Example:
User A (id=10) has created a photo resource:
photo: (id: 1, user_id: 10, url: "http://...")
Now, if User B (id=20) goes to the URL /photos/1/edit,
they can edit User A's photo!!!
Does Rails + Devise provide a default for this? It seems like a common issue.
I need to allow a user to edit/delete the resources they have created (where current_user == resource.user).
Using: Rails 4, Devise
Update:
I think CanCan is too advanced. I don't need roles or to restrict actions for users.
In PhotosController:
    before_filter :require_permission, only: :edit

    def require_permission
      # Photo (the model class), not photo: a lowercase name would be an undefined local
      if current_user != Photo.find(params[:id]).user
        redirect_to root_path
        # or else here
      end
    end
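As an added illustration (not code from the question), here is the same bug and a fix modelled in plain Ruby with no Rails dependency: the unscoped lookup stands in for `Photo.find(params[:id])`, the owner-scoped lookup stands in for `current_user.photos.find(params[:id])` (assuming `User has_many :photos`), and the users, photos and URLs are constructed sample data.

```ruby
# Minimal stand-ins for the ActiveRecord models in the question.
User  = Struct.new(:id)
Photo = Struct.new(:id, :user_id, :url)

# Stands in for ActiveRecord::RecordNotFound, which Rails maps to a 404.
class RecordNotFound < StandardError; end

# Constructed sample data mirroring the question: user 10 owns photo 1.
USERS  = { 10 => User.new(10), 20 => User.new(20) }.freeze
PHOTOS = [
  Photo.new(1, 10, "http://example.invalid/a.jpg"),
  Photo.new(2, 20, "http://example.invalid/b.jpg"),
].freeze

# Vulnerable lookup: mirrors `Photo.find(params[:id])`. Any signed-in user
# who supplies another user's id gets that record back, because nothing
# ties the query to the caller.
def find_photo_unscoped(id)
  PHOTOS.find { |p| p.id == id } or raise RecordNotFound
end

# Fixed lookup: mirrors `current_user.photos.find(params[:id])`. The query
# is restricted to rows owned by the caller, so a foreign id is simply
# "not found" and no separate ownership comparison is needed.
def find_owned_photo(current_user, id)
  PHOTOS.find { |p| p.id == id && p.user_id == current_user.id } or raise RecordNotFound
end

# Simulated `edit` action. Returns :ok when the edit page would render and
# :not_found when the controller would respond with 404. `scoped: true`
# selects the fixed lookup.
def edit_photo(current_user, id, scoped:)
  scoped ? find_owned_photo(current_user, id) : find_photo_unscoped(id)
  :ok
rescue RecordNotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, user 20 -> photo 1: #{edit_photo(USERS[20], 1, scoped: false)}"
  puts "scoped,   user 20 -> photo 1: #{edit_photo(USERS[20], 1, scoped: true)}"
  puts "scoped,   user 10 -> photo 1: #{edit_photo(USERS[10], 1, scoped: true)}"
end
```

The scoped query also covers `update` and `destroy` without per-action ownership checks, so the same lookup can sit in a single `before_action` that sets `@photo` for all three actions.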