vendredi 23 décembre 2016

Admin Conditions In Devise with Rails 5

I have created an admin user in my app by giving users a boolean `admin` value. The problem is that when I set a user to be an admin, they still can't delete or edit a post in the app, although I have set a condition on the post's show page. Note that I am using the Devise gem for user authentication. Here's my code:

BurgersController.rb

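class BurgersController < ApplicationController
  # index/show/search are public; every other action requires a signed-in
  # user (Devise helper).
  before_action :authenticate_user!, except: %i[index show search]
  # set_burger is declared before check_user on purpose: callbacks run in
  # declaration order and check_user reads @burger.
  before_action :set_burger, only: %i[show edit update destroy upvote]
  # Server-side owner-or-admin gate. The matching `if` in the show view only
  # hides links; this callback is what actually protects the write actions.
  before_action :check_user, only: %i[edit update destroy]

  # GET /burgers/search?search=...
  # Hands the raw query to Burger.search (model code, not shown here) and
  # falls back to every burger when the query is blank.
  # NOTE(review): Burger.search is not visible — confirm it binds the query
  # as a parameter rather than interpolating it into SQL.
  def search
    @burgers = params[:search].present? ? Burger.search(params[:search]) : Burger.all
  end

  # GET /burgers
  # GET /burgers.json
  # Optional ?tag= filter via Burger.tagged_with (model code, not shown here).
  def index
    @burgers = params[:tag] ? Burger.tagged_with(params[:tag]) : Burger.all
  end

  # GET /burgers/1
  # GET /burgers/1.json
  # @burger is loaded by set_burger.
  def show; end

  # GET /burgers/new
  def new
    @burger = Burger.new
  end

  # GET /burgers/1/edit
  # Reaching this action means check_user has already passed.
  def edit; end

  # POST /burgers
  # POST /burgers.json
  # The owner is always the signed-in user; :user_id is deliberately absent
  # from burger_params so a client cannot assign a burger to someone else.
  def create
    @burger = Burger.new(burger_params)
    @burger.user_id = current_user.id

    respond_to do |format|
      if @burger.save
        format.html { redirect_to @burger, notice: 'Burger was successfully created.' }
        format.json { render :show, status: :created, location: @burger }
      else
        format.html { render :new }
        format.json { render json: @burger.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /burgers/1
  # PATCH/PUT /burgers/1.json
  # Only whitelisted attributes (burger_params) can be changed.
  def update
    respond_to do |format|
      if @burger.update(burger_params)
        format.html { redirect_to @burger, notice: 'Burger was successfully updated.' }
        format.json { render :show, status: :ok, location: @burger }
      else
        format.html { render :edit }
        format.json { render json: @burger.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /burgers/1
  # DELETE /burgers/1.json
  def destroy
    @burger.destroy
    respond_to do |format|
      format.html { redirect_to burgers_url, notice: 'Burger was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  # Route not shown in this file. Authenticated but not owner-gated, so any
  # signed-in user may vote.
  # `redirect_to :back` is deprecated in Rails 5.0 (removed in 5.1) and raises
  # when the request carries no Referer; redirect_back takes an explicit
  # fallback for that case.
  def upvote
    @burger.upvote_by current_user
    redirect_back fallback_location: burger_path(@burger)
  end

  private

  # Shared loader for member actions. An unknown id raises
  # ActiveRecord::RecordNotFound, which Rails renders as a 404 in production.
  def set_burger
    @burger = Burger.find(params[:id])
  end

  # Strong parameters: only these attributes may be mass-assigned.
  def burger_params
    params.require(:burger).permit(:name, :resturant, :place, :price, :image, :tag_list)
  end

  # Allows the action when the signed-in user owns the burger or carries the
  # `admin` flag. `admin?` is the attribute-query method ActiveRecord
  # generates for the boolean `admin` column; it returns false for both
  # `false` and NULL, so an account that was never actually saved with
  # admin: true is rejected here even if it is treated as an admin elsewhere.
  # A redirect inside a before_action halts the callback chain, so no further
  # guarding is needed after it.
  def check_user
    return if @burger.user == current_user || current_user.admin?

    redirect_to root_url, alert: "Sorry this listing belongs to someone else"
  end
end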

views/burger/show.html.erb

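 <div class="row">
   <div class="col-md-12">
     <div class="thumbnail">
       <%= image_tag @burger.image_url.to_s, class: 'center-block' %>
     </div>
   </div>
   <div class="col-md-6">
     <h2><%= @burger.name %><br></h2>
     <%= @burger.resturant %><br>
     <%= @burger.place %><br>
     <%= number_to_currency(@burger.price, raise: true) %><br>
     <p>Tags: <%= @burger.tag_list %></p>
   </div>
 </div>

 <%# Navigation is for every visitor, so it lives outside the owner/admin check. %>
 <%= link_to 'Back', burgers_path %>

 <%# Mirrors BurgersController#check_user. This only decides whether the links
     are rendered; the controller callback is what protects edit/update/destroy.
     Parentheses make the intended grouping explicit — (signed in AND owner) OR
     admin — and `try(:admin?)` keeps the admin branch nil-safe for anonymous
     visitors, whose current_user is nil. %>
 <% if (user_signed_in? && current_user == @burger.user) || current_user.try(:admin?) %>
   | <%= link_to 'Edit', edit_burger_path(@burger) %>
   | <%= link_to 'Delete', @burger, method: :delete, data: { confirm: "Are you Sure ?" } %>
 <% end %>

 <%# The two closing tags below match wrappers opened earlier in the template,
     outside this excerpt. %>
 </div>

 </div>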

schema.rb

# Devise-generated users table plus two app-specific columns (name, admin).
create_table "users", force: :cascade do |t|
    # Devise :database_authenticatable
    t.string   "email",                  default: "",    null: false
    t.string   "encrypted_password",     default: "",    null: false
    # Devise :recoverable
    t.string   "reset_password_token"
    t.datetime "reset_password_sent_at"
    # Devise :rememberable
    t.datetime "remember_created_at"
    # Devise :trackable
    t.integer  "sign_in_count",          default: 0,     null: false
    t.datetime "current_sign_in_at"
    t.datetime "last_sign_in_at"
    t.string   "current_sign_in_ip"
    t.string   "last_sign_in_ip"
    t.datetime "created_at",                             null: false
    t.datetime "updated_at",                             null: false
    t.string   "name"
    # Role flag read by BurgersController#check_user through the generated
    # `admin?` query method. Every new user gets false, and the column also
    # allows NULL (no `null: false`); both values make `admin?` false, so an
    # account only becomes an admin once its row is explicitly updated with
    # admin: true. Tightening to `null: false` belongs in a migration, not here
    # (schema.rb is generated).
    t.boolean  "admin",                  default: false
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
  end
