图像修改添加权限

app/controllers/avatar_controller.rb

@@ -7,6 +7,10 @@ class AvatarController < ApplicationController
   include ApplicationHelper
 
   def upload
+    if params[:source_type] == "User" && !(User.current.admin? || User.current.id == params[:source_id].to_i)
+      render_403
+    end
+
     # Make sure that API users get used to set this content type
     # as it won't trigger Rails' automatic parsing of the request body for parameters
     unless request.content_type == 'application/octet-stream'