Handling id for social networking site

Hi All,

I want to handle the id parameter for a social networking site.

For example:

If the user logs in to the site having id=1, he can see his profile at

http://localhost:3000/users/1
http://localhost:3000/users/1/edit for editing

The scenario is that the logged-in user having id=1 is able to see and
edit the profile details of another user, say id=2, just by changing the
URL.

http://localhost:3000/users/2
http://localhost:3000/users/2/edit for editing

Continuing, the same user having id=1 is also able to copy and paste
any URL of user id=2, but some URLs can only be accessed by user id=2.

Problem:
One user must not be able to access another user's details. Please let me
know how to handle URL parameters.

Thanks in advance,
Saurabh

Assuming you have a current_user method, or something similar:

# in users controller
before_filter :user_is_current_user

def user_is_current_user
  # params[:id] is a String, so compare it as an Integer
  redirect_to :action => "index" unless current_user.id == params[:id].to_i
end

Something like that anyway. This will make it so that a user can only
be edited, created, updated or viewed by themselves. If you wanted to
change it so that admin users could edit others' details, you could change
it like:

def user_is_current_user
  # admins may act on any id; everyone else only on their own
  redirect_to :action => "index" unless current_user.admin? ||
    current_user.id == params[:id].to_i
end

Thanks Max,

Do you have any idea about URL hiding?

Example:

My current url: http://localhost:3000/users/buying_history

I want to display it as http://localhost:3000/# or make it uneditable.

Thanks
Saurabh

I don't know how you could do this; best post in a new thread I think,
since it's a different question.

Why? Make sure users know where they are~~

URL trickery is not a smart way~

On Oct 27, 10:39 pm, Saurabh P. <rails-mailing-l…@andreas-

# in users controller
before_filter :user_is_current_user

def user_is_current_user
  redirect_to :action => "index" unless current_user.id == params[:id].to_i
end

Actually, a correction: I just noticed that I made this redirect to
somewhere that is blocked, so it will go into an infinite loop. Just
change the redirect to somewhere people can get to, like the home page
for example.

def user_is_current_user
  # "/" is not guarded by this filter, so a rejected request cannot loop
  redirect_to "/" unless current_user.id == params[:id].to_i
end
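
The filter above, as an added example that is not code from the thread: plain Ruby stand-ins for User, Order and the params hash (all constructed) so the check runs and can be tested without Rails, plus the ownership-scoped lookup that also covers per-user URLs such as a buying history, where there is no user id in the URL to compare against.

```ruby
# Constructed stand-ins for the Rails User model, an owned record, and
# controller params. params[:id] is kept a String, as Rails delivers it.
User  = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end
Order = Struct.new(:id, :user_id, :item)

# Constructed sample data: two ordinary users, one admin, one order each.
USERS  = { 1 => User.new(1, false), 2 => User.new(2, false), 9 => User.new(9, true) }
ORDERS = [Order.new(10, 1, "book"), Order.new(11, 2, "laptop")]

# Max's before_filter as a predicate: the :id in the URL must be the
# current user's own id, or the current user must be an admin.
def user_is_current_user?(current_user, params)
  current_user.admin? || current_user.id == params[:id].to_i
end

# The guarded edit action. A rejected request is sent to "/", which the
# filter does not guard, so it cannot redirect back into itself.
def edit_action(current_user, params)
  return [:redirect, "/"] unless user_is_current_user?(current_user, params)
  [:render, USERS[params[:id].to_i]]
end

# For records that belong to a user (orders, buying history), the usual
# Rails idiom is to look them up *through* the current user rather than
# trusting the id in the URL at all. A record that exists but belongs to
# someone else comes back nil, which a controller would turn into a 404
# instead of revealing it or confirming it exists.
def find_own_order(current_user, params)
  ORDERS.find { |o| o.user_id == current_user.id && o.id == params[:id].to_i }
end
```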

On Oct 27, 10:39 am, Saurabh P. <rails-mailing-l…@andreas-s.net> wrote:

Thanks Max,

Do you have any idea about url hiding

Example:

My current url: http://localhost:3000/users/buying_history

I want to display it as http://localhost:3000/# or uneditable

Don’t do this. You’re going to have to put the path someplace, and
sufficiently determined attackers will mess with that place, wherever
it is. The better approach is to design your app so that users can’t
do things they aren’t supposed to, URL-trickery aside.

–Matt J.
