How to prevent users from looking at other user's data


#1

Say I have Users. A user can login and create e.g. Houses…and Houses
can contain People …etc.

How do I prevent another logged in user from accessing another user’s
House (e.g. http://test.com/houses/1 -> where id=1 doesn’t belong to
this user but to another user).

Would People also need to have a user_id field so I can check if the
request was done by the correct user?


#2

Gerwin wrote:

Say I have Users. A user can login and create e.g. Houses…and Houses
can contain People …etc.

How do I prevent another logged in user from accessing another user’s
House (e.g. http://test.com/houses/1 -> where id=1 doesn’t belong to
this user but to another user).

Would People also need to have a user_id field so I can check if the
request was done by the correct user?

There are various ways to accomplish this but basically you want to make
sure houses can only be accessed through a user.

HousesController

  def index
    # Only this user's houses: the query is scoped through the association
    @houses = current_user.houses
  end

  def show
    # Scoped lookup: raises RecordNotFound if house params[:id] does not
    # belong to current_user, instead of returning another user's house
    @house = current_user.houses.find(params[:id])
  end

That’s the basic idea anyway.
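As an added illustration (not code from the thread), here is a plain-Ruby stand-in for the Rails models that shows the unscoped lookup beside the scoped one, and that People need no user_id of their own when they are reached through the owner's houses; the `Scope#people` chain stands in for a `has_many :people, through: :houses` association on User, which is an assumption here.

```ruby
# Added example, not from the original thread: plain Ruby stand-in for the
# Rails models, showing why lookups must start from the current user.
class NotFound < StandardError; end

# Constructed sample data: houses and people keyed by owner.
House  = Struct.new(:id, :user_id, :name)
Person = Struct.new(:id, :house_id, :name)

HOUSES = [House.new(1, 10, "Alice's house"), House.new(2, 20, "Bob's house")]
PEOPLE = [Person.new(1, 1, "Alice"), Person.new(2, 2, "Bob")]

# Minimal stand-in for an ActiveRecord association collection.
class Scope
  def initialize(records)
    @records = records
  end

  # Like ActiveRecord's find: raises when the id is not in this scope
  def find(id)
    @records.find { |r| r.id == id } || raise(NotFound, "id=#{id}")
  end

  # People belonging to the houses in this scope (assumed has_many :through)
  def people
    Scope.new(PEOPLE.select { |p| @records.any? { |h| h.id == p.house_id } })
  end
end

class User
  attr_reader :id
  def initialize(id)
    @id = id
  end

  def houses
    Scope.new(HOUSES.select { |h| h.user_id == id })
  end
end

# Vulnerable: looks the house up by id alone, so any logged-in user can
# read any house (the problem the question describes).
def show_house_unscoped(_current_user, id)
  Scope.new(HOUSES).find(id)
end

# Fixed: the lookup starts from current_user, so a foreign id is simply
# "not found" instead of leaking another user's house.
def show_house_scoped(current_user, id)
  current_user.houses.find(id)
end

# People need no user_id column: reach them through the owner's houses.
def show_person_scoped(current_user, id)
  current_user.houses.people.find(id)
end
```

Note that the scoped version turns a foreign id into a not-found error rather than a permission check you could forget to write.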


#3

On Feb 11, 12:31 pm, Robert W. removed_email_address@domain.invalid
wrote:

end

That’s the basic idea anyway.


Thanks! I didn’t know that something like
current_user.houses.people.find_by_id(params[:id]) would work :)