The before_action :set_rotum is where you want to put the access control.
Despite what I said earlier, you don't actually need cancan, but as an
alternative to this implementation you can use something like cancan for access
control.
In your example, you would do something like this (obviously this example
assumes you have the rotem object belonging to the user object)
  def set_rotem
    # find_by returns nil when the id is missing or belongs to another user;
    # find would raise ActiveRecord::RecordNotFound instead, so the nil check
    # below would never be reached.
    @rotem = current_user.rotems.find_by(id: params[:id])
    if @rotem.nil?
      render :html => "Not authorized", :status => 401
    end
  end
or something like this:
  def set_rotem
    # Unscoped lookup (RecordNotFound, i.e. a 404, if the id does not exist),
    # then an explicit ownership check before the action body runs.
    @rotem = Rotem.find(params[:id])
    if @rotem.user != current_user
      render :html => "Not authorized", :status => 401
    end
  end
-Jason
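The ownership check from the reply above, as an added example that is not Jason's or the original poster's code: a self-contained Ruby stand-in (no Rails) for the controller, the User and Rotum records, params and render, so both set_rotum variants can be run side by side. It assumes a simplified callback chain in which a before_action that renders halts the request, which is how Rails treats a before_action that renders or redirects; the users and rota are constructed sample data.

```ruby
# Added example, not code from the thread. Stand-ins for the Rails pieces
# involved so the two authorization variants can be exercised offline.
User  = Struct.new(:id, :name)
Rotum = Struct.new(:id, :name, :user)

# Constructed sample data: two users, each owning one rotum.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
ROTA  = [Rotum.new(10, "Alice's rota", ALICE), Rotum.new(20, "Bob's rota", BOB)]

class RotaController
  attr_reader :status, :body, :rotum

  # params[:id] is a string, as it would be in a real request.
  def initialize(current_user, params)
    @current_user = current_user
    @params = params
    @status = nil
    @body = nil
  end

  # Simplified render: records the response and marks the request as performed.
  def render(html:, status:)
    @body = html
    @status = status
  end

  def performed?
    !@status.nil?
  end

  def show
    render(html: "Showing #{@rotum.name}", status: 200)
  end

  # Mimics the Rails callback chain (assumption: one before_action, then the
  # action). A before_action that renders halts the chain, so the action body
  # never runs for an unauthorized request.
  def dispatch(before_action, action)
    send(before_action)
    send(action) unless performed?
    self
  end

  private

  # Variant 1 from the reply: look the record up through the owner's own
  # records. Like ActiveRecord's find_by (not find, which raises), this returns
  # nil for both a foreign id and a nonexistent id, so the response is the same
  # 401 either way and does not reveal whether the record exists.
  def set_rotum_scoped
    id = @params[:id].to_i
    @rotum = ROTA.find { |r| r.user == @current_user && r.id == id }
    render(html: "Not authorized", status: 401) if @rotum.nil?
  end

  # Variant 2 from the reply: unscoped lookup, then an explicit ownership
  # comparison. The 404 branch stands in for the RecordNotFound that
  # Rotum.find would raise for a missing id (assumption about the mapping).
  def set_rotum_compare
    id = @params[:id].to_i
    @rotum = ROTA.find { |r| r.id == id }
    if @rotum.nil?
      render(html: "Not found", status: 404)
    elsif @rotum.user != @current_user
      render(html: "Not authorized", status: 401)
    end
  end
end

if __FILE__ == $0
  [[ALICE, "10"], [BOB, "10"], [BOB, "999"]].each do |user, id|
    %i[set_rotum_scoped set_rotum_compare].each do |variant|
      c = RotaController.new(user, { id: id }).dispatch(variant, :show)
      puts "#{user.name} id=#{id} #{variant}: #{c.status} #{c.body}"
    end
  end
end
```

Run as a plain Ruby script; no gems are needed. Note that the scoped variant answers 401 for a foreign id and for a nonexistent id alike, while the compare variant distinguishes the two; both keep the show body from executing on an unauthorized request because the before_action has already rendered.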
On Oct 6, 2014, at 1:03 PM, Mohammed Rashid <[email protected]> wrote:
> Jason Fb wrote in post #1159167:
>> What does the controller look like?
>
> class RotaController < ApplicationController
>   before_filter :authenticate_user!, except: ( :Welcome)
>   before_action :set_rotum, only: [:show, :edit, :update, :destroy]
>
>   # GET /rota
>   # GET /rota.json
>   def index
>     @rota = Rotum.all
>     @is_admin = current_user.try(:admin?)
>   end
>
>   # GET /rota/1
>   # GET /rota/1.json
>   def show
>   end
>
>   # GET /rota/new
>   def new
>     @rotum = Rotum.new
>   end
>
>   # GET /rota/1/edit
>   def edit
>   end
>
>   # POST /rota
>   # POST /rota.json
>   def create
>     @rotum = Rotum.new(rotum_params)
>
>     respond_to do |format|
>       if @rotum.save
>         format.html { redirect_to @rotum, notice: 'Rotum was successfully created.' }
>         format.json { render :show, status: :created, location: @rotum }
>       else
>         format.html { render :new }
>         format.json { render json: @rotum.errors, status: :unprocessable_entity }
>       end
>     end
>   end
>
>   # PATCH/PUT /rota/1
>   # PATCH/PUT /rota/1.json
>   def update
>     respond_to do |format|
>       if @rotum.update(rotum_params)
>         format.html { redirect_to @rotum, notice: 'Rotum was successfully updated.' }
>         format.json { render :show, status: :ok, location: @rotum }
>       else
>         format.html { render :edit }
>         format.json { render json: @rotum.errors, status: :unprocessable_entity }
>       end
>     end
>   end
>
>   # DELETE /rota/1
>   # DELETE /rota/1.json
>   def destroy
>     @rotum.destroy
>     respond_to do |format|
>       format.html { redirect_to rota_url, notice: 'Rotum was successfully destroyed.' }
>       format.json { head :no_content }
>     end
>   end
>
>   private
>     # Use callbacks to share common setup or constraints between actions.
>     def set_rotum
>       @rotum = Rotum.find(params[:id])
>     end
>
>     # Never trust parameters from the scary internet, only allow the white list through.
>     def rotum_params
>       params.require(:rotum).permit(:name, :mobile, :email, :category, :other)
>     end
> end
----
Jason Fleetwood-Boldt
[email protected]
http://www.jasonfleetwoodboldt.com/writing
All material © Jason Fleetwood-Boldt 2014. Public conversations may be turned
into blog posts (original poster information will be made anonymous). Email
[email protected] with questions/concerns about this.
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/rubyonrails-talk/D9F04E14-0EFE-45E4-AACF-90AFAC3D0EA3%40datatravels.com.
For more options, visit https://groups.google.com/d/optout.