
Protected movie controller methods by disabling some routes

1 parent fdaa57d commit 11a32c187fb821a193dbd9f799bab4723989f039 @Puskin committed May 17, 2012
Showing with 14 additions and 9 deletions.
  1. +12 −7 app/controllers/movies_controller.rb
  2. +1 −1 app/views/movies/_movie.html.erb
  3. +1 −1 config/routes.rb
@@ -1,6 +1,8 @@
class MoviesController < ApplicationController
before_filter :signed_in_user, except: [:show]
+ before_filter :correct_user, only: [:destroy]
+
def index
if params[:popular] == "fuckyea"
@@ -20,8 +22,6 @@ def show
end
end
- # GET /movies/new
- # GET /movies/new.json
def new
@movie = Movie.new
@@ -31,11 +31,6 @@ def new
end
end
- # GET /movies/1/edit
- def edit
- @movie = Movie.find(params[:id])
- end
-
# POST /movies
# POST /movies.json
def create
@@ -79,4 +74,14 @@ def destroy
format.js
end
end
+
+ private
+
+ def correct_user
+ movie = Movie.find(params[:id])
+ user = movie.user
+ redirect_to(root_path) unless current_user?(user)
+ end
+
+
end
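Review bot: `correct_user` is registered with `only: [:destroy]` (first hunk), so if this controller has an `update` action outside the visible hunks it remains reachable with the signed-in check alone; the usual form is `before_filter :correct_user, only: [:update, :destroy]` or, more robustly, an owner-scoped lookup `@movie = current_user.movies.find(params[:id])`, which answers a non-owner with a 404 instead of a lookup followed by a redirect (this assumes User `has_many :movies`, consistent with the visible `movie.user`). The filter also loads the movie and discards it, so `destroy` presumably repeats `Movie.find(params[:id])`; assigning `@movie` in the filter removes the duplicate query and keeps both lookups in agreement. With `resources :movies, only: [:show]` in config/routes.rb, `destroy` is no longer routed unless a route outside that hunk reaches it, which makes the new filter dead code; a comment such as `# destroy is currently unrouted (see config/routes.rb); filter kept for when it returns` would save the next reader the search. The two blank lines added before the closing `end` should be one.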
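--- a/app/views/movies/_movie.html.erb
+++ b/app/views/movies/_movie.html.erb
@@ -30,7 +30,7 @@
 <% end %>
 </div>
 <div class="action">
-<% if signed_in? && current_user?(movie.user) %>
+<% if signed_in? && current_user?(movie.user) && 1 == 2 %>
 <%= link_to "&times;".html_safe, movie, :confirm => "Entire movie fo' sho?", :method => :delete, :class => "btn btn-mini pull-right", :remote => true %>
 <% end %>
 </div>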
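Review bot: `&& 1 == 2` makes the condition constant-false, so the delete link is dead code that reads like a debugging leftover rather than a deliberate feature switch. Since the commit also removes the DELETE route in config/routes.rb, either delete the whole `<% if %>` block or gate it on a named helper so the intent survives, e.g. `<% if signed_in? && current_user?(movie.user) && movie_deletion_enabled? %>` (helper name constructed). Hiding the link is a usability measure only; the authoritative protection is the route and controller restriction in the other two files, so those, not this view, are what to keep in sync when deletion is re-enabled.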
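--- a/config/routes.rb
+++ b/config/routes.rb
@@ -4,7 +4,7 @@
 resources :authentications
 resources :comments
 resources :likes
-resources :movies
+resources :movies, only: [:show]
 resources :users
 resources :users do
 member do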
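Review bot: `resources :movies, only: [:show]` drops the `new`, `create` and `destroy` routes, so the matching actions in app/controllers/movies_controller.rb (and the `correct_user` filter added there) become unroutable unless another route outside this hunk reaches them. If read-only is the intended state, either remove the dead actions or annotate the line, e.g. `resources :movies, only: [:show] # create/destroy unrouted for now; actions kept in MoviesController`. Whoever later restores the routes also needs to know the delete link in `_movie.html.erb` is disabled separately with a `1 == 2` literal, so a pointer to that file in the same comment is cheaper than rediscovering it. The repeated `resources :users` in the context lines is pre-existing and not part of this change.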
