On 1/7/06, Gareth R. [email protected] wrote:
> access to. I probably should check that the current user has permissions
Rails mailing list
One thing to keep in mind is to always use associations for finding
things when you’ve got them set up. For example, you have a User
model and a JournalEntry model, and a User has many JournalEntries.
If you want users to only be able to access their own journal entries,
just be sure to access the entries through the user object. So
something like this in your controller:
entry = session[:user].journal_entries.find(params[:id])
This ends up being the same as
but it’s obviously way more concise and logical.
Anyway, that’s a pretty simple way of making sure that people don’t
get to view something they shouldn’t. As far as restricting access to
controllers and individual actions, you can look into using the
UserEngine which implements basic RBAC.
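Added example (not code from the original post or from Rails): a plain-Ruby stand-in for the two lookups discussed above, run on constructed sample rows, showing why the unscoped `JournalEntry.find` hands back another user's entry while the association-scoped `user.journal_entries.find` treats that id as non-existent. `JournalEntry`, `JournalEntries`, `User` and `RecordNotFound` here are minimal assumed stand-ins for the ActiveRecord classes, not the real ones.

```ruby
# Added example: minimal stand-ins for the ActiveRecord pieces involved,
# so the scoping difference can be run without Rails. All rows are
# constructed sample data.

class RecordNotFound < StandardError; end

# Constructed sample table: user 10 owns entries 1 and 2, user 20 owns 3.
JOURNAL_ENTRIES = [
  { id: 1, user_id: 10, body: "alice day 1" },
  { id: 2, user_id: 10, body: "alice day 2" },
  { id: 3, user_id: 20, body: "bob day 1"   },
].freeze

# Unscoped lookup, mirroring JournalEntry.find(params[:id]):
# any id in the table matches, whoever owns it.
module JournalEntry
  def self.find(id)
    JOURNAL_ENTRIES.find { |e| e[:id] == id.to_i } or
      raise RecordNotFound, "JournalEntry id=#{id}"
  end
end

# Association proxy, mirroring user.journal_entries: every query is
# pre-filtered on user_id, so another user's id is simply not found.
class JournalEntries
  def initialize(user_id)
    @user_id = user_id
  end

  def find(id)
    JOURNAL_ENTRIES.find { |e| e[:user_id] == @user_id && e[:id] == id.to_i } or
      raise RecordNotFound, "JournalEntry id=#{id} for user #{@user_id}"
  end
end

# Stand-in for the user object kept in session[:user].
User = Struct.new(:id) do
  def journal_entries
    JournalEntries.new(id)
  end
end

# The two controller variants, as plain functions returning the entry body.
def show_unscoped(params)
  JournalEntry.find(params[:id])[:body]
end

def show_scoped(current_user, params)
  current_user.journal_entries.find(params[:id])[:body]
end
```

Requesting id 3 as user 10 succeeds through the unscoped path and raises through the scoped one, which is the whole difference the post is pointing at.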