I see your point, but the user_id is just an arbitrary number used for the lookup of the correct user record. You could use anything, like user name (User.find_first_by_username(params[:username])) if you have the correct route set up. Or you could do the same thing with a randomly generated unique id that identifies the user. This all assumes you are concerned with user_id being a sequential integer. At any rate, it's tried and true.
You should be able to use your implementation of role models with CanCan. It doesn't provide roles, just authorization based on your implementation of "roles". You could, for instance, use CanCan to control access based on something as arbitrary as which UserAgent their browser reports. Just remember to restrict access in both the View and the Controller (especially).

Good luck on your project.

On Jun 2, 9:51 pm, Fearless Fool <li...@ruby-forum.com> wrote:
> @Dee:
>
> Yes, you're answering the right question. My addition of the .html
> suffixes (suffixen?) was a brain bubble and should be ignored.
>
> I wonder if exposing the user id in the url is useful or prudent. I
> agree with most RESTful philosophy, but even if authorization code is in
> place to prevent the user 123 from accessing the account of user 142,
> exposing the db-level user ID in the URL doesn't feel right.
>
> That's why I was asking about having two styles of routing: one where
> the user ID is implicit (derived from session and authentication
> credentials) for ordinary users, and one where the user ID is manifest
> in the URL (for the administrator).
>
> But: CanCan looks like a sensible adjunct to Authlogic (even though I've
> already written a Role model). I'll just go with the flow and use that
> as it was intended.
>
> Thanks for the pointer.
>
> - ff
> --
> Posted via http://www.ruby-forum.com/.
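An added example, not part of the original thread and not CanCan's or Authlogic's own API: a plain-Ruby sketch of the controller-side check discussed above, where the identifier in the URL (sequential id, username or random token) is only a lookup key and the authorization rule decides access. The `User` struct, `USERS` list, `Ability`, `AccessDenied`, `lookup` and `account_for` are all hypothetical names, and the records are constructed sample data.

```ruby
require 'securerandom'

# Constructed in-memory stand-ins for the User model and its table (hypothetical).
User = Struct.new(:id, :public_id, :username, :role)
USERS = [
  User.new(123, SecureRandom.urlsafe_base64(16), 'alice', :member),
  User.new(142, SecureRandom.urlsafe_base64(16), 'bob',   :member),
  User.new(1,   SecureRandom.urlsafe_base64(16), 'root',  :admin)
].freeze

class AccessDenied < StandardError; end

# Hypothetical rule object: authorization built on the application's own roles.
class Ability
  def initialize(user)
    @user = user
  end

  # Admins may read any account; everyone else only their own.
  def can_read?(target)
    @user.role == :admin || @user.id == target.id
  end
end

# Look a record up by whichever identifier the route carries.
def lookup(params)
  if params[:public_id]
    USERS.find { |u| u.public_id == params[:public_id] }
  elsif params[:username]
    USERS.find { |u| u.username == params[:username] }
  elsif params[:user_id]
    USERS.find { |u| u.id == params[:user_id].to_i }
  end
end

# Controller-side check. No identifier in the route means "my own account",
# derived from the session; an explicit identifier is always authorized.
def account_for(current_user, params)
  return current_user if (params.keys & %i[public_id username user_id]).empty?

  target = lookup(params)
  # Same error for "not found" and "forbidden", so ids cannot be probed.
  raise AccessDenied unless target && Ability.new(current_user).can_read?(target)
  target
end
```

A random `public_id` removes the sequential pattern from the URL, but the request for another user's account is still refused only because `account_for` runs the ability check on every explicit lookup.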