Following Hartl’s Railstutorial on Chapter 10 where we protect user edit pages so that users can only edit their info. http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users#sec:protecting_pages
Is there a way to deny access to a user’s home page (http://localhost:3000/users/1) if the user ID does not match the ID from the page being accessed or if the user is not signed in? Essentially, this only allows the user to view the page if his id matches the user page’s id.
The tutorial already defines a `correct_user` before_filter which checks if the currently logged-in user is equal to the user found from `params[:id]`. You're already using it to make sure the user can only edit/update his or her info.

```ruby
before_filter :correct_user, :only => [:edit, :update]
```

All you have to do is add that filter to the `show` action:

```ruby
before_filter :correct_user, :only => [:show, :edit, :update]
```

edit: I forgot to add that

```ruby
@user = User.find(params[:id])
```

is no longer needed in the `show` action since it'll be set by the before filter.
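To see the whole filter chain working, here is an added example (not code from the tutorial or from the answer above) that models the controller without Rails. The `MiniController` base class, the `USERS` hash standing in for `User.find`, the `request` helper and the sample users are stand-ins constructed for this example; `signed_in_user`, `correct_user`, `signed_in?` and `current_user?` follow the helpers the tutorial's chapter 10 defines. It also covers the "not signed in" half of the question by adding `:show` to the `signed_in_user` filter, which must run before `correct_user` so an anonymous visitor is sent to sign in rather than to the root page.

```ruby
# Minimal stand-in for a User model and for User.find: an in-memory table
# of constructed sample users (not real data).
User = Struct.new(:id, :name)
USERS = {
  1 => User.new(1, "alice"),
  2 => User.new(2, "bob"),
}

# Tiny, Rails-free stand-in for the before_filter machinery: filters are
# recorded per controller class and run in declaration order; a redirect
# from a filter halts the chain and the action never runs.
class MiniController
  def self.before_filter(name, options = {})
    (@filters ||= []) << [name, options[:only]]
  end

  def self.filters
    @filters || []
  end

  attr_reader :params, :redirected_to

  def initialize(params, current_user)
    @params = params
    @current_user = current_user
    @redirected_to = nil
  end

  # Run every filter declared for +action+, then the action itself unless
  # one of the filters already redirected. Returns either the redirect
  # target or the action's result.
  def dispatch(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return @redirected_to if @redirected_to
    end
    send(action)
  end

  def redirect_to(path)
    @redirected_to = path
  end

  # Session helpers as in the tutorial's SessionsHelper, stubbed here.
  def current_user;        @current_user;           end
  def signed_in?;          !@current_user.nil?;     end
  def current_user?(user); user == current_user;    end
end

class UsersController < MiniController
  # Order matters: signed_in_user runs first, so an anonymous request is
  # redirected to sign-in before correct_user ever looks at the record.
  before_filter :signed_in_user, :only => [:show, :edit, :update]
  before_filter :correct_user,   :only => [:show, :edit, :update]

  # @user is already loaded by correct_user, so no User.find here.
  def show;   "show #{@user.name}";   end
  def edit;   "edit #{@user.name}";   end
  def update; "update #{@user.name}"; end

  private

  def signed_in_user
    redirect_to "/signin" unless signed_in?
  end

  def correct_user
    # USERS.fetch stands in for User.find(params[:id]); an unknown id
    # raises KeyError here, as find would raise RecordNotFound in Rails.
    @user = USERS.fetch(params[:id])
    redirect_to "/" unless current_user?(@user)
  end
end

# Drive one request as +user+ (nil for an anonymous visitor) against
# /users/:id and return the redirect target or the action's output.
def request(action, id, user)
  UsersController.new({ :id => id }, user).dispatch(action)
end
```

Running `request(:show, 2, USERS[1])` returns `"/"` (alice is redirected away from bob's page) and `request(:show, 1, nil)` returns `"/signin"`, while `request(:show, 1, USERS[1])` reaches the action. Note that in Rails 4 and later `before_filter` was renamed `before_action`; the idea is the same.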