GrégoireC
Reputation: 279
Authorise user to edit only their account with Rails
I would like to allow user to edit their account, and only their account, without using Devise and / or Cancan.
I have the following in application_controller :
helper_method :current_user
helper_method :require_proprio
private
def current_user
@current_user ||= User.find(session[:user_id]) if session[:user_id]
end
def require_proprio
unless current_user == (params[:id])
render :file => "#{Rails.root}/public/422", :status => 500
end
end
Here's the users_controller :
before_filter :require_proprio , :only => [ :edit, :update]
But when I'm connected with the user.id = 10, for example, I can't access to the page http://localhost:3000/users/10/edit. The page public/422 appears. I tried also to access http://localhost:3000/users/11/edit, and the result is the same (public/422).
Does someone have an idea of the way I can resolve it ? Thanks
Upvotes: 0
Views: 36
Answers (1)
Jesse Wolgamott
Reputation: 40277
unless current_user == (params[:id])
current_user is an object, so this will never be true. Try:
unless current_user.id == params.fetch(:id).to_i
Upvotes: 2
Related Questions
- Rails - I want to allow a user to change only their profile
- Only allow logged in/current users to edit their own post
- Manage the edit users in rails 4
- Only allow a user to edit their own content
- Allow users to edit their account without providing a password | Rails4
- How to ensure that a user in Rails can update/insert/delete only his/her record in a database
- Using Devise, how do I make it so that a user can only edit/view items belonging to them
- Preventing other signed-in users from accessing 'edit' page
- how to restrict users to only edit their records
- Ruby on rails more elegant way to authenticate that users can edit only their own content