Prevent users from editing other users' articles

Posted on 2010-08-12
Last Modified: 2013-11-13
So I have restful_authentication. Currently any logged-in user can edit any user's article by entering the correct URL, e.g. /articles/18/edit. How do I allow only the user who created the article to edit and update it?
#articles_controller.rb

class ArticlesController < ApplicationController

  # login_required only checks that someone is signed in; nothing below
  # compares the signed-in user with the article's owner.
  before_filter :login_required, :only => [:new, :edit, :destroy, :create, :update]
  before_filter :tag_cloud

  def search
    @search = params[:search]
    if @search.blank?
      redirect_to articles_url
    else
      @articles = Article.search params[:search], :page => params[:page], :per_page => 10
      respond_to do |format|
        format.html
        format.xml  { render :xml => @articles }
      end
    end
  end

  def index
    @page_title = "NDT Articles"
    @articles = Article.paginate :per_page => 20, :page => params[:page],
                                 :order => "created_at DESC"
    respond_to do |format|
      format.html
      format.rss
    end
  end

  def show
    @page_title = "NDT Articles"
    if params[:permalink]
      @article = Article.find_by_permalink(params[:permalink])
      raise ActiveRecord::RecordNotFound, "Page not found." if @article.nil?
      respond_to do |format|
        format.html # show.html.erb
        format.xml  { render :xml => @article }
      end
    else
      @article = Article.find(params[:id])
      respond_to do |format|
        format.html # show.html.erb
        format.xml  { render :xml => @article }
      end
    end
  end

  def new
    @article = Article.new
    1.upto(3) { @article.assets.build }
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { render :xml => @article }
    end
  end

  def edit
    @article = Article.find(params[:id])
    if @article.assets.first.nil?
      1.upto(3) { @article.assets.build }
    end
  end

  def tag_cloud
    @tags = Article.tag_counts # returns all the tags used
  end

  def create
    @article = current_user.articles.build params[:article]
    respond_to do |format|
      if @article.save
        flash[:notice] = 'Article was successfully created.'
        format.html { redirect_to(@article) }
        format.xml  { render :xml => @article, :status => :created, :location => @article }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  def update
    params[:asset_ids] ||= []
    @article = Article.find(params[:id])
    unless params[:asset_ids].empty?
      Asset.destroy_pics(params[:id], params[:asset_ids])
    end

    respond_to do |format|
      if @article.update_attributes(params[:article])
        flash[:notice] = 'Article was successfully updated.'
        format.html { redirect_to(@article) }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  def destroy
    @article = Article.find(params[:id])
    @article.destroy

    respond_to do |format|
      format.html { redirect_to(articles_url) }
      format.xml  { head :ok }
    end
  end

end

Question by: depassion

Accepted Solution by: cminear
First, Article needs to be associated with User, in order to represent which user is the owner of the article.  (You don't include the code from 'article.rb', so I don't know if you've done this already or not.)

If that's in place, simply add a check of the session's user_id value and compare it with the Article's owner.  See the examples below.  I've just added a redirection to the 'index' action; add the appropriate flash message.  And note that I added the check to both 'edit' and 'update'; you don't want anyone trying to skirt around the 'edit' page and directly updating an article, do you?

I don't see the page which presents the 'edit' links, but you could also add code to those templates to hide the 'edit' link to articles for which they are not the owner.

def edit
  @article = Article.find(params[:id])
  if session[:user_id] == @article.user_id
    if @article.assets.first.nil?
      1.upto(3) { @article.assets.build }
    end
  else
    redirect_to :action => 'index'
  end
end

...

def update
  params[:asset_ids] ||= []
  @article = Article.find(params[:id])
  unless session[:user_id] == @article.user_id
    redirect_to :action => 'index'
    return
  end
  unless params[:asset_ids].empty?
    Asset.destroy_pics(params[:id], params[:asset_ids])
  end

  respond_to do |format|
    if @article.update_attributes(params[:article])
      flash[:notice] = 'Article was successfully updated.'
      format.html { redirect_to(@article) }
      format.xml  { head :ok }
    else
      format.html { render :action => "edit" }
      format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
    end
  end
end

Author Comment by: depassion
Thanks, that works. I also added

 || current_user.has_role?('administrator')

to allow the admins to still edit any article.


def edit
  @article = Article.find(params[:id])
  if session[:user_id] == @article.user_id || current_user.has_role?('administrator')
    if @article.assets.first.nil?
      1.upto(3) { @article.assets.build }
    end
  else
    redirect_to :action => 'index'
    flash[:error] = "You're not authorized"
  end
end

def update
  params[:asset_ids] ||= []
  @article = Article.find(params[:id])
  unless session[:user_id] == @article.user_id || current_user.has_role?('administrator')
    redirect_to :action => 'index'
    flash[:error] = "You're not authorized"
    # without this return the code below still runs for an unauthorized user
    # (the accepted solution has it), so the record would be changed and a
    # second render/redirect would be attempted
    return
  end
  unless params[:asset_ids].empty?
    Asset.destroy_pics(params[:id], params[:asset_ids])
  end
  # remainder of update (the respond_to block) unchanged from the accepted solution

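As an added example that is not part of the question or either reply: a plain-Ruby model of the ownership rule from the accepted solution together with the administrator extension from the author's comment, written so it runs without Rails. It shows the point both replies rely on, that the check must run before any write (the Asset.destroy_pics call and update_attributes) and must end the action when it fails, and it applies the same rule to destroy, which in the posted controller is guarded only by login_required. The names has_role?, user_id and 'administrator' are taken from the thread; the Struct classes, the in-memory store, and the owner_or_admin?, guard, update_article and destroy_article helpers are assumptions for this demo.

```ruby
# Added example (not code from the question or the replies): the ownership
# check from the thread, modelled in plain Ruby so it runs offline.

# Constructed stand-ins for the User and Article models.
User = Struct.new(:id, :roles) do
  def has_role?(name)   # same name as the helper used in the author's comment
    roles.include?(name)
  end
end

Article = Struct.new(:id, :user_id, :title)

# One central rule, shared by every action that changes an article, so the
# check cannot drift between 'edit', 'update' and 'destroy'.
# (Hypothetical helper name.)
def owner_or_admin?(current_user, article)
  return false if current_user.nil? || article.nil?
  article.user_id == current_user.id || current_user.has_role?('administrator')
end

# Returns nil when the action may proceed, or the response that should be
# sent instead. Mirrors the "redirect and return" ordering from the accepted
# solution; an unknown id is a 404, not a silent redirect. (Hypothetical helper.)
def guard(current_user, article)
  return { status: 404 } if article.nil?
  return nil if owner_or_admin?(current_user, article)
  { status: 302, location: '/articles', flash: { error: "You're not authorized" } }
end

# Stand-in for the update action: returns a response hash instead of rendering
# and only touches the record after the guard has passed.
def update_article(store, current_user, id, attrs)
  article = store[id]
  denied = guard(current_user, article)
  return denied if denied
  article.title = attrs[:title] if attrs.key?(:title)
  { status: 302, location: "/articles/#{id}",
    flash: { notice: 'Article was successfully updated.' } }
end

# Stand-in for the destroy action, using the same guard. In the posted
# controller this action has no ownership check at all.
def destroy_article(store, current_user, id)
  article = store[id]
  denied = guard(current_user, article)
  return denied if denied
  store.delete(id)
  { status: 302, location: '/articles', flash: {} }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: article 18 belongs to user 1.
  store = { 18 => Article.new(18, 1, 'original title') }
  owner = User.new(1, [])
  other = User.new(2, [])
  admin = User.new(3, ['administrator'])

  p update_article(store, other, 18, { title: 'hijacked' })   # redirect, no change
  p store[18].title                                          # "original title"
  p update_article(store, owner, 18, { title: 'mine' })       # success notice
  p update_article(store, admin, 18, { title: 'admin edit' }) # admins may edit
  p destroy_article(store, other, 18)                        # redirect, kept
  p destroy_article(store, owner, 18)                        # deleted
  p store.key?(18)                                           # false
end
```

The guard returns a response rather than calling redirect_to directly so that the caller has nothing to do except return it; in the real controller that is the `redirect_to ...; return` pair the accepted solution places at the top of update, before Asset.destroy_pics runs.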