0

我正在尝试执行以下操作:我有一个按用户过滤记录的页面:

这是我的控制器:

def index
  if current_user.role? "producer"
    @ search = Victim.joins (: producer). where (: producers => {: email => current_user.email}.) search (params [: search])
    @ @ search.paginate victims = (: page => params [: page],: per_page => 10)
  elsif
    @ search = Victim.search (params [: search])
    @ @ search.paginate victims = (: page => params [: page],: per_page => 10)
  end
end

它可以过滤只属于当前用户的索引记录。但是如果当前用户在导航中输入记录的ID,他可以看到不包含当前用户电子邮件的记录的数据。想知道如何绕过此访问并允许当前用户访问页面“显示”仅包含您的电子邮件的记录,就像在“索引”中所做的那样。

我任何可以帮助的人!

4

1 回答 1

0

在没有看到您当前的show方法、路线或模型的情况下:

def show
    if Branch.exists?(params[:id])
        @branch = Branch.find(params[:id])
        @branches = Victim.where (:branch_id => @branch.id)
    else

    if @branch.nil? || @branch.email != current_user.email
        log_message = "Current User #{current_user.email} was blocked from viewing a branch "
        log_message += "owned by #{@branch.email}" if @branch
        log_message += "#{params[:id]} that does not exist" if @branch.nil?
        logger.warn log_message 
        redirect_to action: "index"
    else
        logger.debug "Current User #{current_user.email} was allowed to view a branch with the email #{@branch.email}"
    end
end

基本上,在您的 show 方法中,您所要做的就是验证用户确实有权查看该记录。如果没有,请将它们重定向到其他地方

于 2013-08-20T20:16:09.793 回答