Reputation: 547
I have a general question...
I have built my user model using Michael Hartl's tutorial example. What I am having trouble with is altering the URL to yield other users' information. I am using Friendly_id, which changes the URL from id -> name, but if I change the name at the top to another user, it will display their home page. I want to restrict my users from being able to do that.
Is this possible without the implementation of Devise or CanCan or the such? I am trying to throw a validation that checks if the user tries to change the name in the URL bar, that is, checks if the name is the current user logged in and, if not, redirects back to the current user.
If you need any model info, please let me know.
TIA
Upvotes: 1
Views: 1250
Reputation: 15089
You can put a before_filter on your UsersController that validates this scenario like this:
    class UsersController < ApplicationController
      # Each time you make an action on your UsersController this filter will run
      before_filter :validate_url_hack

      private

      # Check the params hash to see if the passed :id matches the current user.
      # Comparing against current_user.to_param works both for a numeric id and
      # for a friendly_id slug (a .to_i comparison would turn a slug into 0 and
      # always fail).
      def validate_url_hack
        unless params[:id].to_s == current_user.to_param
          # Send the user back to the previous action, or home if there is no referer
          redirect_to(request.referer || root_path)
        end
      end
    end
This is just a guess, but I believe that something like this should work.
Upvotes: 2
Reputation: 37366
All the models that you want to restrict to a specific user should have a belongs_to association to your User model, so that in your controllers you do
    current_user.cars
and you should never pass the user id in the URL. This assumes you are using devise.
Upvotes: 2
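Both answers above are patterns for the same problem: a record id or slug taken from the URL must never be trusted on its own to decide whose data is shown. The block below is an added example, not code from either answer or from the friendly_id gem; it is plain Ruby with no Rails, so `User`, `Car`, `url_guard` and `find_owned_car` are stand-ins for the controller filter of the first answer and the `current_user.cars` scoping of the second, and the users and cars are constructed sample data.

```ruby
# Plain-Ruby model of the two defences discussed in the answers (added example,
# not from the original page; all names and sample data are constructed here).

# friendly_id makes to_param return the slug instead of the numeric id, so the
# value that shows up in the URL (and in params[:id]) is the slug.
User = Struct.new(:id, :slug) do
  def to_param
    slug
  end
end

# A record owned by a user, i.e. `belongs_to :user` in Rails.
Car = Struct.new(:id, :user_id, :name)

# Constructed sample data: two users, one car each.
USERS = [User.new(1, "alice"), User.new(2, "bob")].freeze
CARS  = [Car.new(10, 1, "alice-car"), Car.new(11, 2, "bob-car")].freeze

# First answer's pattern: a before_filter that compares the :id in the URL with
# the logged-in user. The comparison is done on the string form (to_param), so it
# works for numeric ids and for friendly_id slugs; a .to_i comparison would turn
# the slug "bob" into 0 and the check would fail for every request.
def url_guard(params, current_user)
  return :redirect unless params[:id].to_s == current_user.to_param.to_s
  :allow
end

# Second answer's pattern: never look a record up by bare id. Scope the lookup
# through the owner, like `current_user.cars.find(params[:id])`, so that an id
# belonging to someone else is simply not found (Rails would raise
# RecordNotFound and render a 404; here we return nil).
def find_owned_car(current_user, car_id, cars = CARS)
  cars.find { |c| c.user_id == current_user.id && c.id == car_id.to_i }
end

# Walk through the cases from the question: alice visiting her own page and
# bob's page, and alice asking for her own car and for bob's car.
def demo
  alice = USERS[0]
  {
    own_page:   url_guard({ id: "alice" }, alice),
    other_page: url_guard({ id: "bob" }, alice),
    own_car:    find_owned_car(alice, "10")&.name,
    other_car:  find_owned_car(alice, "11"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The scoped lookup is the more robust of the two: it needs no knowledge of how the URL is built, it covers every action that touches the model rather than only the ones a filter is wired to, and a tampered id yields a 404 instead of a redirect that might itself loop through `request.referer`.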