换句话说,例如,用户输入:
http://0.0.0.0:3000/goals/3
他们将能够看到该用户的目标,即使该用户以“私人”身份提交了该目标。我忽略了这一点,因为就目前而言,通过“私人”提交目标会将目标隐藏在用户的个人资料和Feed中,但如果其他用户通过url直接搜索目标,则不会。
我们该如何解决呢?
Goals_Controller
class GoalsController < ApplicationController
before_action :set_goal, only: [:show, :edit, :update, :destroy, :like, :user_goals]
before_action :logged_in_user, only: [:create, :destroy]
before_action :correct_user, only: [:edit, :update, :destroy]
def index
if params[:tag]
@goals = Goal.tagged_with(params[:tag])
elsif params[:user_id]
@accomplished_goals = User.find(params[:user_id]).goals.accomplished.order("deadline")
@unaccomplished_goals = User.find(params[:user_id]).goals.unaccomplished.order("deadline")
else
@accomplished_goals = current_user.goals.accomplished.order("deadline")
@unaccomplished_goals = current_user.goals.unaccomplished.order("deadline")
end
end
def user_goals
@goals = Goal.find_by({user_id: params[:user_id]})
render :index # or some other view
end
def show
@goal = Goal.find(params[:id])
@commentable = @goal
@comments = @commentable.comments
@comment = Comment.new
@notable = @goal
@notes = @notable.notes
@note = Note.new
@correct_user = current_user.goals.find_by(id: params[:id])
end
def new
@goal = current_user.goals.build
end
def edit
end
def create
@goal = current_user.goals.build(goal_params)
if (params[:commit] == 'conceal')
@goal.conceal = true
@goal.save
redirect_to @goal, notice: 'Goal was successfully created'
elsif
@goal.save
track_activity @goal
redirect_to @goal, notice: 'Goal was successfully created'
else
flash.now[:danger] = 'Required Field: "Enter Goal"'
render 'new'
end
end
def update
if @goal.update(goal_params)
redirect_to goals_url, notice: 'Goal was successfully updated'
else
render action: 'edit'
end
end
def destroy
@goal.destroy
redirect_to goals_url
end
def like
@goal = Goal.find(params[:id])
@goal_like = current_user.goal_likes.build(goal: @goal)
if @goal_like.save
@goal.increment!(:likes)
flash[:success] = 'Thanks for liking!'
else
flash[:error] = 'Two many likes'
end
redirect_to(:back)
end
private
def set_goal
@goal = Goal.find(params[:id])
end
def correct_user
@goal = current_user.goals.find_by(id: params[:id])
redirect_to root_url, notice: "Not authorized to edit this goal" if @goal.nil?
end
def goal_params
params.require(:goal).permit(:name, :like, :deadline, :accomplished, :tag_list, :comment, :private_submit)
end
end
Goal.rb
class Goal < ActiveRecord::Base
scope :publish, ->{ where(:conceal => false) }
belongs_to :user
scope :accomplished, -> { where(accomplished: true) }
scope :unaccomplished, -> { where(accomplished: false) }
end
被private_submit一个布尔字段?
如果是这样,如果private_submit字段的值为“ true”,这是一种将显示页面设为私有的快速方法。
class GoalsController < ApplicationController
# Remove :edit, :update, destroy, and :user_gmails from below as the action is duplicated
before_action :set_goal, only: [:show, :like]
def show
## Remove: @goal = Goal.find(params[:id])
end
def like
# Remove this as it's being called ready in set_goal:
# @goal = Goal.find(params[:id])
...
end
...
def set_goal
@goal = Goal.find(params[:id])
redirect_to(:back) unless @goal.user_id == current_user.id or @goal.private_submit == false
end
end
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句