Problem changing account from url using multitenancy Path /:account_id/

Borja Soler
I am using Multitenancy with Path /:account_id/

but I am having a problem: when I change the account URL manually, for example from http://localhost:5000/4 to http://localhost:5000/3, I can see both contents. I am only a member of the /4 account and not a member of /3, but I can still see its content.

is there anything I am missing in my controllers?

I have in my controllers:
before_action :set_discussion, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!
John Chambers
Have you added the following line to your content models?

acts_as_tenant :account

That should scope content items so only those belonging to current_account are shown
https://jumpstartrails.com/docs/accounts

Borja Soler
yes, I have added them
John Chambers
Sorry I misunderstood the issue.

Maybe you need to add a before_action to the controller so that only members see content associated with that account? Non-members could be redirected away because they don't have authorization.
Chris Oliver
Yeah, you'll want to add a before action to redirect if you're signed in but not a member of the account.

That's not something everyone wants (like if you're building a marketplace type of app), so it's not going to be there by default.
Borja Soler
I included a before_action
before_action :restrict_access, only: [:show, :edit, :update, :destroy]

and a new method 
  def restrict_access
    redirect_to root_path unless current_account.present? && current_account.discussions.pluck(:id).include?(params[:id])
  end

but I still can access other teams' URLs. What might be wrong? Thanks!
Chris Oliver
Borja Soler, you're not checking if the current user is part of the account.

For example, this would redirect if the user were not in the account's users list. And don't forget, you'll want to redirect with the script name changed so that it removes the account_id from the URL.

def restrict_access
  if user_signed_in? && !current_account.account_users.where(user_id: current_user.id).exists?
    redirect_to root_url(script_name: '/')
  end
end
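To see why the discussion-existence check lets a non-member through while the account-membership check does not, here is an added example that is not code from the thread or from Jumpstart Rails. It models both checks in plain Ruby over constructed in-memory data (accounts 3 and 4, users 1 and 2, two discussions) so it runs without Rails; the Request and Response structs, the helper names, the path parsing and the sign-in path are assumptions of this example, while the account_users and discussions names follow the thread.

```ruby
# Added example (not from the thread or Jumpstart Rails): account-membership
# check for path-based multitenancy (/:account_id/...), in plain Ruby with
# constructed data so it runs without Rails.

# Constructed sample data: user 1 belongs only to account 4; user 2 to 3 and 4.
ACCOUNT_USERS = [
  { account_id: 4, user_id: 1 },
  { account_id: 3, user_id: 2 },
  { account_id: 4, user_id: 2 },
].freeze

# Constructed discussions; acts_as_tenant would scope these by account_id.
DISCUSSIONS = [
  { id: 1, account_id: 4, title: "team 4 roadmap" },
  { id: 7, account_id: 3, title: "team 3 budget" },
].freeze

# Assumed stand-ins for the Rails request and a redirect/render result.
Request  = Struct.new(:path, :current_user_id, keyword_init: true)
Response = Struct.new(:status, :location, :body, keyword_init: true)

# Path-based multitenancy: the first path segment is the account id
# (Jumpstart mounts the app under /:account_id/ via script_name).
def account_id_from_path(path)
  m = path.match(%r{\A/(\d+)(?:/|\z)})
  m && m[1].to_i
end

# The check Chris Oliver recommends: is the signed-in user in account_users?
def account_member?(account_id, user_id)
  ACCOUNT_USERS.any? { |au| au[:account_id] == account_id && au[:user_id] == user_id }
end

# The insufficient check from the thread: it only proves the discussion
# belongs to the account in the URL, which holds for every account's own
# discussions, so a signed-in non-member still passes. Kept for contrast.
def discussion_in_account?(account_id, discussion_id)
  DISCUSSIONS.any? { |d| d[:account_id] == account_id && d[:id] == discussion_id }
end

# Equivalent of the before_action: returns a redirect Response when the
# request must not proceed, or nil when the controller action may run.
def restrict_access(request)
  account_id = account_id_from_path(request.path)
  return nil if account_id.nil? # not under /:account_id/, nothing to restrict
  # Assumed sign-in path; in the thread authenticate_user! handles this case.
  return Response.new(status: 302, location: "/users/sign_in") if request.current_user_id.nil?
  return nil if account_member?(account_id, request.current_user_id)

  # Non-member: redirect to root with the account prefix dropped, the
  # equivalent of root_url(script_name: '/') in the thread.
  Response.new(status: 302, location: "/")
end

# A minimal DiscussionsController#show: membership first, then tenant-scoped lookup.
def show_discussion(request)
  denied = restrict_access(request)
  return denied if denied

  account_id    = account_id_from_path(request.path)
  discussion_id = request.path.split("/").last.to_i
  discussion = DISCUSSIONS.find { |d| d[:account_id] == account_id && d[:id] == discussion_id }
  return Response.new(status: 404, body: "Not found") unless discussion

  Response.new(status: 200, body: discussion[:title])
end
```

In a real controller params[:id] is a String while pluck(:id) returns Integers, so the thread's original comparison would also need a to_i; the example uses integer ids throughout. The ordering matters too: the membership check runs before the record lookup, so a non-member is redirected without the controller touching the other account's data at all.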
Borja Soler
True 🤦‍♂️, thank you Chris Oliver.