Limiting Access of Nested Resources

Rails
1

So I’m using nested routes for a users model that has measurements and
journals… like this:

map.resources :users do |users|
users.resources :journals
users.resources :measurements
end

This of course builds routes as something like:

/user/:user_id/journals/:id
/user/:user_id/measurements/:id

In the case of this application the logged in user is only going to be
accessing his or her own resources (journals and measurements). So my
question is: What is the proper way to accommodate that in routing so
that /user/:user_id isn’t necessary and just going to /journals or /
journals/:id would ensure that I’m going to the the currently logged
in user’s journals or measurements? And in turn, what would be the
best way of making sure that users can’t type /journal/:id and see
another users record once that :user_id was trimmed off (they should
only be able to see their own).

Thoughts? I greatly appreciate it.

Thanks.
Tim K.

2

I’ve never done this but I’ll give my 2 cents anyway:

  1. With nested routes, you are always still looking for the user - you
    fetch it in the Journals controller and that’s where you can evaluate
    it. What you can do is fetch the current_user unless the current_user
    is an admin or whatever
  2. About the routes I’d like to know that… if you always fetch the
    current_user it would be possible since you don’t pass the user_id in
    the URL anymore, but admins and such wouldn’t be able to see another’s
    journal.

Ramon T.

3

Ramon - Fetching the current_user in the Journals controller doesn’t
solve the issue, unless I’m misunderstanding you. The current_user is
set to in instance variable called @user so @user.id would be equal
to :user_id within the route. When I call @journals I’m using the
relationship to grab the journals suchas @journals = @user.journal.
The question is really about the routing not about getting the user_id
in question. I’m trying to take advantage of the restful routes such
as user_journals_path and all that but without the need to have /
users/:user_id in the url.

Does anyone have any experience in doing something like this?

On Sep 29, 1:00 am, “Ramon Miguel M. Tayag” [email protected]

4

On Mon, Sep 29, 2008 at 6:45 AM, Tim K. [email protected] wrote:

/user/:user_id/journals/:id
only be able to see their own).
Two things:

  1. A has_many do not necesseraly mean a nested resource in your
    interface    . You can simply configure

    map.resources :journals
    map.resources :measurements

  2. Access control is implemented via AR finders. In this case you’d do

    def index
    @journals = current_user.journals
    end

    before filter

    def find_journal
    current_user.journals.find(params[:id])
    rescue
    redirect_to journals_url
    end

5

I see Xavior - that’s makes a lot of sense especially with that
before_filter. I’ll refactor a little bit. Thanks.

6

Another thought I had would be just being able to replace the /
users/:user_id with /profile

then there could be /profile/journals/2 or whatever… but profile
would be somehow mapped to the users controller passing the @user as
it’s default id… am I heading in any form of a sane direction?