With seven months of programming experience, I still hardly know my left from my right. While doing an assignment, there was a requirement: "Please set it up so that **only the poster** can edit and delete." I was told this is called **prohibiting direct hits** (because by typing **https://XXX/edit** directly into the URL bar you can edit other people's posts... ?).
A while later, when it came time to build a portfolio, I found after finishing it that the URLs could still be hit directly. I had carelessly forgotten it, so I'm recording the method of prohibiting direct hits here as a memo.
If you are not logged in, you can't judge *"posters only"*, so what do apps and websites without a login function do? I'll investigate and learn that later. (Incidentally, there was a company that got into trouble because you could jump straight to its reservation page...)
Anyway, prohibiting direct hits is easy, but it is also easy to forget, so it's a feature you shouldn't overlook!
First, add the following before_action to application_controller.rb. This is Devise's hook for permitting extra sign-up parameters; it does not enforce ownership by itself (that is done in the posts controller below), and the method it names must actually be defined or every Devise request will fail with NoMethodError.
application_controller.rb
```ruby
class ApplicationController < ActionController::Base
  # Devise hook; define configure_permitted_parameters (e.g. under protected) or this raises NoMethodError
  before_action :configure_permitted_parameters, if: :devise_controller?
end
```
Next, open the controller whose actions you want to protect. For a Post resource that is posts_controller.rb (Rails names the file after the plural class, PostsController).
posts_controller.rb
```ruby
class PostsController < ApplicationController
  before_action :authenticate_user!
  before_action :correct_post, only: [:edit, :update, :destroy]
```
`before_action :authenticate_user!` is Devise's filter: it lets only logged-in users reach this controller's actions and redirects everyone else to the sign-in page.
`before_action :correct_post, only: [...]` runs the ownership check only for the actions listed. Note that `edit` only renders the form; the requests that actually change data are `update` (PATCH /posts/:id) and `destroy` (DELETE /posts/:id), so list those too. Protecting `edit` alone still lets anyone who is logged in send the update or delete request directly.
Then define `correct_post` in the same posts_controller.rb. Put it under `private`: before_action can call private methods, and Rails treats every public method on a controller as a routable action.
posts_controller.rb
```ruby
  private

  # Send anyone who is not the post's author back to the index.
  # redirect_to inside a before_action halts the chain, so the action never runs.
  def correct_post
    @post = Post.find(params[:id])
    unless @post.user_id == current_user.id
      redirect_to posts_path
    end
  end
end
```
For `redirect_to posts_path`, specify the page that someone other than the poster should be sent to when they hit the URL directly. With the above, direct access to the protected actions is blocked.
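The whole procedure above, as an added example that is not the original post's code and not Rails: plain Ruby that models how `authenticate_user!` and `correct_post` gate each request, so you can see exactly what the `only:` list does. The users, posts and request list are constructed for the demo, and `authorize`, `demo`, `Decision` and `OWNER_ONLY_ACTIONS` are names introduced here.

```ruby
# Added example (plain Ruby, not Rails and not the original post's code):
# a model of the two before_action filters, so the ownership rule can be
# exercised without a Rails app. Users, posts and requests are constructed.

User = Struct.new(:id, :name)
Post = Struct.new(:id, :user_id, :title)

# Constructed sample data standing in for the users and posts tables.
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }.freeze
POSTS = {
  10 => Post.new(10, 1, "alice's post"),
  11 => Post.new(11, 2, "bob's post"),
}.freeze

# `edit` only renders the form; `update` and `destroy` are the requests that
# change data, so the owner check must cover all three (the `only:` list).
OWNER_ONLY_ACTIONS = %i[edit update destroy].freeze

# What the filter chain decides for one request.
Decision = Struct.new(:outcome, :reason)

# Simulates `before_action :authenticate_user!` followed by
# `before_action :correct_post, only: protected_actions`.
# `protected_actions` is a parameter so an incomplete `only:` list can be shown.
def authorize(action:, post_id:, current_user:, protected_actions: OWNER_ONLY_ACTIONS)
  # authenticate_user!: Devise redirects anonymous users to the sign-in page.
  return Decision.new(:redirect_to_sign_in, "not logged in") if current_user.nil?

  # correct_post runs only for the listed actions.
  if protected_actions.include?(action)
    post = POSTS[post_id]
    # In Rails, Post.find raises ActiveRecord::RecordNotFound (rendered as 404).
    return Decision.new(:not_found, "no post with id #{post_id}") if post.nil?

    unless post.user_id == current_user.id
      # redirect_to inside a before_action halts the chain: the action never runs.
      return Decision.new(:redirect_to_index, "#{current_user.name} does not own post #{post_id}")
    end
  end

  Decision.new(:allow, "#{action} on post #{post_id} permitted")
end

# Run a handful of constructed requests, print each decision, return the outcomes.
def demo(protected_actions: OWNER_ONLY_ACTIONS)
  requests = [
    [:edit,    10, nil],       # anonymous visitor types /posts/10/edit directly
    [:edit,    10, USERS[1]],  # the owner
    [:update,  10, USERS[2]],  # bob submits PATCH /posts/10 for alice's post
    [:destroy, 10, USERS[2]],  # bob sends DELETE /posts/10
    [:show,    10, USERS[2]],  # reading is not restricted
  ]
  requests.map do |action, post_id, user|
    d = authorize(action: action, post_id: post_id, current_user: user,
                  protected_actions: protected_actions)
    puts format("%-8s post %-3d %-6s -> %-20s (%s)",
                action, post_id, user&.name || "anon", d.outcome, d.reason)
    d.outcome
  end
end

if $PROGRAM_NAME == __FILE__
  puts "only: [:edit, :update, :destroy]"
  demo
  puts "\nonly: [:edit]  (update/destroy slip through)"
  demo(protected_actions: [:edit])
end
```

The second table is the hole this post is about: with `only: [:edit]`, a logged-in user who is not the owner is stopped at the form but can still send the update or delete request directly and have it accepted.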
By the way, there is also `current_post`, which looks similar to `correct_post`. Thanks to that I got mixed up, and even though I was writing code to prohibit direct hits, I couldn't prohibit them! I held my head in my hands for a few minutes.
This is another point to be careful of.