如何防止用户访问收件箱中的邮件

Question

我一直在这个自定义收件箱的消息。我正在设置，以便只有收件箱所有者（用户登录）才能查看他们的消息。现在任何人可以输入一个URL，例如/users/1/messages/7和查看该消息时，它应该仅是可读由用户王氏id为1，不与IDS 4，5，6等我假设用户我需要在消息去模型和添加如下：

if inbox.recepient_id != @current_user.id 
redirect_to :root 

任何想法如何让这个工作？

信息模型：

class Message < ActiveRecord::Base 
    attr_accessible :subject, :body, :sender_id, :recepient_id, :read_at,:sender_deleted,:recepient_deleted 
    validates_presence_of :subject, :message => "Please enter message title" 

    belongs_to :sender, :class_name => 'User', :foreign_key => 'sender_id' 
    belongs_to :recepient, :class_name => 'User', :foreign_key => 'recepient_id' 

    # marks a message as deleted by either the sender or the recepient, which ever the user that was passed is. 
    # When both sender and recepient marks it deleted, it is destroyed. 
    def mark_message_deleted(id,user_id) 
     self.sender_deleted = true if self.sender_id == user_id 
     self.recepient_deleted = true if self.recepient_id == user_id 
     (self.sender_deleted && self.recepient_deleted) ? self.destroy : self.save! 
    end 
    # Read message and if it is read by recepient then mark it is read 
    def readingmessage 
     self.read_at ||= Time.now 
     save 
    end 

    # Based on if a message has been read by it's recepient returns true or false. 
    def read? 
     self.read_at.nil? ? false : true 
    end 

    def self.received_by(user) 
    where(:recepient_id => user.id) 
    end 

    def self.not_recepient_deleted 
    where("recepient_deleted = ?", false) 
    end 
end 

Answer 1

Cancan对你是一个宝石。我在我的所有项目中都使用它。我会解决这个问题

Answer 2

一种方法是创建您的消息控制器上的before_filter。

class Messages < ApplicationController 
    before_filter :check_user_inbox 

    def check_user_inbox 
    if inbox.recepient_id != @current_user.id 
     redirect_to :root 
    end 
    end 

    ... 
end