The simpler way is to just search the user resources when performing an edit/update/delete, like this:

def edit
  @resource = @user.resources.find(params[:id])
end

This way you can be sure that the user will not be able to select a resource that doesn't belong to him.

-
Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/ (en)

On Fri, Dec 19, 2008 at 5:14 PM, Lisa Klein <lisaklei...@gmail.com> wrote:
>
> Hi, I just have a "best practices" question. I'd like to block users
> that don't own a particular resource from performing edit/update/destroy
> actions on it. Here's how I currently do it:
>
> ## User has many resources, of different types
>
> ------- resource_controller.rb -------
>
> before_filter :require_ownership, :only => [:edit, :update, :destroy]
>
> ... public actions ...
>
> protected
>
> def require_ownership
>   @resource = Resource.find(params[:id])
>   redirect_to_somewhere unless owns?(@resource)
> end
>
> ------- application.rb -------
>
> def owns?(resource)
>   resource.user_id == @current_user.id
> end
>
> ... And I apply this before_filter in the controller of any resource
> I'd like to restrict in a similar way. I'm new to Rails and MVC so
> I'm just wondering whether this is the best way of accomplishing this,
> or if a different method is recommended.
>
> Thanks in advance!
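The two patterns from this thread side by side, as an added example that is not code from either poster: a plain-Ruby stand-in that runs without Rails. The `Resource`, `ResourceScope` and `User` classes, the sample rows and the `edit_*` methods are all constructed here and only imitate the ActiveRecord calls the thread uses (`Resource.find`, `@user.resources.find`); `RecordNotFound` plays the role of `ActiveRecord::RecordNotFound`.

```ruby
# Added example (not from the thread): the ownership before_filter pattern
# versus scoping the lookup through the owner's association, in plain Ruby.

class RecordNotFound < StandardError; end

# Stand-in for an ActiveRecord model with a global finder (Resource.find).
class Resource < Struct.new(:id, :user_id, :title)
  def self.all
    ALL_RESOURCES
  end

  def self.find(id)
    all.find { |r| r.id == id.to_i } or
      raise RecordNotFound, "Couldn't find Resource with id=#{id}"
  end
end

# Stand-in for an association proxy (user.resources): a finder that only
# sees the owner's rows, so a foreign id is simply "not found".
class ResourceScope
  def initialize(records)
    @records = records
  end

  def find(id)
    @records.find { |r| r.id == id.to_i } or
      raise RecordNotFound, "Couldn't find Resource with id=#{id}"
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def resources
    ResourceScope.new(Resource.all.select { |r| r.user_id == id })
  end
end

# Constructed sample data: two users, each owning one resource.
ALL_RESOURCES = [
  Resource.new(1, 10, "alice's document"),
  Resource.new(2, 20, "bob's document"),
].freeze
ALICE = User.new(10)
BOB   = User.new(20)

# Pattern 1 (the question): global lookup plus an explicit ownership check,
# as require_ownership does. Returns :redirect when the check fails.
def edit_with_ownership_filter(current_user, params)
  resource = Resource.find(params[:id])
  return :redirect unless resource.user_id == current_user.id
  resource
end

# Pattern 2 (the answer): look the record up through the user's own
# association. There is no separate check to forget; a foreign id raises
# RecordNotFound, which Rails turns into a 404.
def edit_scoped(current_user, params)
  current_user.resources.find(params[:id])
end

# The failure mode both patterns guard against: a controller that forgot the
# before_filter and uses the global finder hands out anyone's record.
def edit_unguarded(_current_user, params)
  Resource.find(params[:id])
end

if __FILE__ == $PROGRAM_NAME
  p edit_with_ownership_filter(ALICE, id: "2")   # :redirect
  p edit_unguarded(ALICE, id: "2").title          # "bob's document" (leaked)
  begin
    edit_scoped(ALICE, id: "2")
  rescue RecordNotFound => e
    puts "scoped lookup: #{e.message}"
  end
end
```

The difference worth noticing is what happens by default: the filter version is only safe in controllers where someone remembered to declare the `before_filter`, while the scoped version has nothing to forget inside the action itself, and a guessed id for another user's row behaves exactly like a nonexistent one. The same `current_user.resources.find` lookup serves `update` and `destroy`, so the check is the same line in every action that loads the record.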