I have a network where people can write posts, and they have their personal feed of their own posts, and the network feed of everyone's.
The problem is, any OmniAuth'ed user can edit another user by typing in /edit or delete on the URL.
Cannot have this for a live site!
Does anyone have a quick answer to how this can be blocked? I have:
before_filter :authenticate_user!, :except => [:index, :show]
but I can't figure out without errors how to lock down edit to the user who created the post.
Model - user.rb

    # app/models/user.rb
    class User < ActiveRecord::Base
      has_many :posts
    end

Model - post.rb

    # app/models/post.rb
    class Post < ActiveRecord::Base
      belongs_to :user
    end

Let me know if you want to see more - thanks for the help! -D
If I read you correctly, your users are authenticated via OmniAuth, but now you're looking for a way to 'Authorize' them for specific resources/actions based on permissions or ownership.
The most popular gem for authorization of resources/actions for users, groups, roles, and in-between is CanCan.
There is also a RailsCast video that helped me understand the application of the gem in my applications.
Once you know how to write abilities in CanCan, take a look here for an ability that solves your original question on post editing based on the parent user.
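The ownership rule the answer points at, as an added example that is not part of the original question or answer and does not use the CanCan gem itself: the `Ability` class below re-implements just enough of CanCan's `can` / `can?` / `authorize!` DSL to express "anyone may read a post, only its owner may update or destroy it", and `attempt_update` stands in for what a `PostsController#update` action would do. `User` and `Post` are plain structs here (assumed stand-ins for the ActiveRecord models) so the file runs stand-alone. The point it demonstrates is that authentication (`authenticate_user!`) only proves who the visitor is; the edit/destroy decision has to be a second, server-side check keyed to `post.user_id`, so changing the URL gains an authenticated non-owner nothing.

```ruby
# Added example: a minimal stand-in for the subset of CanCan's Ability DSL
# needed to express "a user may only edit or destroy their own posts".
# The real CanCan gem is not loaded; User and Post are plain structs rather
# than ActiveRecord models so this runs outside a Rails app.

User = Struct.new(:id, :name)
Post = Struct.new(:id, :user_id, :body)

class AccessDenied < StandardError; end

class Ability
  # Each rule is [action, subject_class, conditions]; an empty conditions
  # hash means the action is allowed on every instance of that class.
  def initialize(user)
    @rules = []
    # Equivalent CanCan rule:  can :read, Post
    can :read, Post
    return if user.nil?   # anonymous visitors only get :read
    # Equivalent CanCan rule:  can [:update, :destroy], Post, user_id: user.id
    can [:update, :destroy], Post, user_id: user.id
  end

  def can(actions, subject_class, conditions = {})
    Array(actions).each { |a| @rules << [a, subject_class, conditions] }
  end

  # True when some rule matches the action, the object's class, and every
  # attribute condition (here: post.user_id == current_user.id).
  def can?(action, subject)
    @rules.any? do |act, klass, conds|
      act == action && subject.is_a?(klass) &&
        conds.all? { |attr, value| subject.public_send(attr) == value }
    end
  end

  # Raises instead of returning false, the way a controller wants it.
  def authorize!(action, subject)
    unless can?(action, subject)
      raise AccessDenied, "not allowed to #{action} this #{subject.class}"
    end
    true
  end
end

# What PostsController#update would do before saving: the check runs on the
# server against the authenticated user, so editing the URL does not bypass it.
def attempt_update(current_user, post, new_body)
  Ability.new(current_user).authorize!(:update, post)
  post.body = new_body
  :updated
rescue AccessDenied
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, "alice")
  bob   = User.new(2, "bob")
  post  = Post.new(10, alice.id, "original")
  p attempt_update(alice, post, "edited by owner")   # :updated
  p attempt_update(bob,   post, "edited by stranger") # :forbidden
  p attempt_update(nil,   post, "edited anonymously") # :forbidden
end
```

In a real app the same rules would live in `app/models/ability.rb` and the controller would call `load_and_authorize_resource` (or `authorize! :update, @post`) before touching the record; the shape of the decision is identical to the stand-in above.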