Some people use the concept of resource nesting or "belongs to" to
manage security, but it is pretty one-dimensional.  More robust
security systems (role-based access control, for example) have a much
richer concept of authorization than could possibly be expressed in a
request string.  I love nested resources and use them a lot, but I
wouldn't have expected Rails to hold up one (simple) interpretation of
security as a justification.

I justify nested resources because they provide context information.
For example:

/users/23/groups/17/tags
/groups/17/users/23/tags

Those two URLs refer to very different things, and it is the ORDERED
nesting that sets them apart.  Unfortunately, Rails doesn't provide
any help with the ordering (ticket 8105), obliging me to inspect the
request in order to know which tags we are talking about.

-Chris

On Aug 3, 12:18 pm, DHH <[EMAIL PROTECTED]> wrote:
> On Aug 3, 11:04 am, Brian Hogan <[EMAIL PROTECTED]> wrote:
>
> > Forgive me for reopening an old thread, but
>
> > > posts/1/comments/34
>
> > > Which then lets me do
>
> > > @post = user.posts.find(params[:post_id])
> > > @comment = @post.comments.find(params[:id])
>
> > Forgive me, but I actually do think that's silly.  If I really needed
> > to do that I'd do
>
> > @comment = Comment.find(params[:id], :include=>[:post])
> > @post = @comment.post
>
> > and save a hit to the database.
>
> > I'm having a really hard time wrapping my mind around the nesting,
> > except that the URL looks pretty. Do you really mean to say that we
> > should be accessing both objects that way? It seems really hackish.
> > When I did this without nested routes on my first project, I built
> > URLs this way but never used the post_id in the URL at all. Is that
> > wrong?
>
> > I'm just looking for some enlightenment here, not trying to be
> > difficult! :)
>
> This is for security/data integrity reasons. When you fetch like the
> example above, you can only access posts that were written by the
> user. And only access comments written about that particular post. On
> a blog that might not matter much, but on an application that keeps
> data secret from different accounts, it's paramount.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
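The scoping DHH describes, as an added example that is not code from this thread or from Rails: a plain-Ruby stand-in for the two lookups, with in-memory Post/Comment structs and constructed sample rows so it runs without ActiveRecord. The helper names (find_in, unscoped_lookup, scoped_lookup, scoped_outcome) and the sample ids are assumptions made here. It runs both lookups as user 23 asking for ids that belong to user 42, and also for a comment id placed under the wrong post, which is where Chris's point about the nesting carrying context shows up in code.

```ruby
# Added example: plain-Ruby stand-in for the ActiveRecord scoping DHH describes.
# Not code from the thread or from Rails; the classes, rows and helper names are
# constructed here for illustration.

class RecordNotFound < StandardError; end

Post    = Struct.new(:id, :author_id)
Comment = Struct.new(:id, :post_id, :body)

# Constructed sample data: user 23 owns post 1, user 42 owns post 2.
POSTS = [
  Post.new(1, 23),
  Post.new(2, 42),
].freeze
COMMENTS = [
  Comment.new(34, 1, "comment 34 on post 1 (user 23's data)"),
  Comment.new(35, 2, "comment 35 on post 2 (user 42's data)"),
].freeze

# Stand-in for an association's `find`: the lookup is limited to the rows in
# `scope`, and an id outside that scope raises instead of returning a row.
def find_in(scope, id)
  scope.find { |row| row.id == id } or raise RecordNotFound, "id #{id} not in scope"
end

# Brian's approach: global Comment.find, then walk back to the post. It never
# consults the current user or the post_id in the URL, so any id that exists
# anywhere in the table is returned: an insecure direct object reference.
def unscoped_lookup(params)
  comment = find_in(COMMENTS, params[:id])
  post    = find_in(POSTS, comment.post_id)
  [post, comment]
end

# DHH's approach: user.posts.find(post_id).comments.find(id). Each step only
# sees rows that belong to the step before it, so the nesting in the URL is
# enforced, not just displayed.
def scoped_lookup(current_user_id, params)
  user_posts    = POSTS.select { |p| p.author_id == current_user_id }
  post          = find_in(user_posts, params[:post_id])
  post_comments = COMMENTS.select { |c| c.post_id == post.id }
  comment       = find_in(post_comments, params[:id])
  [post, comment]
end

# Returns :denied if the scoped lookup raises, :allowed otherwise.
def scoped_outcome(current_user_id, params)
  scoped_lookup(current_user_id, params)
  :allowed
rescue RecordNotFound
  :denied
end

if $PROGRAM_NAME == __FILE__
  # User 23 asks for user 42's comment via /posts/2/comments/35.
  foreign = { post_id: 2, id: 35 }
  puts "unscoped: #{unscoped_lookup(foreign)[1].body}"   # leaks user 42's row
  puts "scoped:   #{scoped_outcome(23, foreign)}"        # :denied

  # Same comment id under the wrong post: /posts/1/comments/35. The unscoped
  # version ignores post_id entirely; the scoped one rejects the mismatch.
  mismatched = { post_id: 1, id: 35 }
  puts "unscoped: #{unscoped_lookup(mismatched)[1].body}"
  puts "scoped:   #{scoped_outcome(23, mismatched)}"     # :denied

  # The owner's own request succeeds.
  puts "scoped:   #{scoped_outcome(23, { post_id: 1, id: 34 })}"  # :allowed
end
```

The extra query DHH's version costs buys the check that the unscoped version has nowhere to perform: the parent lookup is where the current user's ownership is asserted, and the child lookup is where the URL's post_id is confirmed to match the comment's actual post.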