Leo Costa

Reputation: 371

Devise: How to prevent users from seeing other users information

When a user is logged in he has the ability to see which events he is attending. The action in the UsersController is the following:

class UsersController < ApplicationController
  before_filter :authenticate_user!

  def events
    @title = "Events"
    # Loads whichever user id is in the URL, not the signed-in user
    @event = User.find(params[:id])
    @events = @event.event_presence.paginate(page: params[:page])
    render 'show_events'
  end
end

However, User(2) is able to see the events of User(3) just by changing the HTTP address from /users/2/events to /users/3/events.

So my question is, how can I make sure that User(2) is only able to see the events of User(2) and not of User(3)?

Thanks

Upvotes: 0

Views: 271

Answers (2)

Eyeslandic

Reputation: 14900

Filter on current_user.id in your events method instead of params[:id]:

@event = User.find(current_user.id)

However, an even better way would be to have a special route that doesn't include the id:

get 'events' => 'users#events', as: :users_events

and use it like so:

= link_to 'Events', users_events_path

Upvotes: 1
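An added example, not from the question or either answer: the controller action modelled in plain Ruby (no Rails, constructed sample users), contrasting the original lookup by params[:id] with the current_user-scoped version from this answer, plus a checked variant for routes that must keep :id in the URL.

```ruby
# Minimal stand-in for User records; the data is constructed for this example.
User = Struct.new(:id, :event_presence, keyword_init: true)

USERS = {
  2 => User.new(id: 2, event_presence: ['RubyConf', 'RailsCamp']),
  3 => User.new(id: 3, event_presence: ['DEF CON'])
}.freeze

# Mirrors the original action: trusts params[:id], so any signed-in user
# can read another user's events just by editing the id in the URL.
def events_vulnerable(params, _current_user)
  USERS.fetch(params[:id]).event_presence
end

# The fix from this answer: ignore the id in the request entirely and
# scope the lookup to the authenticated user.
def events_fixed(_params, current_user)
  current_user.event_presence
end

# Variant for a route that must keep :id (e.g. /users/:id/events): refuse
# unless the requested record belongs to the caller. Returns [status, body].
def events_checked(params, current_user)
  return [403, []] unless params[:id] == current_user.id

  [200, USERS.fetch(params[:id]).event_presence]
end

if __FILE__ == $PROGRAM_NAME
  me = USERS.fetch(2)
  p events_vulnerable({ id: 3 }, me) # leaks User(3)'s events
  p events_fixed({ id: 3 }, me)      # only User(2)'s events
  p events_checked({ id: 3 }, me)    # [403, []]
end
```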

Hristo Georgiev

Reputation: 2519

Cancan is a gem that helps you define what users can and cannot do.

https://github.com/ryanb/cancan

It works well with Devise, so don't worry about implementation.

You can also try The Role:

https://github.com/the-teacher/the_role

Personally, I think its documentation is better.

Upvotes: 0
