user358380
Rails 3.1: Deny editing other users' images

I have a web app which uses Devise for authentication. It is a site which allows the user to upload images, so the URL would be /images/2. There is a separate image controller.

I have found that a user could edit an image they didn't upload by changing the URL, e.g. /images/4/edit. Is there a way to block them from editing other users' images and only allow them to edit their own?

The images controller, model, etc. were created using rails g scaffold, if that helps.

Upvotes: 1

Views: 104

Answers (1)

Maurício Linhares

Reputation: 40333

There are many different solutions for this, but the simplest is, when running edit/update/destroy, to load the image from the current user instead of from all images:

def edit
  # Scoped to the owner's association: an id belonging to another user
  # raises ActiveRecord::RecordNotFound, which Rails renders as a 404.
  @image = current_user.images.find( params[:id] )
end

def update
  @image = current_user.images.find( params[:id] )
  # do whatever has to be done
end

def destroy
  @image = current_user.images.find( params[:id] )
  # do whatever has to be done
end

Also, using scaffolds is a really bad practice; you should just write your own code. It's simpler, more productive, and will lead you to understand how the framework is supposed to work.

You could also use nested controllers for this, but you would have to research a bit to understand how they work and why they might be a better solution.

Upvotes: 3
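To make the difference between the scaffold's unscoped lookup and the owner-scoped lookup concrete, here is an added, Rails-free Ruby illustration (not the asker's or answerer's code). It stands in for ActiveRecord with an in-memory table and a hand-written `images` association; the `RecordNotFound` class, the `User`/`Image` structures and the sample records are all constructed for this example. The point it shows is the one in the answer: when the query starts from `current_user.images`, an id owned by someone else simply does not exist from that user's point of view, and the lookup raises instead of returning the record (in Rails, `ActiveRecord::RecordNotFound` becomes a 404).

```ruby
# Added illustration of the owner-scoped lookup fix; plain Ruby, no Rails needed.
# RecordNotFound mirrors ActiveRecord::RecordNotFound for this example.
class RecordNotFound < StandardError; end

Image = Struct.new(:id, :user_id, :title)

# Constructed sample table: user 1 owns images 1 and 2, user 2 owns image 4.
IMAGES = [
  Image.new(1, 1, "cat.png"),
  Image.new(2, 1, "dog.png"),
  Image.new(4, 2, "private.png"),
].freeze

# Unscoped lookup, equivalent to the scaffold's Image.find(params[:id]):
# any existing id is reachable regardless of who is asking.
def find_any_image(id)
  IMAGES.find { |img| img.id == id.to_i } || raise(RecordNotFound, "Image #{id}")
end

# Minimal stand-in for a Devise user with a has_many :images association.
class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # The association: only rows whose user_id matches this user.
  def images
    IMAGES.select { |img| img.user_id == id }
  end

  # Equivalent of current_user.images.find(params[:id]): the search is
  # restricted to the caller's own rows, so another user's id raises.
  def find_image(id)
    images.find { |img| img.id == id.to_i } || raise(RecordNotFound, "Image #{id}")
  end
end

# Controller-style edit actions. Each returns the image it would render,
# or :not_found where Rails would respond with a 404.
def vulnerable_edit(_current_user, params)
  find_any_image(params[:id])          # ignores who is logged in
rescue RecordNotFound
  :not_found
end

def fixed_edit(current_user, params)
  current_user.find_image(params[:id]) # scoped to the owner
rescue RecordNotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1)
  p vulnerable_edit(alice, id: "4")  # another user's image is served
  p fixed_edit(alice, id: "4")       # :not_found
  p fixed_edit(alice, id: "2")       # alice's own image
end
```

The same scoping belongs in `update` and `destroy` as well, as the answer shows; a check that only guards `edit` still leaves the state-changing actions open to a hand-crafted request.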
