Forum: Ruby on Rails block certain users from doing tasks

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Scott P. (Guest)
on 2007-07-30 04:55
So I have an account manager for users on my site. It has their
profile, which just displays their information, and a place where they
can edit their info. The problem I am having is that right now a person can
edit anyone's profile, so I obviously want to make it so they can only
edit their own profile. In my controller I added an if statement that
would check to see if the user was editing their own profile, which went like
this:

def edit
  id = params[:id]
  if session[:user_id] == id
    # only reached when the session id and the requested id compare equal
    begin
      @user = User.find_by_id(id)
    rescue
      flash[:notice] = "No user by that user id can be found"
      redirect_to(:controller => 'home', :action => 'index')
    end
  else
    flash[:notice] = "You are not authorized to edit this user"
    redirect_to(:controller => 'account', :action => 'profile', :id => id)
  end
end

But that always gives me the message that I have set as my flash and
takes me to the profile that was trying to be edited (even if the
profile was my own).
Any suggestions?
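The comparison in the post always fails because of a type mismatch: whatever is stored in session[:user_id] (normally the Integer primary key) is compared with params[:id], which Rails delivers as a String, and in Ruby 7 == "7" is false. A second, unrelated issue is that User.find_by_id returns nil instead of raising when no row matches, so the rescue branch never runs. The following is an added example, not code from the original post, written in plain Ruby with constructed stand-in session, params and users hashes so it runs without Rails. It shows the failing check, a corrected comparison that normalises both sides, and the pattern a security reviewer would prefer: load the user from the session and ignore params[:id] for the edit action entirely, so there is no id for a visitor to tamper with.

```ruby
# Added example (not from the original post). Stand-in data, constructed here:
SESSION      = { user_id: 7 }   # Rails keeps whatever you stored; usually an Integer
PARAMS_OWN   = { id: "7" }      # route params always arrive as Strings
PARAMS_OTHER = { id: "8" }      # someone else's profile
USERS        = { 7 => { name: "scott" }, 8 => { name: "other" } }  # fake users table

# The check exactly as written in the question: Integer == String is always
# false, so every request ends up in the "not authorized" branch.
def naive_owner?(session, params)
  session[:user_id] == params[:id]
end

# Fix 1: normalise both sides before comparing. Integer() with an explicit
# base raises on junk like "7abc" or "0x7" instead of silently truncating
# the way String#to_i would, and a missing session id is treated as a denial.
def owner?(session, params)
  return false unless session[:user_id]
  Integer(params[:id].to_s, 10) == Integer(session[:user_id])
rescue ArgumentError, TypeError
  false
end

# Stand-in for User.find_by_id: returns nil when nothing matches (it does not
# raise, which is why the rescue in the question could never fire).
def find_user_by_id(id)
  USERS[Integer(id.to_s, 10)]
rescue ArgumentError
  nil
end

# Fix 2 (preferred): the edit action loads the logged-in user from the session
# and never looks at params[:id], so there is no identifier to tamper with.
def user_for_edit(session)
  session[:user_id] && find_user_by_id(session[:user_id])
end

# What the controller's edit action would decide, using the corrected check.
# Returns :unauthorized, :not_found, or [:edit, user].
def edit_outcome(session, params)
  return :unauthorized unless owner?(session, params)
  user = find_user_by_id(params[:id])
  user ? [:edit, user] : :not_found
end

if __FILE__ == $0
  puts "naive check on own profile:     #{naive_owner?(SESSION, PARAMS_OWN)}"
  puts "fixed check on own profile:     #{owner?(SESSION, PARAMS_OWN)}"
  puts "fixed check on other profile:   #{owner?(SESSION, PARAMS_OTHER)}"
  puts "edit outcome for own profile:   #{edit_outcome(SESSION, PARAMS_OWN).inspect}"
  puts "edit outcome for other profile: #{edit_outcome(SESSION, PARAMS_OTHER).inspect}"
end
```

In a real controller the equivalent of user_for_edit is a before_filter that sets @current_user from session[:user_id] (redirecting to login when it is nil) and an edit action that assigns @user = @current_user; the /account/edit/:id route then does not need an id at all. Keep the owner? style comparison for actions that legitimately take an id (an admin editing another account, for example), and always compare normalised integers rather than raw strings.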