ruby on rails - RoR help protecting my CRUD links in the views -

-

i have 4 models: 

class country < activerecord::base   has_many :postcards end  class postcard < activerecord::base   belongs_to :country   has_many :photos   has_many :tips end  class photos < activerecord::base   belongs_to :postcard end  class tips < activerecord::base   belongs_to :postcard end

the routes nested this: 

rails.application.routes.draw     resources :countrys     resources :postcards        resources :photos, :tips     end   end end

i followed crud architecture , working fine, controllers working. used private / country_params create , update controllers method. but....

now realise if deploy app, can click links in views create/edit/destroy database.

what "good practice" solution limit access?

  1. building user model me , take admin-right ?
  2. creating new set of view without crud access ?(is possible?)
  3. using admin gem (railsadmin or activeadmin) ?

to limit content on application accessed you, must implement simple authentication (who can see what) , authorization (what can see).

follow steps in tutorial implement simple authentication user model. when creating user model want add role field.

https://gist.github.com/thebucknerlife/10090014

this role field should validated such can role array of role types. include array of roles in user model , validate role of user in array. 

roles = [['admin', :admin], ['guest',:guest]]   validates :role, inclusion: { in: %w[admin guest] }

once have authentication in place (with login/sign views), can work on implementing authorization. use cancancan gem.

https://github.com/cancancommunity/cancancan

you want give access "admin" users, can define "abilities" of each user role type using gem. example: 

class ability   include cancan::ability    def initialize(user)     user ||= user.new # guest user (not logged in)     if user.admin?       can :manage, :all  # can action on objects     else       can :read, :all  # can read things can't edit them     end   end end

this give admin users rights in app, guest users read information. see cancancan docs more ways define abilities.

now, because have set abilities different roles, in controller can limit access functionality. can limit users sees. 

<% if can? :update, @item %>   <%= link_to "edit", edit_article_path(@article) %>  <% end %>

this code show "edit" button if user allowed edit item based on abilities have defined.


Comments

Post a Comment

Popular posts from this blog

android - Gradle sync Error:Configuration with name 'default' not found -

-
i want add external library guillotinemenu-android in application. followed steps given in upvoted answer existing question how add library project android studio? facing error when try build project after step 6 i.e. when added dependency in app/build.gradle compile project(":guillotinemenu") . tried stackoverflow links related error not working out. have made folder named libs in app directory , copied project folder guillotine menu there. here build.gradle(module:app) file apply plugin: 'com.android.application' android { compilesdkversion 22 buildtoolsversion "22.0.1" defaultconfig { applicationid "com.sunshine.bbreaker.appet_i" minsdkversion 14 targetsdkversion 22 versioncode 1 versionname "1.0" } buildtypes { release { minifyenabled false proguardfiles getdefaultproguardfile('proguard-android.txt'), 'proguard-rules.p
Read more

java - Andrioid studio start fail: Fatal error initializing 'null' -

-
i don't know happened android studio,when start ,it shows me error message below. , try uninstall/reinstall it,but doesn't work.who can me!!! internal error. please report https://code.google.com/p/android/issues java.lang.runtimeexception: com.intellij.ide.plugins.pluginmanager$startupabortedexception: fatal error initializing 'null' @ com.intellij.idea.ideaapplication.run(ideaapplication.java:178) @ com.intellij.idea.mainimpl$1$1$1.run(mainimpl.java:52) @ java.awt.event.invocationevent.dispatch(invocationevent.java:209) @ java.awt.eventqueue.dispatcheventimpl(eventqueue.java:715) @ java.awt.eventqueue.access$400(eventqueue.java:82) @ java.awt.eventqueue$2.run(eventqueue.java:676) @ java.awt.eventqueue$2.run(eventqueue.java:674) @ java.security.accesscontroller.doprivileged(native method) @ java.security.accesscontrolcontext$1.dointersectionprivilege(accesscontrolcontext.java:86) @ java.awt.eventqueue.dispatchevent(eventqu
Read more

html - jQuery UI Sortable - Remove placeholder after item is dropped -

-
i'm trying nested sortable , i'm kind'a succeeding, there's 1 small little inconvenience bugs me. i want placeholder disappear after i've dropped dragged item (on mouseup) , can't quite figure out how it. i want because when sort downwards, deletion of placeholder affects parent's height, in turn creates small bug, check jsfiddle here. html <div class="container"> <h1>menu</h1> <ul class="list-group striped nest"> <li class="list-group-item">home <ul class="list-group striped nest"></ul></li> <li class="list-group-item">about <ul class="list-group striped nest"></ul></li> <li class="list-group-item"> services <ul class="list-group striped nest"> <li class="list-group-item">design <ul class=
Read more