Finne Jager wrote in post #968357: >> Why the current_user part? Just Timesheet.find(params[:id]) should do >> the trick -- after all, the ID is unique. > > I read in Beginning Rails 3 that current_user makes sure that the logged > in user can not see other people's incidents/timesheets.
True enough, though I'd probably use an authorization plugin for that. I have the same > thing in the IncidentsController: > ------------------------------ > def index > @incidents = current_user.incidents.all > ------------------------------- > > But now that Timesheets are nested within Incidents, I don't have to > have current_user for that I guess. > >> Of course that's not working. You haven't defined timesheet anywhere. > > @timesheet = Timesheet.find(params[:id]) > > Seems to be not working... No, I'm sure it's working fine. But you're defining @timesheet in your controller, then calling timesheet (without the @) in the view. > Does it even need to find by ID if I'm > already using the incident_timesheet_path(incident) link? Yes. That only passes the ID. HTTP has no means of passing ActiveRecord objects around. Best, -- Marnen Laibow-Koser http://www.marnen.org mar...@marnen.org Sent from my iPhone -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-t...@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.