I am currently doing a project for uploading pics. There are users, albums, and pics. I added a friendship model so that people can friend each other like a social network. However, I noticed that I put a lot of <% if current_user.friends.include?(@user) %> in the view to check if the user of the page I'm showing is a friend of the logged-in client, and therefore allowing them to have certain privileges and forms, etc. Is there a better way or place to do this than to pollute my views with if/else statements? Also, I don't feel like my method is very secure, since someone could always manually enter the URL and mess with info that they're not supposed to.
You want an authorization framework such as CanCan.
In an ability file, you configure it so that a user can, say, view something or edit some other thing only if the user is a friend of the owner. Then in the view or the controller, you can just check that the user is authorized to do the appropriate action.

For specific details about setting up an ability based on details of the models (i.e. whether the owner is a friend of the current user), go to this documentation and look for "Hash of Conditions".
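The pattern the answer describes, as an added example that is not part of the original question or answer and is not the CanCan gem itself: a small plain-Ruby stand-in for an ability class with "hash of conditions" rules, so it runs without Rails or any gem. The model names (User, Album), the friend_ids relation and the album attributes are assumptions. It shows the two points the asker cares about: the friendship logic lives in one rule table instead of in every view, and the same object gives the controller an authorize! call that rejects a hand-typed URL rather than trusting the view to hide a form.

```ruby
# Added example: a plain-Ruby stand-in for an Ability class, not the CanCan
# gem. Models are constructed Structs standing in for ActiveRecord models.
User  = Struct.new(:id, :friend_ids)          # friend_ids: assumed relation
Album = Struct.new(:id, :user_id, :public)    # user_id = owner's id

class Ability
  AccessDenied = Class.new(StandardError)
  Rule = Struct.new(:action, :subject, :conditions)

  def initialize(user)
    @user  = user
    @rules = []
    define_rules
  end

  # The single place where "who may do what" is decided. Views and
  # controllers only ask can?/authorize!, they never test friendship directly.
  def define_rules
    # anyone may read a public album
    can :read, Album, public: true
    # friends of the owner may read that owner's albums (array => "one of")
    can :read, Album, user_id: @user.friend_ids
    # only the owner may do everything (:manage matches any action)
    can :manage, Album, user_id: @user.id
  end

  # Register a rule: action, model class, and a hash of attribute conditions.
  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # True if any rule grants `action` on this particular record.
  def can?(action, record)
    @rules.any? do |rule|
      rule.subject == record.class &&
        (rule.action == :manage || rule.action == action) &&
        conditions_match?(rule.conditions, record)
    end
  end

  # Controller-side enforcement: raising here stops a request that reached a
  # URL the view never linked to. A real app rescues this to render 403.
  def authorize!(action, record)
    raise AccessDenied, "cannot #{action} #{record.class}" unless can?(action, record)
    true
  end

  private

  # Every key in the hash must match the record's attribute; an Enumerable
  # value (such as a list of friend ids) matches if it includes the attribute.
  def conditions_match?(conditions, record)
    conditions.all? do |attr, expected|
      actual = record.public_send(attr)
      expected.is_a?(Enumerable) ? expected.include?(actual) : expected == actual
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: alice and bob are friends, carol is a stranger.
  alice = User.new(1, [2])
  bob   = User.new(2, [1])
  carol = User.new(3, [])
  bobs_private   = Album.new(10, bob.id, false)
  carols_private = Album.new(12, carol.id, false)

  ability = Ability.new(alice)
  puts "alice reads bob's private album:   #{ability.can?(:read, bobs_private)}"
  puts "alice reads carol's private album: #{ability.can?(:read, carols_private)}"
  puts "alice edits bob's private album:   #{ability.can?(:update, bobs_private)}"
end
```

In a view the check becomes a single `can?(:update, @album)` around the edit form, and the matching controller action calls `authorize!(:update, @album)` before touching anything, so guessing the URL fails even when the form was never rendered.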