2013-04-15 57 views
0

How to prevent users from accessing messages in an inbox

I've been working on a custom inbox for messages. I'm setting it up so that only the inbox owner (the logged-in user) can view their messages. Right now anyone can type in a URL such as /users/1/messages/7 and view that message, when it should only be readable by the user with id 1, not by users with ids 4, 5, 6, etc. I'm assuming I need to go into the Message model and add something like the following:

    if inbox.recepient_id != @current_user.id 
      redirect_to :root 
    end 

Any ideas how to get this working?

Message model:

    class Message < ActiveRecord::Base 
      attr_accessible :subject, :body, :sender_id, :recepient_id, :read_at, :sender_deleted, :recepient_deleted 
      validates_presence_of :subject, :message => "Please enter message title" 

      belongs_to :sender, :class_name => 'User', :foreign_key => 'sender_id' 
      belongs_to :recepient, :class_name => 'User', :foreign_key => 'recepient_id' 

      # Marks the message as deleted by whichever party (sender or recipient) user_id
      # belongs to. Once both have marked it deleted, the row is destroyed.
      # (The first argument is not used by the method body.)
      def mark_message_deleted(id, user_id) 
        self.sender_deleted = true if self.sender_id == user_id 
        self.recepient_deleted = true if self.recepient_id == user_id 
        (self.sender_deleted && self.recepient_deleted) ? self.destroy : self.save! 
      end 

      # Records the first time the recipient reads the message.
      def readingmessage 
        self.read_at ||= Time.now 
        save 
      end 

      # True once the recipient has read the message.
      def read? 
        !self.read_at.nil? 
      end 

      # Messages addressed to the given user (that user's inbox).
      def self.received_by(user) 
        where(:recepient_id => user.id) 
      end 

      # Messages the recipient has not deleted.
      def self.not_recepient_deleted 
        where("recepient_deleted = ?", false) 
      end 
    end 

Answers

1

CanCan is the gem for you. I use it in all my projects. It will solve this problem.

+0

I have my own authorization and authentication. For my first app I wanted to build it from scratch, because I'll learn better that way. – pwz2000

+1

Just don't do that in your first app. – jturolla

0

One way is to create a before_filter on your messages controller.

    class MessagesController < ApplicationController 
      # Run the check before the actions that operate on a single message.
      # Assumes an authentication filter has already set @current_user.
      before_filter :check_user_inbox, :only => [:show, :update, :destroy] 

      ... 

      private 

      # Load the requested message and send anyone who is not its recipient away.
      def check_user_inbox 
        @message = Message.find(params[:id]) 
        if @message.recepient_id != @current_user.id 
          redirect_to :root 
        end 
      end 
    end 
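An added example, not code from the question or from either answer, that puts the bug from the question and the before_filter fix from the answer above side by side with a second fix, scoping the lookup to the user's own inbox. The Rails pieces are replaced with plain-Ruby stand-ins so it runs offline without a database: an in-memory array stands in for the messages table, `NotFound` for `ActiveRecord::RecordNotFound`, and the logged-in user is passed in as an id (the page's `@current_user.id`). `Message` (as a Struct), `MESSAGES`, `NotFound`, `find_unscoped`, `find_in_inbox` and the `show_*` methods are names invented here; `recepient_id`, `received_by` and `not_recepient_deleted` are the column and scopes from the posted model, and the sample rows are constructed.

```ruby
# Added example, not from the question or the answers. Plain-Ruby stand-ins
# replace the Rails pieces so it runs without a database. Column names follow
# the page (recepient_id); the current user is passed in as an id.

# Minimal stand-in for the Message model's columns.
Message = Struct.new(:id, :subject, :sender_id, :recepient_id, :recepient_deleted,
                     keyword_init: true) do
  # The rule from the question: only the recipient may read a message, and
  # only while the recipient has not deleted it (the not_recepient_deleted scope).
  def readable_by?(user_id)
    recepient_id == user_id && !recepient_deleted
  end
end

# Constructed sample rows (not real data).
MESSAGES = [
  Message.new(id: 7, subject: "hello",   sender_id: 2, recepient_id: 1, recepient_deleted: false),
  Message.new(id: 8, subject: "deleted", sender_id: 3, recepient_id: 1, recepient_deleted: true),
  Message.new(id: 9, subject: "other",   sender_id: 1, recepient_id: 4, recepient_deleted: false),
].freeze

# Stand-in for ActiveRecord::RecordNotFound (rendered as a 404 by Rails).
class NotFound < StandardError; end

# Stand-in for Message.find(params[:id]): the :id from the URL is trusted on
# its own, so any logged-in user can read any message by changing the number.
def find_unscoped(id)
  MESSAGES.find { |m| m.id == id } or raise NotFound, "message #{id}"
end

# The vulnerable show action from the question: the current user is ignored.
def show_insecure(_current_user_id, id)
  [:ok, find_unscoped(id)]
end

# Fix 1, the answer's before_filter: load, then compare recepient_id with the
# current user and redirect everyone else. Returns [:ok, msg] or [:redirect, :root].
def show_with_filter(current_user_id, id)
  message = find_unscoped(id)
  return [:redirect, :root] unless message.readable_by?(current_user_id)
  [:ok, message]
end

# Fix 2, scoping the lookup to the user's own inbox, equivalent to
# Message.received_by(@current_user).not_recepient_deleted.find(params[:id]).
# Someone else's message is simply not found, the same answer as for an id
# that does not exist, so probing /users/1/messages/N reveals nothing.
def find_in_inbox(current_user_id, id)
  MESSAGES.find { |m| m.id == id && m.readable_by?(current_user_id) } or
    raise NotFound, "message #{id}"
end

# Fix 2 wrapped as a show action: NotFound becomes a 404 rather than a redirect.
def show_scoped(current_user_id, id)
  [:ok, find_in_inbox(current_user_id, id)]
rescue NotFound
  [:not_found, nil]
end

if __FILE__ == $0
  p show_insecure(4, 7)     # user 4 reads user 1's message 7: the bug
  p show_with_filter(4, 7)  # [:redirect, :root]
  p show_scoped(4, 7)       # [:not_found, nil]
  p show_scoped(1, 7)       # [:ok, message 7]
end
```

In the real app Fix 2 is `Message.received_by(@current_user).not_recepient_deleted.find(params[:id])`, with `rescue_from ActiveRecord::RecordNotFound` (or the default 404 handling) covering the failure case. It is the safer default of the two: a before_filter has to be remembered for every new action that takes an :id, whereas a finder that always starts from the current user's inbox fails closed. Whichever you use, the comparison against `@current_user.id` in the answer raises if nobody is logged in, so the authentication filter must run before it. Note also that a sender cannot read their own sent message under this rule (message 9 above); if that is wanted, the predicate needs a sender_id clause as well.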