Ms. Klein,

I handle that situation very similarly with the only disparity being 
where ownership is determined.  In my opinion the object itself should 
know nothing about @current_user, whereas the application can know about 
Resource.user.

I also tend to alias methods in my resources, like so

def owner
        user
end

Then I ensure that every object has some owner alias if it is to be 
restricted, and in my :require_ownership before_filter, I do the following:

def require_ownership
        redirect_to_somewhere unless @resource.owner == @current_user
end

The end effect is the same, but this allows the resource to be used 
intact in another application without modification, regardless of 
@current_user in the other application.  Just a matter of who knows 
what about whom.

Otherwise, unless someone can suggest a better method for us both, I 
personally think you're on the right track.

Cheers,
Darrik Mazey


Lisa Klein wrote:
> Hi, I just have a "best practices" question.  I'd like to block users
> that don't own a particular resource from performing edit/update/
> destroy actions on it.  Here's how I currently do it:
> 
> ## User has many resources, of different types
> 
> ------- resource_controller.rb -------
> 
> before_filter :require_ownership, :only => [:edit, :update, :destroy]
> 
> ... public actions ...
> 
> protected
> 
> def require_ownership
>   @resource = Resource.find(params[:id])
>   redirect_to_somewhere unless owns?(@resource)
> end
> 
> ------- application.rb -------
> 
> def owns?(resource)
>   resource.user_id == @current_user.id
> end
> 
> ... And I apply this before_filter in the controller of any resource
> I'd like to restrict in a similar way.  I'm new to Rails and MVC so
> I'm just wondering whether this is the best way of accomplishing this,
> or if a different method is recommended.
> 
> Thanks in advance!
-- 
Darrik Mazey
Developer
DMT Programming, LLC.
P.O. Box 91
Torrington, CT 06790
office: 330.983.9941
    fax: 330.983.9942
mobile: 330.808.2025
dar...@dmtprogramming.com

To obtain my public key, send an email to 
dar...@publickey.dmtprogramming.com.
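Added example (mine, not code from either poster): a plain-Ruby model of the ownership filter the thread describes, with each resource exposing an `owner` alias and the controller comparing it to the current user before edit/update/destroy. User, Document, Comment, Photo, ResourceController and the repository hash are constructed stand-ins for ActiveRecord models and ActionController, so it runs without Rails. It goes slightly beyond the thread in two places: the filter fails closed when a resource has no `owner` alias or when nobody is logged in.

```ruby
# Added example, not code from either poster: a plain-Ruby model of the
# ownership filter discussed in the thread. User, Document, Comment, Photo,
# ResourceController and the repository hash are constructed stand-ins for
# ActiveRecord models and ActionController; no Rails is required to run it.

User = Struct.new(:id, :name)

# Resources know their owner (via an `owner` alias) but nothing about the
# application's current user, so they can be reused elsewhere unchanged.
class Document
  attr_reader :id, :user
  def initialize(id, user)
    @id, @user = id, user
  end
  alias_method :owner, :user     # instance-level alias, as the reply intends
end

class Comment
  attr_reader :id, :author
  def initialize(id, author)
    @id, @author = id, author
  end
  alias_method :owner, :author   # different column, same `owner` interface
end

class Photo                      # no owner alias at all: the filter must deny
  attr_reader :id
  def initialize(id)
    @id = id
  end
end

class ResourceController
  ACTIONS    = [:show, :edit, :update, :destroy].freeze
  RESTRICTED = [:edit, :update, :destroy].freeze  # :only => [...] in the thread

  def initialize(repository, current_user)
    @repository   = repository    # id => resource, stands in for Resource.find
    @current_user = current_user  # nil when nobody is logged in
  end

  # Stands in for Rails routing a request to an action, running the
  # before_filter first for the restricted actions.
  def dispatch(action, params)
    return :not_found unless ACTIONS.include?(action)
    @resource = @repository[params[:id]]
    return :not_found if @resource.nil?
    return :redirected if RESTRICTED.include?(action) && !require_ownership
    public_send(action, params)
  end

  def show(_params);    :shown;     end
  def edit(_params);    :edit_form; end
  def update(_params);  :updated;   end
  def destroy(_params); :destroyed; end

  private

  # The filter itself. It fails closed: no logged-in user, or a resource
  # with no owner concept, is treated as "not owned".
  def require_ownership
    return false if @current_user.nil?
    return false unless @resource.respond_to?(:owner)
    @resource.owner == @current_user
  end
end

# Sample data, constructed for the example.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
REPOSITORY = {
  10 => Document.new(10, ALICE),
  11 => Comment.new(11, BOB),
  12 => Photo.new(12)
}.freeze

if __FILE__ == $PROGRAM_NAME
  as_alice = ResourceController.new(REPOSITORY, ALICE)
  p as_alice.dispatch(:edit,    { id: 10 })   # alice owns document 10
  p as_alice.dispatch(:destroy, { id: 11 })   # comment 11 belongs to bob
  p as_alice.dispatch(:show,    { id: 11 })   # show is not restricted
  p as_alice.dispatch(:update,  { id: 12 })   # photo has no owner alias
end
```

The resource lookup happens before the ownership comparison, which matches Lisa's filter; the `respond_to?(:owner)` guard is what turns "every restricted object must have an owner alias" from a convention into something the filter enforces.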
