Pat Marx

Reputation: 339

Devise logged in user persisting to other accounts

I'm running into a problem with Devise on Rails 3.2.

On Heroku, I'll have somebody (X) log in using their Twitter account, which works fine and authenticates them. Users are restricted from certain pages if they aren't logged in via Twitter. My problem then is that once X logs in, another person Y, using a different computer and without logging in via Twitter, will access those pages and already be logged in as X automatically. Any ideas why this would happen? I'm not sure which code to post, but here is the method in the controller for the page.

before_filter :authenticate_user!

def show
    @donater = Donater.find(params[:id])
    twitter_id_str = current_user.authentications.find_by_provider(:twitter).uid
    @current_user_twitter_handle = get_twitter_handle_from_id(twitter_id_str.to_i).screen_name
end

Upvotes: 1

Views: 67

Answers (1)

RustyToms

Reputation: 7810

If you want the user to only be able to find the Donater model associated with the user's account, you need to retrieve that Donater model through the currently logged in user's account.

Here is your code:

def show
    @donater = Donater.find(params[:id])
    twitter_id_str = current_user.authentications.find_by_provider(:twitter).uid
    @current_user_twitter_handle = get_twitter_handle_from_id(twitter_id_str.to_i).screen_name
end

You are checking to see if the user is logged in, but then you are just grabbing the information from the url and providing whatever Donater model you find. This allows anyone who is signed in to access any Donater model.

Hopefully you have an association set up between the User and Donater. Then you can change your code to this:

def show
    # scope the lookup through the logged-in user so only their own records can be found
    @donater = Donater.where(id: params[:id], user_id: current_user.id).first # modify for your specific situation
    if @donater.nil?
      render text: "Not Found or Access Denied" # replace this with a redirect or whatever based on your needs
      return
    end
    twitter_id_str = current_user.authentications.find_by_provider(:twitter).uid
    @current_user_twitter_handle = get_twitter_handle_from_id(twitter_id_str.to_i).screen_name
end

Upvotes: 1
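The scoping the answer describes, as an added plain-Ruby illustration that is not part of the question or the answer (no Rails or ActiveRecord involved; the users, records and amounts are constructed sample data): an unscoped lookup beside one scoped to the current user, showing that a signed-in user can reach only their own Donater record.

```ruby
# Added example: in-memory stand-in for the Donater model (no Rails / ActiveRecord).
# Constructed sample data: two users, each owning one Donater record.
Donater = Struct.new(:id, :user_id, :amount)
User    = Struct.new(:id, :name)

DONATERS = [
  Donater.new(1, 10, 25),   # belongs to user 10
  Donater.new(2, 20, 40),   # belongs to user 20
].freeze

# Pattern from the question: authentication has been checked, but the record
# is looked up purely by the id taken from the URL, so any signed-in user can
# read any Donater (an insecure direct object reference).
def find_donater_unscoped(params)
  DONATERS.find { |d| d.id == params[:id].to_i }
end

# Pattern from the answer: scope the lookup through the current user, the
# equivalent of Donater.where(id: params[:id], user_id: current_user.id).first
def find_donater_scoped(params, current_user)
  DONATERS.find { |d| d.id == params[:id].to_i && d.user_id == current_user.id }
end

# Controller-style action that returns [status, body] instead of rendering.
def show(params, current_user)
  donater = find_donater_scoped(params, current_user)
  return [404, "Not Found or Access Denied"] if donater.nil?
  [200, "Donater #{donater.id}: #{donater.amount}"]
end

if __FILE__ == $0
  y = User.new(20, "Y")
  p find_donater_unscoped({ id: "1" })   # Y can read user 10's record
  p show({ id: "1" }, y)                 # [404, "Not Found or Access Denied"]
  p show({ id: "2" }, y)                 # [200, "Donater 2: 40"]
end
```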
