Forum: Ruby on Rails How to prevent users from looking at other user's data

Gerwin (Guest)
on 2009-02-11 22:09
(Received via mailing list)
Say I have Users. A user can login and create e.g. Houses..and Houses
can contain People ..etc.

How do I prevent another logged in user from accessing another user's
House (e.g. http://test.com/houses/1  -> where id=1 doesn't belong to
this user but to another user).

Would People also need to have a user_id field so I can check if the
request was done by the correct user?
Robert W. (Guest)
on 2009-02-11 22:31
Gerwin wrote:
> Say I have Users. A user can login and create e.g. Houses..and Houses
> can contain People ..etc.
>
> How do I prevent another logged in user from accessing another user's
> House (e.g. http://test.com/houses/1  -> where id=1 doesn't belong to
> this user but to another user).
>
> Would People also need to have a user_id field so I can check if the
> request was done by the correct user?

There are various ways to accomplish this, but basically you want to make
sure houses can only be accessed through a user.

HousesController
---------------
def index
  user = User.find(current_user)
  @houses = user.houses.find(1)
  ...
  ...
end

That's the basic idea anyway.
Gerwin (Guest)
on 2009-02-12 03:31
(Received via mailing list)
On Feb 11, 12:31 pm, Robert W. <removed_email_address@domain.invalid>
wrote:
>
> end
>
> That's the basic idea anyway.
> --
> Posted via http://www.ruby-forum.com/.

Thanks! I didn't know that something like
current_user.houses.people.find_by_id(param[:id]) would work :)
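
Added example (not code from any poster in this thread): a plain-Ruby model of the owner-scoped lookup discussed above, next to the unscoped lookup it replaces. The in-memory `Scoped` class stands in for an ActiveRecord association so the block runs without Rails. `Scoped`, `show_house_unscoped`, `show_house`, `show_person` and the sample rows are constructed for illustration. It also reaches People through Houses, so Person carries no user_id.

```ruby
# Plain-Ruby stand-in for the models in the thread (constructed data, no Rails
# needed). Scoped mimics what an association such as current_user.houses does.
class RecordNotFound < StandardError; end

House  = Struct.new(:id, :user_id)
Person = Struct.new(:id, :house_id)

# Constructed sample rows: user 1 owns house 1, user 2 owns house 2.
HOUSES = [House.new(1, 1), House.new(2, 2)].freeze
PEOPLE = [Person.new(10, 1), Person.new(20, 2)].freeze

# A collection that can only find records inside its own rows.
class Scoped
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |r| r.id == id.to_i } or
      raise RecordNotFound, "no record with id=#{id} in this scope"
  end
end

User = Struct.new(:id) do
  # Equivalent of: has_many :houses
  def houses
    Scoped.new(HOUSES.select { |h| h.user_id == id })
  end

  # Equivalent of: has_many :people, through: :houses
  # Ownership of a Person is derived from the House it belongs to.
  def people
    owned = HOUSES.select { |h| h.user_id == id }.map(&:id)
    Scoped.new(PEOPLE.select { |p| owned.include?(p.house_id) })
  end
end

# Vulnerable: global lookup by id, any logged-in user gets the record.
def show_house_unscoped(_current_user, params)
  Scoped.new(HOUSES).find(params[:id])
end

# Hardened: every lookup starts from the logged-in user.
def show_house(current_user, params)
  current_user.houses.find(params[:id])
end

def show_person(current_user, params)
  current_user.people.find(params[:id])
end
```

In a Rails controller the `RecordNotFound` raised by the scoped lookup is what turns a request for someone else's id into a 404 instead of a data leak.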