I have a Rails app where users can create projects. One user cannot see the other user's projects. However, if I copy the URL of a project that user 1 created (e.g. `localhost:3000/projects/23/edit`), log in as user 2 and paste the direct URL, I can still edit the information. What would be the best way to cross-reference the user that created the project so that only that user can see/edit the page linked by the param?

EDIT: In my projects controller I have:
```ruby
def index
  # Only the current user's projects are listed
  @projects = Project.where(user_id: current_user)
  @default_working_project = current_user.default_working_prodject
  # The original read `production.user`, but `production` is not defined in this
  # action; the only project object in scope here is @default_working_project.
  unless @default_working_project.user == current_user
    redirect_to dashboard_index_path
  end
end
```
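The index action above is already scoped, but the edit/update/show actions are the ones reached by pasting a direct URL, and a global `Project.find(params[:id])` there is the classic insecure direct object reference. The standard Rails fix is to look the record up through the owner's association (`current_user.projects.find(params[:id])`), which raises `ActiveRecord::RecordNotFound` and renders a 404 for anyone who does not own it. The following is an added, framework-free illustration of that pattern, not code from the question; `ProjectStore`-style hashes, `NotFound`, `find_project_unscoped`, `find_project_for` and `edit_action` are assumed names, and the users and projects are constructed sample data.

```ruby
# Added example: contrasting an unscoped lookup (IDOR) with an owner-scoped lookup.
# All names and data here are constructed for illustration.

NotFound = Class.new(StandardError)

User    = Struct.new(:id, :name)
Project = Struct.new(:id, :user_id, :title)

# Constructed sample data: project 23 belongs to user 1, project 24 to user 2.
USERS    = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }
PROJECTS = {
  23 => Project.new(23, 1, "Alice's project"),
  24 => Project.new(24, 2, "Bob's project"),
}

# Vulnerable lookup: any authenticated user can reach any id (like Project.find(params[:id])).
def find_project_unscoped(id)
  PROJECTS.fetch(id) { raise NotFound }
end

# Fixed lookup: scoped through the owner, equivalent to
# current_user.projects.find(params[:id]) in Rails. A foreign id is
# indistinguishable from a missing one, so the response is a 404, not a 403.
def find_project_for(user, id)
  project = PROJECTS[id]
  raise NotFound unless project && project.user_id == user.id
  project
end

# Minimal stand-in for the controller's edit action; `scoped: false`
# reproduces the behaviour the question describes.
def edit_action(current_user, params, scoped: true)
  project = scoped ? find_project_for(current_user, params[:id]) : find_project_unscoped(params[:id])
  { status: 200, project: project.title }
rescue NotFound
  { status: 404, project: nil }
end

# Rails shape of the same fix (assumed controller layout, not from the question):
#
#   before_action :set_project, only: %i[show edit update destroy]
#
#   def set_project
#     @project = current_user.projects.find(params[:id])  # RecordNotFound -> 404
#   end

if __FILE__ == $PROGRAM_NAME
  puts edit_action(USERS[2], { id: 23 }, scoped: false).inspect  # bob edits alice's project
  puts edit_action(USERS[2], { id: 23 }).inspect                 # bob gets 404
  puts edit_action(USERS[1], { id: 23 }).inspect                 # alice edits her own
end
```

Scoping through the association also removes the need for a separate `unless project.user == current_user` check in each action, which is easy to forget on one of show/edit/update/destroy; a `before_action` that does the scoped find covers all of them at once.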