Forum: Ruby on Rails Recommended way of restricting action permissions?

Lisa Klein (Guest)
on 2008-12-19 22:26
(Received via mailing list)
Hi, I just have a "best practices" question.  I'd like to block users
that don't own a particular resource from performing edit/update/
destroy actions on it.  Here's how I currently do it:

## User has many resources, of different types

------- resource_controller.rb -------

before_filter :require_ownership, :only => [:edit, :update, :destroy]

# ... public actions ...

def require_ownership
  @resource = Resource.find(params[:id])
  redirect_to_somewhere unless owns?(@resource)
end

------- application.rb -------

def owns?(resource)
  # assumed: compares the row's owner id with the logged-in user's id
  # (the usual current_user helper)
  resource.user_id == current_user.id
end

... And I apply this before_filter in the controller of any resource
I'd like to restrict in a similar way.  I'm new to Rails and MVC so
I'm just wondering whether this is the best way of accomplishing this,
or if a different method is recommended.

Thanks in advance!
Darrik Mazey (Guest)
on 2008-12-19 22:26
(Received via mailing list)
Ms. Klein,

I handle that situation very similarly with the only disparity being
where ownership is determined.  In my opinion the object itself should
know nothing about @current_user, whereas the application can know about

I also tend to alias methods in my resources, like so

def owner
  user   # assumed body: whichever association identifies this resource's owner
end

Then I ensure that every object has some owner alias if it is to be
restricted, and in my :require_ownership before_filter, I do the

def require_ownership
  @resource = Resource.find(params[:id])   # lookup as in Lisa's version
  redirect_to_somewhere unless @resource.owner == @current_user
end

The end effect is the same, but this allows the resource to be used
intact in another application without modification, regardless of
@current_user in the other application.  Just a matter of who knows
what about whom.

Otherwise, unless someone can suggest a better method for us both, I
personally think you're on the right track.

Darrik Mazey

Maurício L. (Guest)
on 2008-12-19 22:32
(Received via mailing list)
The simpler way is just to search the user's resources when performing an
edit/update/delete, like this:

def edit
  @resource = @user.resources.find(params[:id])
end

This way you can be sure that the user will not be able to select a
resource that doesn't belong to him.

Maurício Linhares (pt-br)
Lisa Klein (Guest)
on 2008-12-19 22:38
(Received via mailing list)
Thanks a lot for the replies!  I guess I kind of prefer the
before_filter method a little bit because then I don't have to
replicate the redirect_if_not_found logic in each restricted action.
Thanks again!
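As an added example (not code posted by anyone in this thread), here is a plain-Ruby model of the two patterns discussed above: the explicit ownership check in a before_filter, and the lookup scoped through the user's association. It runs without Rails; User, Resource, the error classes and the fixture rows are constructed for the example.

```ruby
# Added example, not code from the thread: models the ownership before_filter
# and the user-scoped find side by side, runnable without Rails.
# Resource, User, Forbidden, RecordNotFound and the fixtures are constructed.

class RecordNotFound < StandardError; end
class Forbidden < StandardError; end

Resource = Struct.new(:id, :user_id)

# Constructed fixtures: resource 1 belongs to user 10, resource 2 to user 20.
ALL_RESOURCES = [Resource.new(1, 10), Resource.new(2, 20)]

class User
  attr_reader :id, :resources
  def initialize(id, resources)
    @id = id
    @resources = resources
  end

  # Mirrors @user.resources.find(id): only this user's rows are searched,
  # so a foreign id is simply "not found" and never reaches the action.
  def find_resource(id)
    resources.find { |r| r.id == id } or raise RecordNotFound, "Resource #{id}"
  end
end

ALICE = User.new(10, ALL_RESOURCES.select { |r| r.user_id == 10 })

# Pattern 1: unscoped lookup, then an explicit ownership check (the
# require_ownership before_filter). A foreign id is found, then rejected.
def require_ownership(current_user, id)
  resource = ALL_RESOURCES.find { |r| r.id == id } or raise RecordNotFound, "Resource #{id}"
  raise Forbidden, "not the owner" unless resource.user_id == current_user.id
  resource
end

# Pattern 2: the lookup itself is scoped to the current user.
def scoped_find(current_user, id)
  current_user.find_resource(id)
end

# Both deny the foreign resource; they differ in which error the controller
# has to handle (redirect vs. 404). Returns a label for the outcome.
def outcome(pattern, user, id)
  send(pattern, user, id)
  :allowed
rescue Forbidden
  :forbidden
rescue RecordNotFound
  :not_found
end
```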