I have a RESTful User class, but the User actions (minus new and create) require an application user to be logged in. This leads me to a bit of a REST conundrum.

The edit action for a specific User is obviously accessed with a URL like http://www.domain.com/users/1;edit

But I do not want the User with ID 1 to be able to edit User with ID 2 via http://www.domain.com/users/2;edit

I am curious as to how people are handling situations like this.

I am currently using a before_filter on these actions which checks if the User ID stored in the session is the same as the params ID. If not, it silently redirects to the same action, but with their ID. For example, a request of http://www.domain.com/users/2 from the application user logged in with an ID of 1 is redirected to http://www.domain.com/users/1

So yeah, just curious what other people think about this issue.
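The filter described in the post, modelled in plain Ruby so it runs without Rails (this is an added example, not code from the original post or from Rails itself; the USERS hash, the Decision struct, authorize_user_action and load_own_user are names assumed for the illustration, and the session/params hashes are constructed stand-ins for the controller's). It reproduces the session-id-versus-params-id comparison and the silent redirect, and also handles two edge cases the post does not spell out: a request with no logged-in user, and the fact that params[:id] arrives as a String while the session holds an Integer. The second function shows the alternative that makes the comparison unnecessary: for a "my own account" resource, resolve the record from the session and never look it up by params[:id].

```ruby
# Added example, not from the original post: a Rails-free model of a
# before_filter that refuses to act on another user's record.
# USERS, Decision, authorize_user_action and load_own_user are assumed names.

# Constructed in-memory stand-in for the User table.
USERS = {
  1 => { id: 1, login: "alice" },
  2 => { id: 2, login: "bob" },
}.freeze

# Outcome of the filter: let the action run, or redirect elsewhere.
Decision = Struct.new(:allow, :redirect_to, :reason)

# Mirrors the post: if session[:user_id] differs from params[:id], redirect
# to the same action for the session user's own id.
# Edge cases handled explicitly:
#   * nobody logged in (or a session pointing at a deleted user) goes to the
#     login page rather than to /users/ with a blank id;
#   * params[:id] is a String ("2") and session[:user_id] an Integer, so the
#     ids are normalised with Integer() before comparing; garbage ids become
#     nil and therefore never match.
def authorize_user_action(session, params, action: "show")
  current_id = session[:user_id]
  return Decision.new(false, "/login", "not logged in") if current_id.nil?
  return Decision.new(false, "/login", "stale session") unless USERS.key?(current_id)

  requested_id = Integer(params[:id], exception: false)
  if requested_id == current_id
    Decision.new(true, nil, nil)
  else
    # Silent redirect to the caller's own record, as the post describes.
    target = action == "show" ? "/users/#{current_id}" : "/users/#{current_id};#{action}"
    Decision.new(false, target, "id mismatch: session=#{current_id} params=#{params[:id].inspect}")
  end
end

# Alternative that removes the check: a user editing their own account never
# needs params[:id] at all, so the record is resolved from the session and a
# forged id in the URL has nothing to act on. Returns nil for a stale session.
def load_own_user(session)
  USERS[session[:user_id]]
end

if __FILE__ == $PROGRAM_NAME
  # Logged in as user 1, asking for /users/2;edit -> bounced to /users/1;edit
  puts authorize_user_action({ user_id: 1 }, { id: "2" }, action: "edit").to_a.inspect
  # Logged in as user 1, asking for /users/1 -> allowed
  puts authorize_user_action({ user_id: 1 }, { id: "1" }).to_a.inspect
  # Not logged in -> /login
  puts authorize_user_action({}, { id: "1" }).to_a.inspect
end
```

In a real controller the filter would call redirect_to with the Decision's target; the point of returning a struct here is that each branch can be asserted on directly. Of the two approaches, load_own_user is the more robust for a single-user resource because there is no comparison to get wrong; the redirecting filter is still needed where the id is genuinely part of the route.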