Reputation: 1566
how to only edit and destroy my own content only?
Have a basic blog (it's actually edgeguide's blog: http://edgeguides.rubyonrails.org/getting_started.html)
Then I integrated Devise into it. So, user can only log in and see their own information.
Now trying to change it somewhat.
I'd like the users to see all content, but only edit and destroy their own only.
Trying to use before_action filter like this:
`before_action :authorize, :only => [:edit, :destroy]`
And this is the authorize method that I wrote:
def authorize
@article = Article.find(params[:id])
if [email protected]_id = current_user.id then
flash[:notice] = "You are not the creator of this article, therefore you're not permitted to edit or destroy this article"
end
end
But it doesn't work. Everything acts as normal, and I can delete mine and everyone's else content.
How do I get it that I can destroy ONLY my own content, and not everyone's else?
Not using CanCan, nor do I want to.
Not sure if this is worth including or not, but originally when I had everyone see their own content, that was via create action:
def create
@article = Article.new(article_params)
@article.user_id = current_user.id if current_user
if @article.save
redirect_to @article
else
render 'new'
end
end
Upvotes: 0
Views: 267
Answers (1)
Reputation: 20878
You're having several problems
first, look at that :
if [email protected]_id = current_user.id then
You're only using one = instead of == so you are doing an assignation that will evaluate to current_user.id
Also, in your condition, you're only setting a flash message but not doing anything to really prevent the user.
Here's a corrected version :
def authorize
@article = Article.find(params[:id])
unless @article.user_id == current_user.id
flash[:notice] = "You are not the creator of this article, therefore you're not permitted to edit or destroy this article"
redirect_to root_path # or anything you prefer
return false # Important to let rails know that the controller should not be executed
end
end
Upvotes: 2
Related Questions
- how to let users only edit/delete their own items? Ruby on Rails
- Best way to restrict actions (edit/delete) with Ruby on Rails and Devise
- How do I make it so that a user can only edit/view items belonging to them Using Devise?
- Only allow a user to edit their own content
- How to allow users to delete or update non-user resources and only there own?
- How to permit creator to destroy his own record with Devise on Rails3
- Allow users to edit/destroy their own profiles only from the index
- how to restrict users to only edit their records
- Setup Devise to only allow editing of own records?
- Restricting Edit and Delete