On Tue, Feb 7, 2012 at 11:15, Pallav_bfs <spalla...@gmail.com> wrote:

> How can I design the app, so that any logged in user can edit/remove
> his details only if he wishes to do so and can only view others'
> records.

In addition to using authorization gems like CanCan, you can also do
these things yourself.  Before each action in each controller, get the
current user.  Before any action that would modify, or show in such a
way as to allow modifying, any records, check if the current user is
the owner of those records.  If not, redirect to an error page.  Also
don't give him any *links* to such things!  For instance, on the pages
where he can *view* other people's records, don't put an "Edit" link.

-Dave

-- 
Dave Aronson:  Available Cleared Ruby on Rails Freelancer
(NoVa/DC/Remote) -- see www.DaveAronson.com, and blogs at
www.Codosaur.us, www.Dare2XL.com, www.RecruitingRants.com
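The pattern Dave describes (load the current user before every action, check ownership before any modifying action, redirect otherwise, and hide the Edit link on records the user does not own) as an added example. This is not code from Dave's post or from the Rails project; it is plain Ruby so it runs without Rails, with the controller, action and helper names all assumed, and the user and record data constructed inline:

```ruby
# Added example (not from the original post): an ownership check modelled on
# "before each action, get the current user and verify he owns the record".
# Written in plain Ruby so it runs without Rails; in a real Rails app the same
# check would live in a before_action (before_filter in Rails 3) limited to the
# edit/update/destroy actions. All class and method names are assumptions.

User   = Struct.new(:id, :name)
Record = Struct.new(:id, :owner_id, :body)

# Constructed sample data standing in for database rows.
USERS = {
  1 => User.new(1, "alice"),
  2 => User.new(2, "bob"),
}
RECORDS = {
  10 => Record.new(10, 1, "alice's details"),
  20 => Record.new(20, 2, "bob's details"),
}

# Mimics a Rails controller: each public action method takes a record, and the
# owner check runs in dispatch *before* the action body, never inside it.
# Results come back as hashes instead of rendered pages so they can be asserted on.
class PeopleController
  ACTIONS           = %i[show edit update destroy].freeze
  MODIFYING_ACTIONS = %i[edit update destroy].freeze

  def initialize(current_user)
    # What a before_action would load from the session (nil = not logged in).
    @current_user = current_user
  end

  def dispatch(action, record_id)
    return { status: :not_found } unless ACTIONS.include?(action)
    record = RECORDS[record_id]
    return { status: :not_found } unless record
    # Authorization gate: modifying actions require ownership, or we redirect.
    if MODIFYING_ACTIONS.include?(action) && !owner?(record)
      return { status: :redirect, to: "/error" }
    end
    public_send(action, record)
  end

  # Read-only: any logged-in user may view any record, but the Edit link
  # is only rendered for the owner.
  def show(record)
    { status: :ok, body: record.body, edit_link: edit_link_for(record) }
  end

  def edit(record)
    { status: :ok, form_for: record.id }
  end

  def update(record)
    record.body = "updated"
    { status: :ok, body: record.body }
  end

  def destroy(record)
    RECORDS.delete(record.id)
    { status: :ok }
  end

  private

  # The single place the ownership rule is expressed; compare ids, not names.
  def owner?(record)
    @current_user && record.owner_id == @current_user.id
  end

  # View helper: no Edit link on other people's records.
  def edit_link_for(record)
    owner?(record) ? "/people/#{record.id}/edit" : nil
  end
end
```

The point worth noting is that both halves are needed: hiding the link keeps honest users from stumbling into an error page, but only the check in `dispatch` (the `before_action` in Rails) stops a direct request to `/people/20/edit` from a user who is not the owner.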

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en.