Locking out users from certain records/urls

I am using the standard login controller that ships with RoR to
authenticate users in my application. In my app, Users belong to
Clients, Clients have Projects that users are assigned to (stored in a
stakeholder table with user_id and project_id columns), then each
project has a bunch of folders and assets (file uploads).

So currently I have URLs that look like /project/show/12 etc. I want to
stop users from typing in something like /project/show/24 and viewing
projects and folders that they are not assigned to... what's the best way
to go about this, given that a user might be assigned to projects with
:id 12, 14, 27 etc., but perhaps not 24?

(please bear in mind I'm still a relative beginner with RoR, so verbose
answers are welcome ;) )


Something like

  if !StakeHolder.find_by_user_id_and_project_id(session[:user_id], params[:id])
    # Not yours: redirect or something.
  end

in the project controller list method might work, but I am as new as

- Ian

On 2/1/06, robbie shepherd wrote:


"Her faults were those of her race and sex; her virtues were her own.
Farewell, and if for ever - "

– “Travels with a Donkey in the Cevennes” by Robert Louis Stevenson
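Ian's check, written out as an added example (this is not code from the thread, and it is not Rails: a plain Ruby stand-in replaces the ActiveRecord models and the session so it runs on its own). The projects, stakeholder rows and user ids are constructed sample data chosen to match the question (user 1 on 12, 14 and 27 but not 24); `NotFound`, `ProjectController`, `show_unchecked` and `find_project_for` are names assumed for the illustration. It goes slightly beyond Ian's snippet: the id from the URL is validated, the lookup itself is scoped to the user's own stakeholder rows rather than checked afterwards, and the list action is scoped the same way.

```ruby
# Added example, not code from the thread. Plain Ruby stand-in for the three
# tables in the question; a Rails app would use ActiveRecord models and
# session[:user_id] instead of the values passed in here.
Project     = Struct.new(:id, :client_id, :name)
StakeHolder = Struct.new(:user_id, :project_id)

# Constructed sample data: user 1 is on projects 12, 14 and 27 but not 24,
# which belongs to another client's user (user 2).
PROJECTS = [
  Project.new(12, 1, "Alpha"),
  Project.new(14, 1, "Beta"),
  Project.new(24, 2, "Other client's project"),
  Project.new(27, 1, "Gamma"),
]
STAKEHOLDERS = [
  StakeHolder.new(1, 12), StakeHolder.new(1, 14), StakeHolder.new(1, 27),
  StakeHolder.new(2, 24),
]

class NotFound < StandardError; end

# Stand-in for the controller: `user_id` plays the role of session[:user_id],
# and each action takes the params hash Rails would build from the URL.
class ProjectController
  def initialize(user_id)
    @user_id = user_id
  end

  # The situation in the question: the id from the URL is looked up directly,
  # so /project/show/24 hands project 24 to any logged-in user.
  def show_unchecked(params)
    PROJECTS.find { |p| p.id == params[:id].to_i }
  end

  # Ian's check, done before the record is loaded: the only ids that are ever
  # looked up come from the user's own stakeholder rows, so a guessed id ends
  # in NotFound (a 404 in Rails) rather than another client's project.
  def show(params)
    id = params[:id].to_s
    raise NotFound, "bad id #{id.inspect}" unless id =~ /\A\d+\z/
    find_project_for(@user_id, id.to_i) or raise NotFound, "project #{id} not found"
  end

  # The list action applies the same scoping, so the index never advertises
  # ids the user is not allowed to open.
  def list
    ids = accessible_project_ids(@user_id)
    PROJECTS.select { |p| ids.include?(p.id) }
  end

  private

  # Roughly what StakeHolder.find_all_by_user_id(user_id) would give in Rails.
  def accessible_project_ids(user_id)
    STAKEHOLDERS.select { |s| s.user_id == user_id }.map(&:project_id)
  end

  # StakeHolder.find_by_user_id_and_project_id(user_id, id) followed by the
  # project lookup; nil when there is no stakeholder row for this pair.
  def find_project_for(user_id, project_id)
    return nil unless accessible_project_ids(user_id).include?(project_id)
    PROJECTS.find { |p| p.id == project_id }
  end
end

# Usage with the constructed data: user 1 opens 12 and is turned away from 24.
if __FILE__ == $0
  ctrl = ProjectController.new(1)
  puts ctrl.show(id: "12").name
  begin
    ctrl.show(id: "24")
  rescue NotFound => e
    puts "denied: #{e.message}"
  end
end
```

Answering a forbidden id with the same "not found" as a nonexistent one is deliberate: a user probing /project/show/24 then learns nothing about whether project 24 exists. In a real controller the `NotFound` would be rescued once, in a filter, and turned into a 404 or a redirect.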

Thanks Ian, I'll give that a whirl...

You could create Users with different roles and check whether a user can
look at a particular record.

For example you can

a User class and an Admin class (which inherits from User). Both have permission

When logging in, instantiate the appropriate user role (User or Admin, using the
inheritance column).

In your permission class for User:

  def check_user_have_access?(project)
    return project.user.id == user.id
  end

In your Admin permission class:

  def check_user_have_access?(project)
    return true
  end

This way Admin will be able to see all projects and Users can see
only the ones they own.

–Siva J.
My First Rails Project.
Education Through Collaboration

This is the 'authorized user/unauthorized access' problem. In many
you have users that are authorized to use the system, but not authorized to
see other users' data. It can be a real challenge.

In my opinion you are asking for trouble if you rely on the UI/controller
to check this for you. I think this is the equivalent of putting access
checking into an editor to make sure that non-privileged users can't
Sooner or later you or someone that follows you will miss something and
someone will peek at someone else's stuff. If the stuff is sensitive you
have a real problem. If it is a commercial site you may lose all your

Instead you want to push this down below the UI. Sure, you put checks in the
UI - but if you miss one, you want something below to throw an

Move that logic into your models. Make your models user-aware, then
methods that you want to protect and add the user access checking there.

This is a little more work initially, but you will sleep better in the
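The "push it below the UI" advice above, combined with Siva's User/Admin roles, as an added example (again not code from the thread and not Rails; plain Ruby stand-ins replace ActiveRecord). The access rule lives on the model, the only way to obtain a `Project` is through a finder that takes the requesting user, and folder access asks again, so a controller action that forgets the check still fails closed. The role string `"admin"`, the `AccessDenied`/`NotFound` errors, `find_for`, `folders_for` and `show_action` are names assumed for the illustration, and the project and stakeholder rows are constructed sample data; Siva's Admin subclass is expressed here as a role column, which an STI subclass overriding `accessible_by?` would replace one-for-one.

```ruby
# Added example, not code from the thread. Access control on the model rather
# than in the controller; plain Ruby stand-ins instead of ActiveRecord.
class AccessDenied < StandardError; end
class NotFound     < StandardError; end

User = Struct.new(:id, :role) do
  # Siva's User/Admin split as a role column ("admin" is an assumed name).
  def admin?
    role == "admin"
  end
end

StakeHolder = Struct.new(:user_id, :project_id)

# Constructed sample data: user 1 is on projects 12 and 14, user 2 on 24.
STAKEHOLDERS = [
  StakeHolder.new(1, 12), StakeHolder.new(1, 14), StakeHolder.new(2, 24),
]

class Project
  attr_reader :id, :name
  @all = {}

  def initialize(id, name, folders)
    @id, @name, @folders = id, name, folders
    self.class.register(self)
  end

  def self.register(project)
    @all[project.id] = project
  end

  # The single rule for "may this user see this project", stated once, on the
  # model: admins see everything, everyone else needs a stakeholder row.
  def accessible_by?(user)
    user.admin? ||
      STAKEHOLDERS.any? { |s| s.user_id == user.id && s.project_id == id }
  end

  # User-aware finder. There is deliberately no Project.find(id): the caller
  # has to say who is asking, and a missing row and a forbidden row both come
  # back as NotFound, so a user probing ids learns nothing about which exist.
  def self.find_for(user, id)
    project = @all[id]
    raise NotFound, "project #{id}" unless project && project.accessible_by?(user)
    project
  end

  # Folders are reached the same way, so a Project object obtained legitimately
  # for one user cannot be used to list folders on behalf of another.
  def folders_for(user)
    raise AccessDenied, "user #{user.id} on project #{id}" unless accessible_by?(user)
    @folders.dup
  end
end

Project.new(12, "Alpha", ["specs", "uploads"])
Project.new(14, "Beta",  ["drafts"])
Project.new(24, "Other client's project", ["contracts"])

# A controller action with no access check of its own. It still cannot leak,
# because the model refuses to hand over a project the user may not see.
def show_action(current_user, params)
  id = params[:id].to_s
  raise NotFound, "bad id #{id.inspect}" unless id =~ /\A\d+\z/
  Project.find_for(current_user, id.to_i)
end

if __FILE__ == $0
  alice = User.new(1, "member")
  root  = User.new(3, "admin")
  puts show_action(alice, id: "12").folders_for(alice).inspect
  puts show_action(root,  id: "24").name
  begin
    show_action(alice, id: "24")
  rescue NotFound => e
    puts "denied: #{e.message}"
  end
end
```

The controller-level check from earlier in the thread is still worth keeping (it gives a friendlier redirect), but with this arrangement it is a convenience, not the security boundary: the boundary is the model, and the `rescue` for `NotFound`/`AccessDenied` can live in one application-wide filter.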

