Manny 777 wrote in post #1003216:
Hello,
I am struggling with the problem, when I have controller ‘Registraces’
and data stored in table ‘Registraces’. This controller + view + DB
table I am using for work with registrations of users - new
registration, edit currently registration etc.
If the user is logged to system, I want give him an option to edit his
registrations informations as name, email etc.
For this reason I created controller ‘Account’, where in method ‘index’
I am loading data from table ‘Registraces’ for currently signup user and
this data I am putting to _form.html.erb – to this point everything
works fine.
But now I looks to generated HTML source, I see in tag ‘form’ the value
fo attribute action: ‘action="/registraces/23"’ – how is is possible?
I’ll be expect this “/accounts/23” – I have no idea, why is the
controller ‘registraces’ there…
I tried a lot of ways to change name controller from ‘registraces’ to
‘account’, but unfortunately, without success…
So I would like to ask you for hint, where could be a problem… Is any
important part, which I don’t understand or something to forgot?
Thanks in advance,
Manny
I’m not sure how you’ve setup your controllers, but you can do something
as simple as this:
users_controller.rb
Add a before_filter and add your own exceptions
In this example, I’m just saying that the user has to
be authenticated for everything except new and create
actions…
before_filter :authenticate_user!, :except => [:new, :create]
GET /users/1/edit
def edit
check to ensure that the ID being requested matches the current user
unless params[:id] == @current_user.id.to_s
# if not then redirect them to their page
redirect_to(edit_users_path(@current_user.id))
else
# give them the right to edit their own information
@user = User.find(params[:id])
end
end
application_controller.rb
In application_controller you then define your current_user
and authenticate! methods
this method is used for pages that require authentication
def authenticate_user!
if !current_user
redirect_to login_path, :notice => ‘You need to sign in before
accessing this page!’ and return false
end
end
Find the current_user
def current_user
@current_user ||= User.find_by_id(session[:user_id])
end
This is just a simple version of checking to ensure that the user
accessing your edit method is authenticated and signed in, and you add
some simple checking to ensure that they are trying to access their
“own” ID and not someone elses.
Granted, I have a ton of extra things in my authentication and
authorization controllers, but this is just a bare bones example of
something you could do.
Thanks.