我正在研究审查申请。在这个应用程序中,用户可以发布他们自己的项目和其他用户审查它。但是当其他用户尝试编辑自己的评论时,我遇到了这个错误。编辑项目只允许项目所有者。但是编辑评论应该允许编写评论的用户。
如何划分此身份验证?
/controllers/projects_controller.rb
class ProjectsController < ApplicationController
before_action :signed_in_user, only: [:new, :create, :edit, :update, :destroy]
before_action :set_project, only: [:show, :edit, :update]
before_action :correct_user, only: [:edit, :update]
def edit
end
def update
@project.attributes = create_params
if @project.save
redirect_to @project
else
render edit_project_path(id: @project.id)
end
end
private
def signed_in_user
unless user_signed_in?
redirect_to root_path
end
end
def set_project
@project = Project.find_by_id(params[:id])
end
def correct_user
unless current_user.projects.include?(@user)
redirect_to root_path
end
end
end
/controllers/reviews_controller.rb
class ReviewsController < ApplicationController
before_action :set_projectct, only: [:new, :create, :edit, :update]
before_action :set_review, only: [:edit, :update, :destroy]
before_action :correct_user, only: [:edit, :update]
def edit
end
def update
@review.attributes = create_params
if @reviews.save
redirect_to prokect_path(id: @review.project_id)
else
redirect_to project_path(id: @review.project_id)
end
end
def set_project
@project = Project.find_by_id(params[:project_id])
end
def set_review
@review = Review.find_by_id(params[:id])
end
def correct_user
unless current_user.review.include?(@review)
redirect_to root_path
end
end
end
routes.rb
resources :projects do
resources :reviews
end
如果您想验证用户是否已撰写评论,为什么不这样比较:
@review.user == current_user
顺便说一下,这是授权验证,因此如果用户无权编辑评论,则应返回403(禁止)而不是重定向。
像专家或cancancan这样的宝石可以帮助你做到这一点