Solved

Prevent users from editing other users articles

Posted on 2010-08-12
2
554 Views
Last Modified: 2013-11-13
so i have restful_authentication, currently any logged in user can edit any users article by entering the correct url eg. /articles/18/edit, how do i allow only the user who created the article to edit and update it.
#articles_controller.rb
class ArticlesController < ApplicationController
	before_filter :login_required, :only =>[:new, :edit, :destroy, :create, :update]
	before_filter :tag_cloud
  

  def search
  	@search = params[:search]
  	if @search.blank?
  		redirect_to articles_url
  		else
  	@articles = Article.search params[:search], :page => params[:page], :per_page => 10
  	respond_to do |format|
  		format.html 
      format.xml  { render :xml => @articles }
  			end
  		end				
  end
  

  def index
    @page_title = "NDT Articles"
    @articles = Article.paginate :per_page => 20, :page => params[:page],
    				 :order => "created_at DESC"	 
       respond_to do |format|
      format.html
      format.rss 
    end
  end

  def show
    @page_title = "NDT Articles"
  	if params[:permalink]
    @article = Article.find_by_permalink(params[:permalink])
    raise ActiveRecord::RecordNotFound, "Page not found." if @article.nil?
    respond_to do |format|
      format.html # show.html.erb
      format.xml  { render :xml => @article }
    end
  else
    @article = Article.find(params[:id])
        respond_to do |format|
        format.html # show.html.erb
        format.xml { render :xml => @article }
        
      end
    end
  end 

  def new
    @article = Article.new
    1.upto(3) {@article.assets.build}
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { render :xml => @article }
    end
  end

  def edit
    @article = Article.find(params[:id])
    if @article.assets.first.nil?
        1.upto(3) {@article.assets.build }
    end
  end  
    
    def tag_cloud 
  	    @tags = Article.tag_counts # returns all the tags used 
  	end
  
  def create
	@article = current_user.articles.build params[:article]
    respond_to do |format|
      if @article.save
        flash[:notice] = 'Article was successfully created.'
        format.html { redirect_to(@article) }
        format.xml  { render :xml => @article, :status => :created, :location => @article }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  def update
   params[:asset_ids] ||= []
    @article = Article.find(params[:id])
    unless params[:asset_ids].empty?
    Asset.destroy_pics(params[:id], params[:asset_ids])
  end

    respond_to do |format|
      if @article.update_attributes(params[:article])
        flash[:notice] = 'Article was successfully updated.'
        format.html { redirect_to(@article) }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  
  def destroy
    @article = Article.find(params[:id])
    @article.destroy

    respond_to do |format|
      format.html { redirect_to(articles_url) }
      format.xml  { head :ok }
    end
  end
end

Open in new window

0
Comment
Question by:depassion
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 12

Accepted Solution

by:
cminear earned 500 total points
ID: 33431135
First, Article needs to be associated with User, in order to represent which user is the owner of the article.  (You don't include the code from 'article.rb', so I don't know if you've done this already or not.)

If that's in place, simply add a check of the session's user_id value and compare it with the Article's owner.  See the examples below.  I've just added a redirection to the 'index' action; add the appropriate flash message.  And note that I added the check to both 'edit' and 'update'; you don't want anyone trying to skirt around the 'edit' page and directly updating an article, do you?

I don't see the page which presents the 'edit' links, but you could also add code to those templates to hide the 'edit' link to articles for which they are not the owner.

def edit
    @article = Article.find(params[:id])
    if session[:user_id] == @article.user_id
      if @article.assets.first.nil?
        1.upto(3) {@article.assets.build }
      end
    else
      redirect_to :action => 'index'
    end
  end  
    
...

  def update
   params[:asset_ids] ||= []
    @article = Article.find(params[:id])
    unless session[:user_id] == @article.user_id
      redirect_to :action => 'index'
      return
    end
    unless params[:asset_ids].empty?
    Asset.destroy_pics(params[:id], params[:asset_ids])
  end

    respond_to do |format|
      if @article.update_attributes(params[:article])
        flash[:notice] = 'Article was successfully updated.'
        format.html { redirect_to(@article) }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

Open in new window

0
 

Author Comment

by:depassion
ID: 33435132
thanks, that works, i also added
 || current_user.has_role?('administrator')

to allow the admins ro still edit any article.


def edit
    @article = Article.find(params[:id])
    if session[:user_id] == @article.user_id || current_user.has_role?('administrator')
      if @article.assets.first.nil?
        1.upto(3) {@article.assets.build }
      end
    else
      redirect_to :action => 'index'
      flash[:error] = 'Your not authorized'
    end
  end  

def update
   params[:asset_ids] ||= []
    @article = Article.find(params[:id])
    unless session[:user_id] == @article.user_id || current_user.has_role?('administrator')
      redirect_to :action => 'index'
      flash[:error] = 'Your not authorized'
    end  
    unless params[:asset_ids].empty?
    Asset.destroy_pics(params[:id], params[:asset_ids])
  end

Open in new window

0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently rediscovered rails when I needed a holiday project and decided to build a management dashboard for the company where I work.  With it being a project done in my free time, I could focus my time on learning the basics rather than trying to…
Article by: narshlob
If you've ever programmed in Ruby and have come across either a proc or a lambda, you might have been wondering what the difference is between the two and when you would use one over the other. This article will try to explain the difference between…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question