I am currently trying to create private user profiles using the Devise gem. So far I have the sign up, login, sign out and edit profile functionality working. The problem is that when a user signs in he is able to see all other users by typing into the URL users/[username]. I am relatively new to Rails so I am still figuring out how to work with sessions.
So the question is how do I limit a user's access to parts of a site that are specific to other users? And even better, is this easily done with the Devise gem?
In other words, if I sign in as user john, I should be able to see the site /users/john (which is my profile) but not see the site /user/greg.
Thanks
Devise will not do this, but CanCan will, as someone mentioned. CanCan may be a little heavy for a beginner just to do what you are trying to do. All you need to do is add a before_filter that checks who the user is.
For example:
class UserProfilesController < ApplicationController
  # Devise: require a signed-in user so current_user is never nil below
  before_filter :authenticate_user!
  before_filter :verify_owner

  def show
    @user_profile = current_user.user_profile
    # or maybe this way, not sure how you have your relations set up
    # @user_profile = UserProfile.where(:user => current_user)
  end

  private

  def verify_owner
    # assume the route looks like this /user/:username
    redirect_to root_url unless current_user.username == params[:username]
  end
end
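The ownership check from the answer above, modelled in plain Ruby so it runs without Rails (an added example, not code from the original answer). `User`, `Profile`, `ProfileGate`, the sample data and the `/users/sign_in` redirect target are assumptions made for illustration.

```ruby
# Added example: plain-Ruby model of the verify_owner check (no Rails needed).
# User, Profile, ProfileGate and all sample data are constructed for illustration.
User    = Struct.new(:id, :username)
Profile = Struct.new(:user_id, :bio)

class ProfileGate
  def initialize(profiles)
    @profiles = profiles
  end

  # current_user: the signed-in user from the session, or nil.
  # username_param: the untrusted :username segment of /users/:username.
  def show(current_user, username_param)
    # Not signed in: send to login instead of calling methods on nil.
    return [:redirect, "/users/sign_in"] if current_user.nil?
    # Deny unless the route names the signed-in user.
    return [:redirect, "/"] unless owner?(current_user, username_param)
    # Load the record through the session identity, never through the param.
    [:ok, @profiles.find { |p| p.user_id == current_user.id }]
  end

  private

  def owner?(user, username_param)
    # Rails params can be a String, Array or Hash; only an exact String match passes.
    username_param.is_a?(String) && username_param == user.username
  end
end

JOHN = User.new(1, "john")
GREG = User.new(2, "greg")
GATE = ProfileGate.new([Profile.new(1, "john's bio"), Profile.new(2, "greg's bio")])

if __FILE__ == $PROGRAM_NAME
  p GATE.show(JOHN, "john")  # own profile
  p GATE.show(JOHN, "greg")  # someone else's profile
  p GATE.show(nil, "john")   # not signed in
end
```

The same three cases (owner, other user, signed-out visitor) are the ones worth covering in a controller test for the real `UserProfilesController`.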
Use CanCan to help for authorization. Devise + CanCan nothing else!
There is a great RailsCast on CanCan to get started with.