I have a RESTful User class, but the User actions (minus new and create)
require an application user to be logged in. This leads me to a bit of a
The edit action for a specific User is obviously access with an url like
But I do not want the User with ID 1 to be able to edit User with ID 2’s
I am curious as to how people are handling situations like this.
I am currently using a before_filter on these actions which checks if
the User ID stored in the session is the same as the params ID. If not,
it silently redirects to the same action, but with their ID. For
example, a request of http://www.domain.com/users/2 from the application
user logged in with an ID of 1 is redirected to
So yeah, just curious what other people think about this issue.