Home/ Questions/Q 8971759
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T18:02:31+00:00

I have this current before filter in my users_controller before_filter :authenticate_usergroup, :except => [:edit,

  • 0

I have this current before filter in my users_controller

before_filter :authenticate_usergroup, :except => [:edit, :update, :show]

It works great for just allowing a user to edit their information but not being able to see all the users, but i’v found that by just changing their ‘id’ in the url they could also edit other users information.

How can i only allow :edit, :show and :update functions to the current user for their own record. i have this method in my application_controller to be able to access the current user

def current_user
 return unless session[:user_id]
 @current_user ||= User.find_by_id(session[:user_id])
end

#update from users_controller.rb
def update
@user = User.find(params[:id])

respond_to do |format|
  if @user.update_attributes(params[:user])
    format.html { redirect_to @user, :notice => 'User was successfully updated.' }
    format.json { head :no_content }
  else
    format.html { render :action => "edit" }
    format.json { render :json => @user.errors, :status => :unprocessable_entity }
  end
end
end
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    if you “scope” that only the current_user can access their information, then it doesn’t matter.

    so in show and edit

    @user = current_user

    in update action something like
    current_user.update_attributes(params[:user])
    should do the trick.

    • 0