Hi All,

I want to handle the id parameter for a social networking site.

For example: if the user logs in to the site having id=1, he can show his profile as

http://localhost:3000/users/1
http://localhost:3000/users/1/edit for editing

The scenario is that the logged-in user having id=1 is able to see and edit the profile details of another user, say id=2, just by changing the URL:

http://localhost:3000/users/2
http://localhost:3000/users/2/edit for editing

Continuing, the same user having id=1 is also able to copy and paste any URL of user id=2, but some URLs must only be accessible by user id=2.

Problem: one user must not be able to access another user's details. Please let me know how to handle URL parameters.

Thanks in advance,
Saurabh
-- Posted via http://www.ruby-forum.com/.
Saurabh Peshkar wrote:
> Hi All,
>
> I want to handle the id parameter for a social networking site.
>
> For example: if the user logs in to the site having id=1, he can show his profile as
>
> http://localhost:3000/users/1
> http://localhost:3000/users/1/edit for editing
>
> The scenario is that the logged-in user having id=1 is able to see and edit the profile details of another user, say id=2, just by changing the URL:
>
> http://localhost:3000/users/2
> http://localhost:3000/users/2/edit for editing
>
> Continuing, the same user having id=1 is also able to copy and paste any URL of user id=2, but some URLs must only be accessible by user id=2.
>
> Problem: one user must not be able to access another user's details. Please let me know how to handle URL parameters.
>
> Thanks in advance,
> Saurabh

Assuming you have a current_user method, or something similar:

  # in users controller
  before_filter :user_is_current_user

  # Compare the id in the URL (a string, so convert it) with the logged-in user's id.
  def user_is_current_user
    redirect_to :action => "index" unless current_user.id == params[:id].to_i
  end

Something like that anyway. This will make it so that a user can only be edited, created, updated or viewed by themselves. If you wanted to change it so that admin users could edit others' details, you could change it like

  def user_is_current_user
    redirect_to :action => "index" unless current_user.admin? || current_user.id == params[:id].to_i
  end
Thanks Max,

Do you have any idea about URL hiding?

Example:

My current URL: http://localhost:3000/users/buying_history

I want to display it as http://localhost:3000/# or make it uneditable.

Thanks
Saurabh
Saurabh Peshkar wrote:
> Thanks Max,
>
> Do you have any idea about URL hiding?
>
> Example:
>
> My current URL: http://localhost:3000/users/buying_history
>
> I want to display it as http://localhost:3000/# or make it uneditable.
>
> Thanks
> Saurabh

I don't know how you could do this; best post in a new thread, I think, since it's a different question.
On Oct 27, 10:39 am, Saurabh Peshkar <rails-mailing-l...@andreas-s.net> wrote:
> Thanks Max,
>
> Do you have any idea about URL hiding?
>
> Example:
>
> My current URL: http://localhost:3000/users/buying_history
>
> I want to display it as http://localhost:3000/# or make it uneditable.

Don't do this. You're going to have to put the path someplace, and sufficiently determined attackers will mess with that place, wherever it is. The better approach is to design your app so that users can't do things they aren't supposed to, URL trickery aside.

--Matt Jones
Why? Make sure users know where they are. URL trickery is not a smart way.

On Oct 27, 10:39 pm, Saurabh Peshkar <rails-mailing-l...@andreas-s.net> wrote:
> Thanks Max,
>
> Do you have any idea about URL hiding?
>
> Example:
>
> My current URL: http://localhost:3000/users/buying_history
>
> I want to display it as http://localhost:3000/# or make it uneditable.
>
> Thanks
> Saurabh
> # in users controller
> before_filter :user_is_current_user
>
> def user_is_current_user
>   redirect_to :action => "index" unless current_user.id == params[:id].to_i
> end

Actually, a correction: I just noticed that I made this redirect to somewhere that is blocked, so it will go into an infinite loop. Just change the redirect to somewhere people can get to, like the home page for example.

  # Redirect to a path the filter itself does not protect, so the redirect cannot loop.
  def user_is_current_user
    redirect_to "/" unless current_user.id == params[:id].to_i
  end