Why would you store the current user's ID in the URL anyway? That's a major security risk. It can be better handled by storing the user ID in a session[:user] or session[:user_id] variable. Check out how acts_as_authenticated and restful_authentication do it.
I would suggest installing the restful_authentication plugin. Once that is done, one way of doing it is to add the following filter in the bookings controller:

    before_filter :login_required

And add a subsequent authorized? method to check if the URL user_id matches the current user. The code below checks that the user is logged in and is in the correct role:
    # Called by login_required after the login check; return false to deny the request.
    def authorized?
      logged_in? && (current_user.roles.in_role('company') ||
                     current_user.roles.in_role('admin'))
    end
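The following is an added, Rails-free sketch of the pattern described in the reply; it is not code from the original post or from the restful_authentication plugin. It stands in for logged_in? and current_user with a hypothetical session lookup, and goes one step further than the snippet above by also comparing the user_id in the URL against the session user (admins may view any user's bookings, company users only their own). User, USERS and BookingsController are constructed stand-ins, and the role check uses a simple roles array instead of the plugin's in_role helper.

```ruby
# Added example: a minimal stand-in for a Rails controller protected by
# login_required + authorized?. Nothing here is from restful_authentication;
# User, USERS and BookingsController are hypothetical.

User = Struct.new(:id, :roles) do
  def in_role?(role)
    roles.include?(role)
  end
end

# Constructed sample users (hypothetical data, not from the original post).
USERS = {
  1 => User.new(1, ['admin']),
  2 => User.new(2, ['company']),
  3 => User.new(3, ['company']),
  4 => User.new(4, ['customer']),
}.freeze

class BookingsController
  attr_reader :session, :params

  # session: the server-side store, e.g. { user_id: 2 } (trusted)
  # params:  request parameters from the URL, e.g. { 'user_id' => '2' } (untrusted)
  def initialize(session, params)
    @session = session
    @params  = params
    @status  = nil
  end

  # Stand-in for restful_authentication's current_user: resolve the user from
  # the id kept in the session, never from an id supplied in the URL.
  def current_user
    @current_user ||= USERS[session[:user_id]]
  end

  def logged_in?
    !current_user.nil?
  end

  # Equivalent of `before_filter :login_required`: anonymous callers are
  # sent to the login page before any action runs.
  def login_required
    return true if logged_in?
    @status = :redirect_to_login
    false
  end

  # Logged in, in an allowed role, and (unless admin) the user_id in the URL
  # must be the caller's own id. This is the check that stops one company
  # user from reading another company's bookings by editing the URL.
  def authorized?
    return false unless logged_in?
    return false unless current_user.in_role?('company') || current_user.in_role?('admin')
    return true if current_user.in_role?('admin')
    params['user_id'].to_i == current_user.id
  end

  # Returns a symbol standing in for the HTTP outcome of GET /bookings?user_id=N
  def index
    return @status unless login_required
    return (@status = :forbidden) unless authorized?
    @status = :ok
  end
end

if $PROGRAM_NAME == __FILE__
  # Company user 2 trying to read company user 3's bookings via the URL:
  puts BookingsController.new({ user_id: 2 }, { 'user_id' => '3' }).index
end
```

The point to take from the example is that the session, not the URL, decides who the caller is; the URL parameter is only ever compared against that trusted identity, never used to look the user up.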