How do I stop users from editing other users' posts in OmniAuth (Rails)
I have a network where people can write posts, and they have their personal feed of their own posts, and the network feed of everyone's.
The problem is, any OmniAuth'ed user can edit another user's post by typing /edit or /delete into the URL.
Cannot have this for a live site!
Does anyone have a quick answer to how this can be blocked? I have:
before_filter :authenticate_user!, :except => [:index, :show]
but I can't figure out how to lock edit down to the user who created the post without getting errors.
Model - user.rb
class User < ActiveRecord::Base
  has_many :posts
end

Model - post.rb
class Post < ActiveRecord::Base
  belongs_to :user
end
Let me know if you want to see more- thanks for the help! -D
If I read you correctly, your users are authenticated via OmniAuth, but now you're looking for a way to 'Authorize' them for specific resources/actions based on permissions or ownership.
The most popular gem for authorization of resources/actions for users, groups, roles, and in-between is CanCan.
There is also a RailsCasts video that helped me understand how to apply the gem in my applications.
Once you know how to write abilities in CanCan, take a look here for an ability that solves your original question on post editing based on the parent user.
If you have developed your application from scratch without the CanCan gem, then use this method:

def logged_in_user
  # current_user? is a helper you define yourself (it compares the given user
  # to current_user); it is not part of Devise or OmniAuth.
  # @model is the Post being edited and must already be loaded by an earlier
  # before_action, otherwise @model.user raises NoMethodError on nil.
  unless current_user?(@model.user)
    # Not logged in as the owner of the post
    flash[:danger] = "You do not have authorization to edit this post"
    redirect_to login_url
  end
end
and make sure your before_action is set (the Rails action behind a DELETE request is destroy, not delete):

before_action :logged_in_user, only: [:edit, :update, :destroy]
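The point both answers make is that authentication (OmniAuth/Devise knowing who you are) is not authorization (whether you may touch this particular Post). The following is an added example, not code from the question or from either answer. It is framework-free Ruby so it runs stand-alone, and it models the two ways a Rails PostsController can enforce ownership on edit, update and destroy: load the record and compare its user_id to the session user (what the second answer does), or scope the lookup to the caller's own posts, the equivalent of current_user.posts.find(params[:id]), so a foreign id is simply not found. PostsController, current_user and the in-memory tables are assumed stand-ins for the Rails and ActiveRecord objects of the original app; the result symbols stand for the HTTP status the controller would render instead of the answer's redirect to login_url.

```ruby
# Added example (not from the question or answers): ownership checks for a
# PostsController, modelled without Rails so it runs on plain Ruby.
User = Struct.new(:id, :name)
Post = Struct.new(:id, :user_id, :body)

# Constructed sample data: two users, one post each (user_id is the foreign key).
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }.freeze

def fresh_posts
  { 10 => Post.new(10, 1, "alice's post"), 20 => Post.new(20, 2, "bob's post") }
end

# Stand-in for the Rails controller. In the real app current_user is set by
# authenticate_user! and the checks below live in before_action callbacks.
class PostsController
  attr_reader :current_user, :posts

  def initialize(current_user, posts = fresh_posts)
    @current_user = current_user
    @posts = posts
  end

  # Pattern 1: load the post, then refuse unless the caller owns it.
  # :not_found => 404, :forbidden => 403 (render these rather than redirecting
  # an already authenticated user back to the login page).
  def update(post_id, new_body)
    post = posts[post_id]
    return :not_found unless post
    return :forbidden unless owner?(post)
    post.body = new_body
    :updated
  end

  # destroy must get exactly the same check as edit/update; leaving it out of
  # the before_action list is how the "delete on the URL" hole stays open.
  def destroy(post_id)
    post = posts[post_id]
    return :not_found unless post
    return :forbidden unless owner?(post)
    posts.delete(post_id)
    :destroyed
  end

  # Pattern 2: scope the lookup to the caller's own posts, the equivalent of
  # current_user.posts.find(params[:id]). A foreign id is never found, so the
  # response does not even confirm that another user's post exists.
  def update_scoped(post_id, new_body)
    post = posts.values.find { |p| p.user_id == current_user.id && p.id == post_id }
    return :not_found unless post
    post.body = new_body
    :updated
  end

  private

  # The ownership test: compare the post's foreign key to the session user.
  def owner?(post)
    post.user_id == current_user.id
  end
end
```

Pattern 2 is the one to prefer for a single-owner resource such as a personal feed: it needs no separate owner comparison that can be forgotten on a new action, and it returns the same 404 for "not yours" and "does not exist". Pattern 1 is what CanCan's `can :manage, Post, user_id: user.id` ability compiles down to when you do need a distinct 403.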