Block certain users from doing tasks


#1

So I have an account manager for users on my site and it has their
profile which just displays their information, and a place where they
can edit their info, the problem I am having is right now a person can
edit anyone’s profile, so I obviously want to make it so they can only
edit their own profile. In my controller I added an if statement that
would check to see if the user was editing their profile which went like
this:

def edit
id = params[:id]
if session[:user_id] == id
begin
@user = User.find_by_id(id)
rescue
flash[:notice] = “No user by that user id can be found”
redirect_to(:controller => ‘home’, :action => ‘index’)
end
else
flash[:notice] = “You are not authorized to edit this user”
redirect_to(:controller => ‘account’, :action => ‘profile’, :id => id)
end
end

But that always gives me the message that I have set as my flash and
takes me to the profile that was trying to be edited (even if the
profile was my own).
Any suggestions?