Pallav_bfs
2012-Feb-07 16:15 UTC
how to assign edit/remove privileges for only own details and not on others?
Hello, I am quite new on rails. Currently making CRUD apps in rails 3.0 in windows. I've used devise [1.1.rc0] for authentication. In those apps any logged in user can change other user's details.

How can I design the app, so that any logged in user can edit/remove his details only if he wishes to do so and can only view others' records?

After logging in he should be directed to his own page, where his details are stored. He can only Update and Delete any of his details there. But can only View the main page where his record will be kept with other records. He should be able to remove or edit others' records.

Thanks,
Pallav

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Robert Walker
2012-Feb-07 21:55 UTC
Re: how to assign edit/remove privileges for only own details and not on others?
Pallav_bfs wrote in post #1044557:
> Hello, I am quite new on rails. Currently making CRUD apps in rails 3.0
> in windows.
> I've used devise [1.1.rc0] for authentication. In those apps any logged
> in user can change other user's details.
>
> How can I design the app, so that any logged in user can edit/remove
> his details only if he wishes to do so and can only view others'
> records.
>
> After logging in he should be directed to his own page, where his
> details are stored. He can only Update and Delete any of his details
> there. But can only View the main page where his record will be kept
> with other records. He should be able to remove or edit others'
> records.

Take a look at one of the authorization frameworks such as CanCan:
https://github.com/ryanb/cancan

--
Posted via http://www.ruby-forum.com/.
Dave Aronson
2012-Feb-09 21:08 UTC
Re: how to assign edit/remove privileges for only own details and not on others?
On Tue, Feb 7, 2012 at 11:15, Pallav_bfs <spallav88-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> How can I design the app, so that any logged in user can edit/remove
> his details only if he wishes to do so and can only view others'
> records.

In addition to using authorization gems like CanCan, you can also do these things yourself. Before each action in each controller, get the current user. Before any action that would modify, or show in such a way as to allow modifying, any records, check if the current user is the owner of those records. If not, redirect to an error page.

Also don't give him any *links* to such things! For instance, on the pages where he can *view* other people's records, don't put an "Edit" link.

-Dave

--
Dave Aronson: Available Cleared Ruby on Rails Freelancer (NoVa/DC/Remote) -- see www.DaveAronson.com, and blogs at www.Codosaur.us, www.Dare2XL.com, www.RecruitingRants.com
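The owner check Dave describes, and the read-anyone/write-only-owner rule Robert would put into a CanCan Ability, as an added example that is not part of any post in this thread and not code from Devise or CanCan: a plain-Ruby policy object that a Rails 3 controller could call from a before_filter. `User`, `Detail`, `OwnershipPolicy`, `authorize` and `edit_link_html` are assumed names; the sample users and record at the bottom are constructed for the demonstration.

```ruby
# Added example, not from the thread. Struct stand-ins for the Devise user and
# the per-user "details" record; in the app these would be ActiveRecord models.
User   = Struct.new(:id, :name)
Detail = Struct.new(:id, :user_id, :body)

# Policy object: anyone logged in may read any record, only the owner may
# edit/update/destroy it, and every other action is denied by default.
class OwnershipPolicy
  READ_ACTIONS  = %i[index show].freeze
  WRITE_ACTIONS = %i[edit update destroy].freeze

  def initialize(current_user, record)
    @current_user = current_user
    @record = record
  end

  def read?
    !@current_user.nil?
  end

  def write?
    !@current_user.nil? && @record.user_id == @current_user.id
  end

  def allows?(action)
    return read?  if READ_ACTIONS.include?(action)
    return write? if WRITE_ACTIONS.include?(action)
    false # unknown action: deny rather than fall through to "allowed"
  end
end

# Models the controller filter: :allow lets the action run, :redirect sends
# the user to an error page, which is what the server must do regardless of
# whether the view ever rendered an Edit link.
def authorize(current_user, record, action)
  OwnershipPolicy.new(current_user, record).allows?(action) ? :allow : :redirect
end

# View helper: render the Edit link only when the same policy would permit
# the edit. Hiding the link is for usability; authorize above is the control.
def edit_link_html(current_user, record)
  return "" unless OwnershipPolicy.new(current_user, record).write?
  %(<a href="/details/#{record.id}/edit">Edit</a>)
end

# How this would be wired in a Rails 3 controller (assumed, not run here):
#   before_filter :authenticate_user!                       # Devise
#   before_filter :load_detail, :authorize_owner!, :only => [:edit, :update, :destroy]
#   def authorize_owner!
#     unless OwnershipPolicy.new(current_user, @detail).write?
#       redirect_to root_path, :alert => "You may only change your own details"
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  alice  = User.new(1, "alice")   # constructed sample users
  bob    = User.new(2, "bob")
  detail = Detail.new(10, 1, "alice's details") # owned by alice
  puts authorize(alice, detail, :update)  # allow
  puts authorize(bob,   detail, :update)  # redirect
  puts authorize(bob,   detail, :show)    # allow
  puts edit_link_html(bob, detail).empty? # true
end
```

Keeping the decision in one policy object means the controller filter and the view helper cannot drift apart, and the deny-by-default branch in `allows?` covers any action added later that nobody remembered to classify.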