Reputation: 109
how to not let a user open any other users page?
In my app, when a user logins he/she is redirected to the users profile page. Say he/she is redirected to http://localhost:3000/users/1
If he/she replaces 1 with any other number I want them to redirect to there current profile no matter if users exits in the database or not
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by_email(params[:email])
if user && user.authenticate(params[:password])
log_in user
redirect_to user
else
flash.now[:danger] = 'Invalid email/password combination'
render 'new'
end
end
def destroy
@current_user = nil
reset_session
redirect_to root_path
end
end
User Controller:
class UsersController < ApplicationController
before_action :logged_in_user, only: [:new, :show, :edit, :update]
before_action :correct_user, only: [:new, :show, :edit, :update]
def index
@users = User.all
end
def new
@user = User.new
end
def create
@user = User.new(set_params)
if @user.save
redirect_to new_sessions_path
else
render 'new'
end
end
def show
@user = User.find(params[:id])
@posts = @user.posts
end
def edit
@user = User.find(params[:id])
end
def update
@user = User.find(params[:id])
if @user.update(update_params)
redirect_to @user
else
render 'edit'
end
end
private
def set_params
params.require(:user).permit(:name, :email, :password, :password_confirmation)
end
def update_params
params.require(:user).permit(:name, :email, :password, :password_confirmation)
end
def correct_user
@user = User.find(params[:id])
redirect_to(root_url) unless current_user?(@user)
end
end
Currenty if user type in search bar localhost:3000/users/5 and user with id 5 does not exists in database it shows error
ActiveRecord::RecordNotFound in UsersController#show Couldn't find User with 'id'=3
but I want to simply redirect to currently logged in users profile page.
If users type in search bar localhost:3000/users/3 and user with this id exists in db , currenty it show an error that firefox is not able to process this request but i want it redirect to its default page i.e,,user's profile page.
Upvotes: 0
Views: 51
Answers (3)
Reputation: 1307
Just change your UsersController#correct_user to catch ActiveRecord NotFound exception:
class UsersController < ApplicationController
...
def correct_user
@user = User.find(params[:id])
redirect_to(root_url) unless current_user?(@user)
rescue ActiveRecord::RecordNotFound
redirect_to(root_url)
end
end
Upvotes: 0
Reputation: 66
I would use "where" and ".take" in Users show method. The find method brakes the code when it does not find anything
def show
@user = User.where("id" => params[:id]).take
if @user.present?
@posts = @user.posts
else
redirect_to(root_url)
end
end
Or you can redirect instead of root_url to a more friendly error view that shows User not found
Upvotes: 0
Reputation: 631
Create another controller call it UserController and don't depend on id. Instead figure out the current user from the session and display that user. So the show method for this controller would look like this:
def show
@user = User.find(session["user_id]")
@posts = @user.posts
end
Also, you might want to protect your UsersController by validating if the current user has access to view / update the user being queried for.
Upvotes: 1
Related Questions
- How can I prevent user access?
- Ruby on Rails: How to stop users changing url to view another user's page?
- Keep users from accessing pages in Rails app if they're not logged in
- How to restrict access to different pages in Rails?
- Rails: Current user should only be able to view their own users#show page (Devise)?
- How to Hide "Private" Show Pages from Other Users?
- How can I restrict a user from viewing a page that they don't have access to?
- Prevent user from accessing page if not current user
- Rails Way to Restrict Page Access Without Sessions
- How to restrict user access page in RoR?