Say I have Users. A user can log in and create, e.g., Houses, and Houses
can contain People, etc.
How do I prevent another logged in user from accessing another user’s
House (e.g. http://test.com/houses/1 → where id=1 doesn’t belong to
this user but to another user).
Would People also need to have a user_id field so I can check if the
request was done by the correct user?
There are various ways to accomplish this, but basically you want to make
sure houses can only be accessed through a user.
class HousesController < ApplicationController
  def index
    # only the current user's own houses are ever loaded
    @houses = current_user.houses
  end

  def show
    # scoped find: an id that belongs to another user raises
    # ActiveRecord::RecordNotFound (a 404) instead of returning their house
    @house = current_user.houses.find(params[:id])
  end
end
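The following is an added example, not the answerer's code: a Rails-free sketch of the "only reach houses through the current user" idea, with the nested People case from the question included. The User/House/Person structs, the in-memory tables and the Scope class stand in for ActiveRecord models and associations; every name and sample row here is an assumption made for the example.

```ruby
# Added example, not the answerer's code: a Rails-free sketch of "only reach
# houses through the current user". User/House/Person, the in-memory tables
# and the Scope class are stand-ins for ActiveRecord models and associations;
# all names and the sample rows are assumptions made for this example.

class RecordNotFound < StandardError; end

# Stand-in for an association proxy such as user.houses: it only ever holds
# rows that already passed the ownership filter, so find(id) cannot escape it.
class Scope
  def initialize(records)
    @records = records
  end

  def to_a
    @records.dup
  end

  # Like ActiveRecord's find: raise instead of returning nil, so a controller
  # turns a foreign id into a 404 rather than a blank page or a leak.
  def find(id)
    @records.find { |r| r.id == id } or
      raise RecordNotFound, "id=#{id} is not in this user's scope"
  end
end

User   = Struct.new(:id, :name)
House  = Struct.new(:id, :user_id, :address)
Person = Struct.new(:id, :house_id, :name)

# Constructed sample data: two users, each with one house holding one person.
USERS  = [User.new(1, "alice"), User.new(2, "bob")].freeze
HOUSES = [House.new(1, 1, "1 Main St"), House.new(2, 2, "2 Oak Ave")].freeze
PEOPLE = [Person.new(1, 1, "Ann"), Person.new(2, 2, "Ben")].freeze

# current_user.houses: houses filtered by the owner's id.
def houses_for(user)
  Scope.new(HOUSES.select { |h| h.user_id == user.id })
end

# house.people: people filtered by house. Because the house was itself found
# through the user, Person needs no user_id column of its own.
def people_for(house)
  Scope.new(PEOPLE.select { |p| p.house_id == house.id })
end

# The mistake the question is about: looking the id up in the whole table.
# Any logged-in user can read any house by guessing the id (an IDOR).
def show_house_insecure(_current_user, id)
  HOUSES.find { |h| h.id == id } or raise RecordNotFound
end

# The fix: resolve the id only inside the current user's houses.
def show_house(current_user, id)
  houses_for(current_user).find(id)
end

# Nested route /houses/:house_id/people/:id, scoped at every hop.
def show_person(current_user, house_id, person_id)
  house = houses_for(current_user).find(house_id)
  people_for(house).find(person_id)
end

# true when the lookup is refused, false when it hands back the record
def refused?
  yield
  false
rescue RecordNotFound
  true
end

if __FILE__ == $PROGRAM_NAME
  alice, bob = USERS
  puts "bob reads alice's house via the insecure lookup: #{!refused? { show_house_insecure(bob, 1) }}"
  puts "bob reads alice's house via the scoped lookup:   #{!refused? { show_house(bob, 1) }}"
  puts "alice reads her own person: #{show_person(alice, 1, 1).name}"
end
```

The point to carry back to Rails is that the id from the URL is never passed to a bare `House.find`; it is only resolved inside `current_user.houses`, and a nested record is resolved inside `house.people` of a house found that way, so the ownership check is the query itself rather than an `if` that someone can forget.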