        @goals = Goal.find_by({user_id: params[:user_id]})
        render :index # or some other view
      end

      def show
        # Looks the goal up by id only; nothing checks ownership or the private flag,
        # so any goal is shown to anyone who knows its URL.
        @goal = Goal.find(params[:id])
        @commentable = @goal
        @comments = @commentable.comments
        @comment = Comment.new
        @notable = @goal
        @notes = @notable.notes
        @note = Note.new
        @correct_user = current_user.goals.find_by(id: params[:id])
      end

      def new
        @goal = current_user.goals.build
      end

      def edit
      end

      def create
        @goal = current_user.goals.build(goal_params)
        if (params[:commit] == 'conceal')
          @goal.conceal = true
          @goal.save
          redirect_to @goal, notice: 'Goal was successfully created'
        elsif @goal.save
          track_activity @goal
          redirect_to @goal, notice: 'Goal was successfully created'
        else
          flash.now[:danger] = 'Required Field: "Enter Goal"'
          render 'new'
        end
      end

      def update
        if @goal.update(goal_params)
          redirect_to goals_url, notice: 'Goal was successfully updated'
        else
          render action: 'edit'
        end
      end

      def destroy
        @goal.destroy
        redirect_to goals_url
      end

      def like
        @goal = Goal.find(params[:id])
        @goal_like = current_user.goal_likes.build(goal: @goal)
        if @goal_like.save
          @goal.increment!(:likes)
          flash[:success] = 'Thanks for liking!'
        else
          flash[:error] = 'Too many likes'
        end
        redirect_to(:back)
      end

      private

      def set_goal
        @goal = Goal.find(params[:id])
      end

      # Only guards edit/update/destroy; show and like are not covered
      def correct_user
        @goal = current_user.goals.find_by(id: params[:id])
        redirect_to root_url, notice: "Not authorized to edit this goal" if @goal.nil?
      end

      def goal_params
        params.require(:goal).permit(:name, :like, :deadline, :accomplished, :tag_list, :comment, :private_submit)
      end
    end

goal.rb

    class Goal < ActiveRecord::Base
      # The scope's name was lost when the post was extracted; :visible is a placeholder
      scope :visible, -> { where(:conceal => false) }
      belongs_to :user
      scope :accomplished, -> { where(accomplished: true) }
      scope :unaccomplished, -> { where(accomplished: false) }
    end

Is private_submit a boolean field?

If so, you can quickly make the show page private when the value of the private_submit field is "true".

    class GoalsController < ApplicationController
      # Remove :edit, :update, :destroy, and :user_goals from below as the action is duplicated
      before_action :set_goal, only: [:show, :like]

      def show
        ## Remove: @goal = Goal.find(params[:id])
      end

      def like
        # Remove this as it's already being called in set_goal:
        # @goal = Goal.find(params[:id])
        ...
      end

      ...

      def set_goal
        @goal = Goal.find(params[:id])
        # owner can always see the goal; everyone else only if it is not private
        redirect_to(:back) unless @goal.user_id == current_user.id or @goal.private_submit == false
      end
    end
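To see the difference between the question's unchecked `show` and the guard this answer proposes, here is a plain-Ruby stand-in that runs without Rails. It is an added example, not code from the question, the answer or the app: the `Goal`/`User` structs, the sample goals, `find_goal` and the two exception classes are constructed for the illustration.

```ruby
# Added example (not the app's code): models the show-page guard without Rails.
Goal = Struct.new(:id, :user_id, :name, :private_submit)
User = Struct.new(:id, :name)

# Constructed sample data: two users, each with one public and one private goal.
GOALS = [
  Goal.new(1, 10, "learn rust",   false),
  Goal.new(2, 10, "quit smoking", true),   # alice's private goal
  Goal.new(3, 20, "run marathon", false),
  Goal.new(4, 20, "save 10k",     true),   # bob's private goal
].freeze

class NotFound < StandardError; end
class NotAuthorized < StandardError; end

# Stand-in for Goal.find(params[:id])
def find_goal(id)
  GOALS.find { |g| g.id == id } or raise NotFound, "goal #{id}"
end

# The pattern in the question: the action only looks the goal up by id, so
# anyone who types /goals/:id gets a private goal back.
def show_goal_unguarded(goal_id, _current_user)
  find_goal(goal_id)
end

# Mirror of the answer's set_goal rule: the owner can always see the goal,
# everyone else only if it is not private. A nil visitor (logged out) is
# treated as "not the owner" instead of raising, which `current_user.id`
# in the answer would do when nobody is signed in.
def visible_to?(goal, current_user)
  return true unless goal.private_submit
  !current_user.nil? && goal.user_id == current_user.id
end

def show_goal_guarded(goal_id, current_user)
  goal = find_goal(goal_id)
  raise NotAuthorized, "goal #{goal_id}" unless visible_to?(goal, current_user)
  goal
end

# Which goal ids a given visitor may open; useful for a feed or a quick audit.
def visible_goal_ids(current_user)
  GOALS.select { |g| visible_to?(g, current_user) }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10, "alice")
  bob   = User.new(20, "bob")
  puts "unguarded: bob opens alice's private goal -> #{show_goal_unguarded(2, bob).name}"
  begin
    show_goal_guarded(2, bob)
  rescue NotAuthorized => e
    puts "guarded: #{e.class} for #{e.message}"
  end
  puts "alice sees #{visible_goal_ids(alice).inspect}, anonymous sees #{visible_goal_ids(nil).inspect}"
end
```

One detail worth keeping in mind with the answer's `redirect_to(:back) unless @goal.user_id == current_user.id ...`: in the question's controller `logged_in_user` only runs for `create` and `destroy`, so `show` is reachable without a session and `current_user` can be `nil`. The `visible_to?` above handles that case explicitly rather than letting it raise.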

Please consider one of the Rails authorization gems. In my opinion the simplest one is Pundit. With Pundit you would need to do the following:

    # Goals controller
    def set_goal
      @goal = Goal.find(params[:id])
      authorize @goal
    end

    # GoalPolicy
    def show?
      (goal.private? and goal.user == current_user) or not goal.private?
    end

A full list of popular Ruby authorization gems
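A plain-Ruby imitation of the policy-object pattern this answer points to, as an added example. It is not the Pundit gem and not the app's code: the `authorize` and `policy_scope` helpers only imitate what the gem provides, and the `GoalPolicy::Scope`, the owner-only rules for `edit?`/`update?`/`destroy?` and the sample users and goals are assumptions added here.

```ruby
# Added example: policy object in the Pundit style, written without the gem.
User = Struct.new(:id, :name)
Goal = Struct.new(:id, :user, :name, :private_submit) do
  def private?
    private_submit
  end
end

class NotAuthorizedError < StandardError; end

# One predicate per controller action, named after the action with a "?".
class GoalPolicy
  attr_reader :user, :goal

  def initialize(user, goal)
    @user = user   # may be nil for a logged-out visitor
    @goal = goal
  end

  # The rule from the answer, written so a nil user is simply "not the owner".
  def show?
    !goal.private? || goal.user == user
  end

  # Assumed rules (not from the answer): only the owner changes or deletes a goal.
  def edit?;    owner?; end
  def update?;  owner?; end
  def destroy?; owner?; end
  def like?;    show?;  end

  # Collection counterpart of show?, for index pages and feeds, so other
  # users' private goals never reach the template in the first place.
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      @scope.select { |g| !g.private? || g.user == @user }
    end
  end

  private

  def owner?
    !user.nil? && goal.user == user
  end
end

# Stand-in for the gem's `authorize`: maps the action to the policy predicate
# and raises when it returns false.
def authorize(user, goal, action)
  return goal if GoalPolicy.new(user, goal).public_send("#{action}?")
  raise NotAuthorizedError, "#{action} on goal #{goal.id}"
end

# Stand-in for the gem's `policy_scope`.
def policy_scope(user, goals)
  GoalPolicy::Scope.new(user, goals).resolve
end

# Constructed sample data.
ALICE = User.new(10, "alice")
BOB   = User.new(20, "bob")
GOALS = [
  Goal.new(1, ALICE, "learn rust",   false),
  Goal.new(2, ALICE, "quit smoking", true),
  Goal.new(3, BOB,   "run marathon", false),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "bob sees goals #{policy_scope(BOB, GOALS).map(&:id).inspect}"
  begin
    authorize(BOB, GOALS[1], :show)
  rescue NotAuthorizedError => e
    puts "denied: #{e.message}"
  end
  puts "alice may destroy goal #{authorize(ALICE, GOALS[0], :destroy).id}"
end
```

The point of the `Scope` class is that the same rule protects both paths the question mentions: `authorize` covers the direct `/goals/:id` URL, and `policy_scope` covers the profile and feed listings, so the two can no longer drift apart.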