How do I stop users from editing other user posts in Omniauth (rails)

I have a network where people can write posts, and they have their personal feed of their own posts, and the network feed of everyone's.

The problem is, any omniauth'ed user can edit another user by typing in /edit or delete on the URL.

Cannot have this for a live site!

Does anyone have a quick answer to how this can be blocked? I have:

before_filter :authenticate_user!, :except => [:index, :show]

but I can't figure out without errors how to lock down edit to the user who created the post.

Model- user.rb

class User
  has_many :posts
end

Model - post.rb

class Post
  belongs_to :user
end

Let me know if you want to see more- thanks for the help! -D

Answers


If I read you correctly, your users are authenticated via OmniAuth, but now you're looking for a way to 'Authorize' them for specific resources/actions based on permissions or ownership.

The most popular gem for authorization of resources/actions for users, groups, roles, and in-between is CanCan.

Can, can you do the CanCan?

There is also a railscast video that helped me understand the application of the gem in my applications.

Once you know how to write abilities in CanCan, take a look here for an ability that solves your original question on post editing based on the parent user.


If you have developed your application from scratch without the CanCan Gem then use this method

def logged_in_user
   unless current_user?(@model.user)
     flash[:danger] = "You do not have authorization to edit this post" #if not logged in as the owner of the post
     redirect_to login_url
   end
  end

and make sure you have your before action set

before_action :logged_in_user, only: [:edit, :update, :delete]


Need Your Help

Verification Process of Paypal transactions

android paypal

I have integrated PayPal SDK in my android app and done transaction successfully in sandbox environment.Now the second step mentioned in docs is verification . I tried to hit rest Api with payment...