I have this current before filter in my users_controller
before_filter :authenticate_usergroup, :except => [:edit, :update, :show]
It works great for just allowing a user to edit their information but not being able to see all the users, but i'v found that by just changing their 'id' in the url they could also edit other users information.
How can i only allow :edit, :show and :update functions to the current user for their own record. i have this method in my application_controller to be able to access the current user
def current_user
return unless session[:user_id]
@current_user ||= User.find_by_id(session[:user_id])
end
#update from users_controller.rb
def update
@user = User.find(params[:id])
respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to @user, :notice => 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render :action => "edit" }
format.json { render :json => @user.errors, :status => :unprocessable_entity }
end
end
end
if you "scope" that only the current_user can access their information, then it doesn't matter.
so in show and edit
@user = current_user
in update action something like
current_user.update_attributes(params[:user])
should do the trick.