When I do this, I store the after a successful login. user’s id in
session. My controller actions pass that id into the find method
@tasks = Task.find_all_by_user_id(session[:user_id])
The session would have to be hacked in order for that to be broken. It’s
been secure enough for me.