文件上传与权限问题

class UserCertiController < ApplicationController
  before_filter :authorize
  observer :save_log_observer
  def upload
    #上传用户的文件，上传成功跳转show,并把文件放入pubic->image>user_certis
    @user_certi = UserCerti.new
    if request.post?
      @user_certi.cname = params[:user_certi][:cname]
      #根据用户名得到用户的id
      @user_certi.user_id = get_user_id(params[:user_certi][:cname]).to_s
      #得到上传的文件名
      str =  params[:user_certi][:file].original_filename.to_s
      #得到一个文件名称 user_id+一个随机数
      @user_certi.cfile =@user_certi.user_id +  rand(10000).to_s +
        "." + str.split(".")[1]
      # 读入文件并写在要求的路径下
      File.open("#{RAILS_ROOT}/public/images/user_certis/#{@user_certi.cfile}",
        "wb+") do | f |
        f.write(params[:user_certi][:file].read)
      end
      #      @flow = Flow.new
      #      @flow.sid = session[:stuff_id]
      #      @flow.stime =
      #        Time.now.strftime("%y-%m-%d %H:%M:%S")
      UserCerti.transaction  do
        #        @flow.save!
        #        @user_certi.flow_id = @flow.id
        @user_certi.save!
        save_flow(@user_certi.id ,10 , @user_certi.created_at)
        flash[:notice] = '保存成功'
        redirect_to(:controller => "user_certi",  :action => 'show',
                             :cname => @user_certi.cname)
        puts @user_certi.cname
      end
    end
  rescue
  end
 
 
  def show
    #显示上传成功的页面
    @user_certi= UserCerti.find(:first,
      :conditions => ["cname = ?",params[:cname]])
    @user_certi.cfile =  "/images/user_certis/#{@user_certi.cfile}"
  end
end

                         <权限后段>  

pope[100]=( params[:stuff][:orther6].to_s=="") ? "0" : "1"
      flash[:orther6]=pope[100]
      for i in 0..pope.length
        if pope[i] == nil
          pope[i] = "0"
        end
        next
      end
      Stuff.transaction  do
        @stuff.name = params[:stuff][:name].to_s