Rails 在 link_to 中传递参数如何使其安全
Rails passing params in link_to how to make it secure
我正在尝试在 rails 中创建一个喜欢和不喜欢的函数,因为我正在使用 lin_to 助手来传递参数但是当有人试图复制粘贴 link它更新了数据库。我正在使用 ajax 来使此功能正常工作,这里是我的方法的代码。
控制器代码:
class FeedLikesController < ApplicationController
before_action :authenticate_user! ,only: [:create, :destroy]
before_action :get_feed ,only: [:create, :destroy]
def index
@fees = FeedLike.all
respond_to do |format|
format.html
format.js
end
end
def update
@feed_likes = FeedLike.find_or_create_by(feed_like_params)
respond_to do |format|
if @feed_likes.save
format.html { redirect_to root_url, notice: 'Like ' }
end
end
end
def create
@feed_like_counter = Feed.find(params[:feed_id])
@feed_likes = FeedLike.find_or_create_by(:feed_id => params[:feed_id],:user_id =>params[:user_id])
@f = @feed_like_counter.like_count
@feed_like_counter.like_count = @f+1
@feed_like_counter.save
respond_to do |format|
if @feed_likes.save
format.html { redirect_to root_url, notice: 'Like ' }
format.js
end
end
end
def delete
end
def destroy
@feed_like_counter = Feed.find(params[:feed_id])
@feed_likes = FeedLike.where(feed_like_params)
@f = @feed_like_counter.like_count
@feed_like_counter.like_count = @f-1
@feed_like_counter.save
respond_to do |format|
if @feed_likes.destroy_all
format.html { redirect_to root_url, notice: 'Unlike ' }
format.js
end
end
end
def feed_like_params
params.permit(:user_id, :feed_id)
#params[:market_place]
end
def get_feed
@feed = Feed.find(params[:feed_id])
end
end
在我的 link 视图中是这样的:
<div class="feed-like-<%= @feed %> " >
<%= link_to "like",{ :action => 'create', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, method: :post,class: "btn btn-primary" %>
</div>
不喜欢link是这样的:
<div class="feed-like-<%= @feed %> " >
<%= link_to "Dislike",{ :action => 'destroy', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, class: "btn btn-primary" %>
</div>
我的路线是这样的:
get "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#destroy"
post "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#create"
这里的问题是每当有人想在我通过 url direclty 时喜欢提要它更新数据库我怎么能限制这个只有当用户单击按钮时它才更新数据库而不是 url :
还有另一个问题我正在使用 ajax onclick 事件它更新了数据库但是当我快速单击喜欢按钮时它在不喜欢的部分出现之前更新了数据库 2 或 3 次。我有什么办法可以使用这个 .
我找到了这个问题的解决方案,它非常简单,我试图以非 rails 的方式生成路由,所以我做了一些更改。首先我添加了
resources :feed_likes
然后像这样替换链接:
<%= link_to "Dislike", feed_like_path(:feed_id => @feed, :user_id => current_user.id ), :confirm => 'Are you sure?',:remote => true, :method => :delete,data: { disable_with: "Processsing..." }, class: "btn btn-primary" %>
<%= link_to "like", feed_likes_path(:feed_id => @feed, :user_id => current_user.id ), :confirm => 'Are you sure?',:remote => true, :method => :post, data: { disable_with: "Processsing..." }, class: "btn btn-primary" %>
我正在尝试在 rails 中创建一个喜欢和不喜欢的函数,因为我正在使用 lin_to 助手来传递参数但是当有人试图复制粘贴 link它更新了数据库。我正在使用 ajax 来使此功能正常工作,这里是我的方法的代码。
控制器代码:
class FeedLikesController < ApplicationController
before_action :authenticate_user! ,only: [:create, :destroy]
before_action :get_feed ,only: [:create, :destroy]
def index
@fees = FeedLike.all
respond_to do |format|
format.html
format.js
end
end
def update
@feed_likes = FeedLike.find_or_create_by(feed_like_params)
respond_to do |format|
if @feed_likes.save
format.html { redirect_to root_url, notice: 'Like ' }
end
end
end
def create
@feed_like_counter = Feed.find(params[:feed_id])
@feed_likes = FeedLike.find_or_create_by(:feed_id => params[:feed_id],:user_id =>params[:user_id])
@f = @feed_like_counter.like_count
@feed_like_counter.like_count = @f+1
@feed_like_counter.save
respond_to do |format|
if @feed_likes.save
format.html { redirect_to root_url, notice: 'Like ' }
format.js
end
end
end
def delete
end
def destroy
@feed_like_counter = Feed.find(params[:feed_id])
@feed_likes = FeedLike.where(feed_like_params)
@f = @feed_like_counter.like_count
@feed_like_counter.like_count = @f-1
@feed_like_counter.save
respond_to do |format|
if @feed_likes.destroy_all
format.html { redirect_to root_url, notice: 'Unlike ' }
format.js
end
end
end
def feed_like_params
params.permit(:user_id, :feed_id)
#params[:market_place]
end
def get_feed
@feed = Feed.find(params[:feed_id])
end
end
在我的 link 视图中是这样的:
<div class="feed-like-<%= @feed %> " >
<%= link_to "like",{ :action => 'create', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, method: :post,class: "btn btn-primary" %>
</div>
不喜欢link是这样的:
<div class="feed-like-<%= @feed %> " >
<%= link_to "Dislike",{ :action => 'destroy', :controller => 'feed_likes', :feed_id => @feed, :user_id => current_user.id, :remote => true }, class: "btn btn-primary" %>
</div>
我的路线是这样的:
get "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#destroy"
post "/feed_likes/:feed_id/feed_likes/:user_id" => "feed_likes#create"
这里的问题是每当有人想在我通过 url direclty 时喜欢提要它更新数据库我怎么能限制这个只有当用户单击按钮时它才更新数据库而不是 url :
还有另一个问题我正在使用 ajax onclick 事件它更新了数据库但是当我快速单击喜欢按钮时它在不喜欢的部分出现之前更新了数据库 2 或 3 次。我有什么办法可以使用这个 .
我找到了这个问题的解决方案,它非常简单,我试图以非 rails 的方式生成路由,所以我做了一些更改。首先我添加了
resources :feed_likes
然后像这样替换链接:
<%= link_to "Dislike", feed_like_path(:feed_id => @feed, :user_id => current_user.id ), :confirm => 'Are you sure?',:remote => true, :method => :delete,data: { disable_with: "Processsing..." }, class: "btn btn-primary" %>
<%= link_to "like", feed_likes_path(:feed_id => @feed, :user_id => current_user.id ), :confirm => 'Are you sure?',:remote => true, :method => :post, data: { disable_with: "Processsing..." }, class: "btn btn-primary" %>