Thanks a lot for the replies! I guess I kind of prefer the
before_filter method a little bit because then I don't have to
replicate the redirect_if_not_found logic in each restricted action.
Thanks again!
Ms. Klein,
I handle that situation very similarly with the only disparity being
where ownership is determined. In my opinion the object itself should
know nothing about @current_user, whereas the application can know about
Resource.user.
I also tend to alias methods in my resources, like so
The simpler way is to just search the user's resources when performing an
edit/update/delete, like this:

  def edit
    # Scope the lookup to the current user's own resources; an id that belongs
    # to someone else raises ActiveRecord::RecordNotFound instead of loading.
    @resource = @user.resources.find(params[:id])
  end

This way you can be sure that the user will not be able to select a
resource that doesn't belong to him.
-
Maurício Linhares
http://al
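The two patterns discussed in this thread side by side, as an added example that is not code from any of the posters: an unscoped Resource.find beside the association-scoped @user.resources.find, and a before_filter-style loader that keeps the redirect-if-not-found logic in one place. It is plain Ruby with no Rails dependency, so RecordNotFound, User, Resource, ResourcesController and the sample data are stand-ins constructed here for the ActiveRecord/ActionController pieces the posts refer to.

```ruby
# Added example, not code from the thread: unscoped vs association-scoped
# lookup, plus a before_filter-style loader, modelled with plain Ruby so it
# runs without Rails. RecordNotFound, User, Resource and ResourcesController
# are stand-ins for the ActiveRecord/ActionController classes in the posts.

class RecordNotFound < StandardError; end

User     = Struct.new(:id, :name)
Resource = Struct.new(:id, :user_id, :title)

# Constructed sample data: two users, three resources.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
RESOURCES = [
  Resource.new(10, ALICE.id, "alice's notes"),
  Resource.new(11, ALICE.id, "alice's draft"),
  Resource.new(12, BOB.id,   "bob's notes"),
].freeze

# Stand-in for Resource.find(id): a global lookup that ignores ownership.
def find_resource(id)
  RESOURCES.find { |r| r.id == id } || raise(RecordNotFound, "Resource #{id}")
end

# Stand-in for user.resources.find(id): the lookup is scoped through the
# association, so an id owned by someone else is simply not found.
def find_user_resource(user, id)
  RESOURCES.find { |r| r.user_id == user.id && r.id == id } ||
    raise(RecordNotFound, "Resource #{id} for user #{user.id}")
end

# Reports whether a lookup succeeds, to compare the two patterns directly.
def lookup_outcome(user, id, scoped:)
  scoped ? find_user_resource(user, id) : find_resource(id)
  :found
rescue RecordNotFound
  :not_found
end

# Minimal controller stand-in: one filter runs before the action and can halt
# it, the way `before_filter :load_resource, only: [:edit, :update, :destroy]`
# would, so the redirect-if-not-found handling is written once.
class ResourcesController
  attr_reader :current_user, :params

  def initialize(current_user, params)
    @current_user = current_user
    @params = params
    @response = nil
  end

  # Runs the filter, then the action unless the filter already answered.
  def dispatch(action)
    @response = nil
    load_resource
    send(action) if @response.nil?
    @response
  end

  def edit
    @response = [:edit, @resource.title]
  end

  def destroy
    @response = [:destroyed, @resource.id]
  end

  private

  # The filter: scoped find, with the redirect handled here for every action.
  def load_resource
    @resource = find_user_resource(current_user, params[:id])
  rescue RecordNotFound
    @response = :redirect_not_found
  end
end

if __FILE__ == $PROGRAM_NAME
  p lookup_outcome(ALICE, 12, scoped: false)  # :found (ownership ignored)
  p lookup_outcome(ALICE, 12, scoped: true)   # :not_found
  p ResourcesController.new(ALICE, id: 10).dispatch(:edit)  # [:edit, "alice's notes"]
  p ResourcesController.new(BOB,   id: 10).dispatch(:edit)  # :redirect_not_found
end
```

The first pair of calls is the point of the thread: with the global lookup, Alice's request for id 12 loads Bob's record, while the scoped lookup treats it as not found. The controller then shows the before_filter variant, where every restricted action gets the same scoped load and the same redirect without repeating it in each action body.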