- Implement friendly forwarding for user login - Add correct_user method to ensure users can only edit their own profiles - Update sessions_controller to handle forwarding URL - Enhance user controller tests to verify redirection for unauthorized access These changes improve user experience by allowing users to be redirected back to their intended page after logging in. Additionally, the new correct_user method enhances security by preventing users from editing other users' profiles, ensuring proper authorization checks are in place.
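# Login-state helpers: session-based login, persistent ("remember me") login
# through cookies, logout, and storage of the URL a visitor originally asked for.
#
# The including class must provide `session`, `cookies`, `request` and
# `reset_session`; a `User` model is looked up with `User.find_by(id:)`.
module SessionsHelper
  # Marks the given user as logged in for this session.
  #
  # NOTE(review): nothing here rotates the session id. Confirm the caller runs
  # reset_session before log_in so a pre-login session id is not carried over.
  #
  # @param user [User] must respond to #id and #session_token
  def log_in(user)
    session[:user_id] = user.id
    # Guard against session replay attacks: current_user accepts the session
    # only while this stored value still equals user.session_token.
    session[:session_token] = user.session_token
  end

  # Sets the cookies used for a persistent login.
  #
  # The user id goes into an encrypted permanent cookie. The remember token goes
  # into a plain permanent cookie and is later checked by User#authenticated?
  # (defined outside this file).
  #
  # NOTE(review): no secure/httponly options are passed here; confirm they are
  # enforced application-wide (for example via config.force_ssl).
  #
  # @param user [User] must respond to #remember, #id and #remember_token
  def remember(user)
    # Presumably generates remember_token and stores its digest -- defined on
    # the model, verify there.
    user.remember
    cookies.permanent.encrypted[:user_id] = user.id
    cookies.permanent[:remember_token] = user.remember_token
  end

  # Returns the logged-in user, or nil when nobody is authenticated.
  #
  # The session is consulted first. The cookie branch runs only when the session
  # holds no user id, so a session whose token no longer matches yields nil and
  # does not fall back to the remember cookies.
  #
  # @return [User, nil]
  def current_user
    if (user_id = session[:user_id])
      user = User.find_by(id: user_id)
      # The id alone is not enough: the token stored at login must still match.
      @current_user = user if user && session[:session_token] == user.session_token
    elsif (user_id = cookies.encrypted[:user_id])
      user = User.find_by(id: user_id)
      if user && user.authenticated?(cookies[:remember_token])
        # A valid remember cookie re-establishes a normal session.
        log_in user
        @current_user = user
      end
    end
  end

  # @return [Boolean] true when current_user resolves to a user
  def logged_in?
    !current_user.nil?
  end

  # Ends a persistent login: calls user.forget and deletes both remember cookies.
  #
  # @param user [User] must respond to #forget
  def forget(user)
    user.forget
    cookies.delete(:user_id)
    cookies.delete(:remember_token)
  end

  # Logs out whoever is logged in and clears all login state held by the browser.
  #
  # Safe to call when nobody is logged in (for example a second logout from
  # another tab); that case previously raised NoMethodError from forget(nil).
  def log_out
    user = current_user
    if user
      forget(user)
    else
      # current_user is nil, but remember cookies may still be present (for
      # instance when the session token no longer matches). Delete them so the
      # next request cannot log back in through the cookie branch. No user
      # record is touched here because none could be authenticated.
      cookies.delete(:user_id)
      cookies.delete(:remember_token)
    end
    reset_session
    @current_user = nil
  end

  # Tells whether the given user is the one currently logged in.
  #
  # @param user [User, nil]
  # @return [Boolean, nil] falsy when user is nil or is not the current user
  def current_user?(user)
    user && user == current_user
  end

  # Remembers the URL of the current request so the visitor can be sent back to
  # it after logging in. Only GET requests are recorded.
  #
  # NOTE(review): the code that redirects to session[:forwarding_url] is outside
  # this file; confirm it deletes the key once it has been used.
  def store_location
    session[:forwarding_url] = request.original_url if request.get?
  end
end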