Ruby on Rails 2.3.8:有没有办法使每个控制器的销毁操作仅在满足条件时发生?
目前,在我的应用程序中,我发现如果您拦截要执行删除命令的数据包,您可以将 ID 更改为任何 id,并且该对象将被删除,无论它是否属于创建它的人或不是。
所以,我的问题是,有没有办法以某种方式对销毁/删除的工作方式进行全局修改,以便 current_user 必须拥有要删除的项目(或任何其他条件,因为许多应用程序比简单的用户所有权)
Currently, in my app, I've discovered that if you intercept a packet about to perform a delete command, you can change the ID to any id, and that object will get deleted, regardless if it belong to the person who made it or not.
So, my question is, is there a way to somehow make a global modification to the way destroy / delete works such that the current_user must own the item about to be deleted (or whatever other condition, as many apps are a bit more complicated than simple user ownership)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为销毁行动制定全球规则并不是一个好主意。最简单的方法是,您只需要检查控制器中的访问权限:
您还应该查看 CanCan gem
It is not a good idea to write global rule for destroy action. In the simplest way you just need to check access in your controllers:
Also you should look into CanCan gem