Robbie Done

Reputation: 1157

Devise and user profiles

I have set up a test application and have set up Devise to take care of the authentication; additionally I have set up a component where they are sent to a create-profile page after registration, which works well.

The problem I have is when a logged-in user goes to edit their profile it is easy for them to change the query string and access another user's data -

http://localhost:3000/profiles/1/edit

The question I have is how do I lock this down to the current user so that they can only edit their data?

Robbie

Upvotes: 0

Views: 793

Answers (2)

shime

Reputation: 9008

I would go for a before_filter.

# in profiles controller
class ProfilesController < ApplicationController

  # Only the member actions carry an :id; running the lookup on index/new/create
  # would fail on the missing param.
  before_filter :find_profile,        :only => [:show, :edit, :update, :destroy]
  before_filter :check_if_authorized, :only => [:show, :edit, :update, :destroy]

  private

  # Profile.find raises ActiveRecord::RecordNotFound (rendered as 404) for unknown ids.
  def find_profile
    @profile = Profile.find(params[:id])
  end

  # Answer 404 rather than 403 so the existence of other users' profiles is not
  # revealed. head renders a response, which is what halts the filter chain;
  # a bare render with no template would try to render the action's view.
  def check_if_authorized
    head :not_found unless current_user == @profile.user
  end

end

Assumptions:

  • devise model is named User
  • user has one profile
  • you're already checking if a user is logged in

Upvotes: 1
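To make the difference between "load then check" and "never load it at all" concrete, here is an added example that is not code from either answer: a Rails-free sketch with users, profiles and the request constructed in memory (the method names are hypothetical; in a real app Profile would be an ActiveRecord model and the scoped form would be `current_user.profiles.find(params[:id])`).

```ruby
# Added example (not from the original answers): two ways to stop a logged-in
# user editing someone else's profile by changing the id in /profiles/:id/edit.
# Everything is constructed in memory so the file runs stand-alone.
User    = Struct.new(:id, :name)
Profile = Struct.new(:id, :user_id, :bio)

PROFILES = [
  Profile.new(1, 10, "alice's profile"),   # belongs to user 10
  Profile.new(2, 20, "bob's profile"),     # belongs to user 20
].freeze

# Unsafe baseline, i.e. Profile.find(params[:id]) with no owner check: exactly
# the behaviour the question describes. Kept only for comparison.
def edit_unchecked(_current_user, params)
  profile = PROFILES.find { |p| p.id == params[:id] }
  profile ? [200, profile] : [404, nil]
end

# Approach 1 (what shime's before_filter does): load by id, then compare the
# record's owner with current_user and answer 404 on mismatch, so the existence
# of other users' ids is not revealed.
def edit_with_ownership_check(current_user, params)
  profile = PROFILES.find { |p| p.id == params[:id] }
  return [404, nil] if profile.nil? || profile.user_id != current_user.id
  [200, profile]
end

# Approach 2 (scoped lookup): search only inside the current user's own
# profiles, so a foreign id is never loaded in the first place. In ActiveRecord
# this is current_user.profiles.find(params[:id]), which raises RecordNotFound
# for any id the user does not own and Rails renders as a 404.
def edit_with_scoped_lookup(current_user, params)
  own = PROFILES.select { |p| p.user_id == current_user.id }
  profile = own.find { |p| p.id == params[:id] }
  profile ? [200, profile] : [404, nil]
end

if __FILE__ == $0
  alice = User.new(10, "alice")
  p edit_unchecked(alice, { id: 2 }).first            # 200: bob's record leaks
  p edit_with_ownership_check(alice, { id: 2 }).first # 404
  p edit_with_scoped_lookup(alice, { id: 2 }).first   # 404
  p edit_with_scoped_lookup(alice, { id: 1 }).first   # 200: her own profile
end
```

The scoped form is the one to prefer: it covers show, edit, update and destroy with a single lookup and cannot be forgotten in a new action the way a separate ownership filter can.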

user1428016

Reputation: 117

You can use token authentication along with session for more precise and secure authentication.

Add devise :token_authenticatable to the model User. This will create an authentication token in the authentication_token field of the users table every time a user is created.

Then go for a before_filter :verify_auth_token

def verify_auth_token
  # A Rails 3 before_filter only halts the chain by rendering or redirecting;
  # returning false would let the action run anyway, so respond instead.
  head :unauthorized unless current_user && current_user.authentication_token == params[:auth_token]
end

Also the edit request should be http:///profiles/1/edit?auth_token=12wqaasaeaad

Upvotes: 1
