Ruby on rails 如何在Rails中防止URL被篡改

我的Rails student planner应用程序在URL篡改方面存在一些问题。我相信他们可能都有类似的解决方案，但我有困难

查看作业（

学生/：id/assignments/：id

）时，将URL中的作业id更改为属于另一名学生的作业id，有时会导致我的

作业#显示

页面出现“无方法错误”，有时会显示另一名学生的作业，理想情况下，我只想重定向回他们的主页

同样，作业的编辑页面（

students/：id/assignments/：id/edit

）、课程（

students/：id/courses/：id

）和课程的编辑页面（

students/：id/courses/：id/edit

）也会发生这种情况。有时，在查看作业的编辑页面时，我会看到“作业编辑中的ArgumentError”

我相信这些问题应该可以在我的控制器中解决，因此我已经将我的

作业\u控制器

和

课程\u控制器

包括在内

主控主任：

class AssignmentsController < ApplicationController
  before_action :require_logged_in
  before_action :set_student

  def new
    if @student && @student.id == current_student.id
      @assignment = Assignment.new
      @courses = Course.where(student_id: current_student.id)
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
    end
  end

  def create
    @assignment = Assignment.new(assignment_params)
    @assignment.student_id = current_student.id if current_student
    @courses = Course.where(student_id: current_student.id)

    if @assignment.save
      redirect_to student_assignments_path(@student)
    else
      render :new
    end
  end

  def index
    if @student && @student.id == current_student.id
      @assignments = Assignment.where(student_id: current_student.id)
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
    end
  end

  def show
    #student = Student.find_by(id: params[:student_id])
    if @student && @student.id == current_student.id
      #@assignment = student.assignments.find_by(id: params[:id])
      @assignment = Assignment.find_by(id: params[:id])
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
    end
  end

  def edit
    if @student && @student.id == current_student.id
      @assignment = Assignment.find_by(id: params[:id])
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
    end
  end

  def update
    student = Student.find_by(id: params[:student_id])
    @assignment = Assignment.find_by(id: params[:id])
    @assignment.update(params.require(:assignment).permit(:title, :due_date))
    redirect_to student_assignment_path(student, @assignment)
  end

  def destroy
    @student = Student.find_by(id: params[:student_id])
    @assignment = Assignment.find_by(id: params[:id]).destroy
    redirect_to student_path(@student), notice: 'Assignment was successfully completed.'
  end

  private

    def assignment_params
      params.require(:assignment).permit(:title, :due_date, :course_id, :student_id)
    end

    def set_student
      @student = Student.find_by(id: params[:student_id])
    end
end

类分配控制器

主计长：

class CoursesController < ApplicationController
  before_action :require_logged_in
  before_action :set_student

  def new
    if @student && @student.id == current_student.id
      @course = Course.new
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
    end
  end

  def create
    if @student && @student.id == current_student.id
      @course = Course.create(course_params)
      @course.student_id = params[:student_id]

      if @course.save
        redirect_to student_courses_path(@student)
      else
        render :new
      end
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
    end
  end

  def index
    if @student && @student.id == current_student.id
      @courses = Course.where(student_id: current_student.id)
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
    end
  end

  def show
    @student = Student.find_by(id: params[:student_id])
    if @student && @student.id == current_student.id
      @course = @student.courses.find_by(id: params[:id])
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
    end
  end

  def edit
    if @student && @student.id == current_student.id
      @course = Course.find_by(id: params[:id])
    else
      redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users courses.'
    end
  end

  def update
    student = Student.find_by(id: params[:student_id])
    @course = Course.find_by(id: params[:id])
    @course.update(params.require(:course).permit(:course_name))
    redirect_to student_course_path(student, @course)
  end

  def destroy
    @student = Student.find_by(id: params[:student_id])
    @course = Course.find_by(id: params[:id]).destroy
    redirect_to student_path(@student), notice: 'Course was successfully deleted.'
  end

  private

    def course_params
      params.require(:course).permit(:course_name)
    end

    def set_student
      @student = Student.find_by(id: params[:student_id])
    end
end

class CoursesController

我想访问限制是您需要的。将帮助您设置对页面的正确访问

另外，请用

find（id）

替换

find_by（id:params[：id]）

，因为它更可读、更高效。

这可能会帮助您：

在

课程控制器中

和<

#xxx_controller.rb
class XxxController < ApplicationController
  before_action :require_logged_in
  before_action :set_student
  before_action :check_owner, only: [:show, :edit, :update, :destroy]

#application_controller.rb
def check_owner
  if @student.blank? || @student.id != current_student.id
    redirect_to student_path(current_student), error: 'Sorry, you can\'t view another Users assignments.'
  end
end

@assignment = Assignment.find_by(id: params[:id])

@assignment = @student.assignments.find_by(id: params[:id])

 before_validation :assign_slug

 def assign_slug
   self.slug ||= SecureRandom.uuid
 end

 add_index :assignments, [ :student_id, :slug ]