Limiting a user's view of data

I currently have two models. One holds users (username, password) and
one “data” (title, message, etc.). I can handle login via filters I
believe, courtesy of the Rails Recipes book.

However, I’d like to limit what a user can see of the data. To do this,
I added another table to the database with user_id and data_id fields.
Now I’m a little stuck, as I can’t figure out how to limit the ‘list’
action based on which users may see it. I don’t really need much more
granularity than this.

Do I need another model, to hold the user<->data mapping? Or is it
enough just to edit the data model somehow so it only returns entries
that the current user has access to?

Also, if anybody can suggest a good way to add the privileges that would
also be useful. I guess it would be simplest if it was a separate view
(instead of tacked on to the user or data views). But should it be
mixed with the data controller? Or the user controller?

Time to have another read of the pragmatic book, to see what I’ve missed.



There are many ways to nail this one, but you could use “with_scope” to
wrap the restriction around your query. You still have to 1/detect the
level of a given user and 2/filter out data records.

api doc:
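
The restriction discussed in this thread, as an added example that is not part of the original posts: a plain-Ruby, in-memory model (no Rails, no with_scope) of the user_id/data_id join table, where both the list and the single-record lookup go through one scoped object. The names ScopedData, AccessDenied, DATA and PERMISSIONS and all sample rows are constructed for illustration.

```ruby
require 'set'

# Hypothetical error type for a lookup outside the user's mapping.
class AccessDenied < StandardError; end

DataRow = Struct.new(:id, :title, :message)

# Constructed sample rows standing in for the "data" table.
DATA = [
  DataRow.new(1, 'Q1 report', 'draft'),
  DataRow.new(2, 'Payroll', 'confidential'),
  DataRow.new(3, 'Lunch menu', 'internal')
].freeze

# Constructed rows standing in for the join table: [user_id, data_id].
PERMISSIONS = Set[[10, 1], [10, 3], [11, 2]].freeze

# Every read goes through this object, so the restriction is wrapped
# around each query instead of being repeated in each controller action.
class ScopedData
  def initialize(user_id, data: DATA, permissions: PERMISSIONS)
    @user_id = user_id
    @data = data
    @permissions = permissions
  end

  # Backs the 'list' action: only rows mapped to this user.
  def list
    @data.select { |row| allowed?(row.id) }
  end

  # Backs 'show'/'edit': an id outside the user's mapping is refused
  # exactly like a nonexistent id, so guessing ids reveals nothing.
  def find(id)
    row = @data.find { |r| r.id == id }
    raise AccessDenied, 'no such record' unless row && allowed?(row.id)
    row
  end

  private

  # True only if the join table maps this user to the given row.
  def allowed?(data_id)
    @permissions.include?([@user_id, data_id])
  end
end
```

The point of scoping `find` as well as `list` is that hiding rows from the list does not stop a logged-in user from requesting another user's record by id.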