Ruby on rails 如何在Rails中防止URL被篡改
我的Rails student planner应用程序在URL篡改方面存在一些问题。我相信他们可能都有类似的解决方案,但我有困难 查看作业(Ruby on rails 如何在Rails中防止URL被篡改,ruby-on-rails,ruby,Ruby On Rails,Ruby,我的Rails student planner应用程序在URL篡改方面存在一些问题。我相信他们可能都有类似的解决方案,但我有困难 查看作业(学生/:id/assignments/:id)时,将URL中的作业id更改为属于另一名学生的作业id,有时会导致我的作业#显示页面出现“无方法错误”,有时会显示另一名学生的作业,理想情况下,我只想重定向回他们的主页 同样,作业的编辑页面(students/:id/assignments/:id/edit)、课程(students/:id/courses/:i
学生/:id/assignments/:id
)时,将URL中的作业id更改为属于另一名学生的作业id,有时会导致我的作业#显示
页面出现“无方法错误”,有时会显示另一名学生的作业,理想情况下,我只想重定向回他们的主页
同样,作业的编辑页面(students/:id/assignments/:id/edit
)、课程(students/:id/courses/:id
)和课程的编辑页面(students/:id/courses/:id/edit
)也会发生这种情况。有时,在查看作业的编辑页面时,我会看到“作业编辑中的ArgumentError”
我相信这些问题应该可以在我的控制器中解决,因此我已经将我的作业\u控制器
和课程\u控制器
包括在内
主控主任:
class AssignmentsController < ApplicationController
before_action :require_logged_in
before_action :set_student
def new
if @student && @student.id == current_student.id
@assignment = Assignment.new
@courses = Course.where(student_id: current_student.id)
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
end
end
def create
@assignment = Assignment.new(assignment_params)
@assignment.student_id = current_student.id if current_student
@courses = Course.where(student_id: current_student.id)
if @assignment.save
redirect_to student_assignments_path(@student)
else
render :new
end
end
def index
if @student && @student.id == current_student.id
@assignments = Assignment.where(student_id: current_student.id)
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
end
end
def show
#student = Student.find_by(id: params[:student_id])
if @student && @student.id == current_student.id
#@assignment = student.assignments.find_by(id: params[:id])
@assignment = Assignment.find_by(id: params[:id])
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
end
end
def edit
if @student && @student.id == current_student.id
@assignment = Assignment.find_by(id: params[:id])
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
end
end
def update
student = Student.find_by(id: params[:student_id])
@assignment = Assignment.find_by(id: params[:id])
@assignment.update(params.require(:assignment).permit(:title, :due_date))
redirect_to student_assignment_path(student, @assignment)
end
def destroy
@student = Student.find_by(id: params[:student_id])
@assignment = Assignment.find_by(id: params[:id]).destroy
redirect_to student_path(@student), notice: 'Assignment was successfully completed.'
end
private
def assignment_params
params.require(:assignment).permit(:title, :due_date, :course_id, :student_id)
end
def set_student
@student = Student.find_by(id: params[:student_id])
end
end
类分配控制器
主计长:
class CoursesController < ApplicationController
before_action :require_logged_in
before_action :set_student
def new
if @student && @student.id == current_student.id
@course = Course.new
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
end
end
def create
if @student && @student.id == current_student.id
@course = Course.create(course_params)
@course.student_id = params[:student_id]
if @course.save
redirect_to student_courses_path(@student)
else
render :new
end
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
end
end
def index
if @student && @student.id == current_student.id
@courses = Course.where(student_id: current_student.id)
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
end
end
def show
@student = Student.find_by(id: params[:student_id])
if @student && @student.id == current_student.id
@course = @student.courses.find_by(id: params[:id])
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
end
end
def edit
if @student && @student.id == current_student.id
@course = Course.find_by(id: params[:id])
else
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
end
end
def update
student = Student.find_by(id: params[:student_id])
@course = Course.find_by(id: params[:id])
@course.update(params.require(:course).permit(:course_name))
redirect_to student_course_path(student, @course)
end
def destroy
@student = Student.find_by(id: params[:student_id])
@course = Course.find_by(id: params[:id]).destroy
redirect_to student_path(@student), notice: 'Course was successfully deleted.'
end
private
def course_params
params.require(:course).permit(:course_name)
end
def set_student
@student = Student.find_by(id: params[:student_id])
end
end
class CoursesController
我想访问限制是您需要的。将帮助您设置对页面的正确访问
另外,请用find(id)
替换find_by(id:params[:id])
,因为它更可读、更高效。这可能会帮助您:
在课程控制器中
和<
#xxx_controller.rb
class XxxController < ApplicationController
before_action :require_logged_in
before_action :set_student
before_action :check_owner, only: [:show, :edit, :update, :destroy]
#application_controller.rb
def check_owner
if @student.blank? || @student.id != current_student.id
redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
end
end
@assignment = Assignment.find_by(id: params[:id])
@assignment = @student.assignments.find_by(id: params[:id])
before_validation :assign_slug
def assign_slug
self.slug ||= SecureRandom.uuid
end
add_index :assignments, [ :student_id, :slug ]