Home/ Questions/Q 8020763
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T21:46:53+00:00

I have set up a test applications and have setup devise to take care

  • 0

I have set up a test applications and have setup devise to take care of the authentication, additionally I have set up a component where they are sent to a create profile page after registration which works well.

The problem I have is when a logged in user goes to edit they’re profile it is easy for then to change the query string and access another users data – 

http://localhost:3000/profiles/1/edit

the question i have is how do I lock this down to the current user so that can only edit they’re data?

Robbie

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would go for a before_filter.

    # in profiles controller
class ProfilesController < ApplicationController

  before_filter :find_profile
  before_filter :check_if_authorized 

  def find_profile
    @profile = Profile.find(params[:id])
  end

  def check_if_authorized
    render :status => 404 and return unless current_user == @profile.user
  end

end

    Assumptions:

    • devise model is named User
    • user has one profile
    • you’re already checking if a user is logged in
    • 0