How to restrict viewing/modifying other users data?

Hi Everyone. I am working on my first Ruby on Rails app. It is a
basic project management application. I have user login/logout
functionality set up. It will only display a list of projects that
are linked to the logged in user. However, if someone else logs in
and types in a url such as www.projectmanagement.com/projects/17
(where 17 is a project id), they will be able to see that project even
if they are not linked to it. What is the best design approach to
this problem?

Thank you for any advice!!!

Nathan

On Sep 24, 8:57 pm, Nathan wrote:

Hi Everyone. I am working on my first Ruby on Rails app. It is a
basic project management application. I have user login/logout
functionality set up. It will only display a list of projects that
are linked to the logged in user. However, if someone else logs in
and types in a url such as www.projectmanagement.com/projects/17
(where 17 is a project id), they will be able to see that project even
if they are not linked to it. What is the best design approach to
this problem?

Instead of doing Project.find, do current_user.projects.find.
This restricts the find to projects owned by that user.

Fred

I would think a simple before_filter would work for you that would
require a login before those projects could be viewed. Once they
login, they would only be able to see the projects that they are
assigned to.

Your before_filter would be placed up top in the controller for
projects.

Something like this…

before_filter :login_required, :only => [:new, :create, :edit, :update]

Then you could add all of the other actions that required a login as
well such as :show, :add, :edit, :delete, etc., etc. I am certainly no
Rails genius yet, but I think this would work for you.

–Cory
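The two replies above address different checks: Cory's before_filter answers "is anyone logged in?", while Fred's current_user.projects.find answers "is this user allowed to see project 17?". The original bug is the second kind (an insecure direct object reference), so the filter alone does not fix it. The following is an added example, not code from this thread or from Nathan's app, written in plain Ruby so it runs without Rails: ProjectTable stands in for Project.find and for the has_many :through association behind current_user.projects, Membership is an assumed join table linking users to projects, login_required is modelled as an explicit call, and the users and project names are constructed sample data.

```ruby
# Added example, not code from the thread. Plain Ruby stand-ins for the Rails
# objects so it runs without Rails. Membership, login_required and the sample
# users/projects are assumptions for illustration.

class NotFound < StandardError; end     # Rails: ActiveRecord::RecordNotFound, rendered as 404
class NotLoggedIn < StandardError; end  # Rails: login_required redirects to the login page

Project = Struct.new(:id, :name)

# A lookup over a set of projects. Built from every project it behaves like
# Project.find(id); built from one user's projects it behaves like
# current_user.projects.find(id), where ActiveRecord adds the association's
# join condition (WHERE memberships.user_id = ?) to the query.
class ProjectTable
  def initialize(projects)
    @by_id = projects.map { |p| [p.id, p] }.to_h
  end

  def find(id)
    @by_id.fetch(Integer(id)) { raise NotFound, "Couldn't find Project with id=#{id}" }
  end

  def all
    @by_id.values
  end
end

# Assumed join table: one row per (user, project) link.
Membership = Struct.new(:user_id, :project_id)

class User
  attr_reader :id

  def initialize(id, table, memberships)
    @id, @table, @memberships = id, table, memberships
  end

  # Stand-in for has_many :projects, :through => :memberships. Only projects
  # this user is linked to are reachable through it.
  def projects
    mine = @memberships.select { |m| m.user_id == id }.map(&:project_id)
    ProjectTable.new(@table.all.select { |p| mine.include?(p.id) })
  end
end

class ProjectsController
  attr_reader :current_user

  def initialize(table, current_user)
    @table, @current_user = table, current_user  # nil current_user = nobody logged in
  end

  # Cory's before_filter :login_required, as an explicit call at the top of
  # each action. It only establishes that *some* user is logged in.
  def login_required
    raise NotLoggedIn, "login required" unless current_user
  end

  # Vulnerable: passes the login check, then looks the id up across all
  # projects, so any logged-in user can GET /projects/17.
  def show_unscoped(id)
    login_required
    @table.find(id)
  end

  # Fixed (Fred's answer): the lookup is scoped to the current user's own
  # projects, so an id the user is not linked to raises NotFound (404)
  # instead of leaking the record.
  def show_scoped(id)
    login_required
    current_user.projects.find(id)
  end
end

# Constructed sample data: Alice is linked to project 17, Bob to project 42.
def sample_world
  table = ProjectTable.new([Project.new(17, "Alice's roadmap"), Project.new(42, "Bob's backlog")])
  memberships = [Membership.new(1, 17), Membership.new(2, 42)]
  alice = User.new(1, table, memberships)
  bob = User.new(2, table, memberships)
  [table, alice, bob]
end

if __FILE__ == $PROGRAM_NAME
  table, _alice, bob = sample_world
  bob_ctl = ProjectsController.new(table, bob)
  puts "unscoped: Bob sees #{bob_ctl.show_unscoped(17).name.inspect}"
  begin
    bob_ctl.show_scoped(17)
  rescue NotFound => e
    puts "scoped:   #{e.message}"
  end
end
```

In a real controller the same pattern is `current_user.projects.find(params[:id])` in show, edit, update and destroy alike; the association supplies the ownership condition, and ActiveRecord::RecordNotFound becomes a 404, so the app never reveals whether project 17 exists. Keep the before_filter as well, since the scoped lookup needs a current_user to scope to.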

Great! Thank you for the advice. I had thought of doing the
before_filter, but was not sure if that was the best way to go. Also,
I like the “current_user.projects.find” idea.

Thanks again!
Nathan

Actually, nevermind. Frederick posted exactly what I was coming back
to post!

–Cory