URL faking with nested resources

I’ve created a three tiered nested resource tree as defined below. My
problem is that it’s easy for a user to fake the URL and pull image
records from another users account since there is no check to see if
the image actually belongs to the user. Does anyone have a
recommendation on how I can secure this in a DRY manner? Is there
some sort of plugin or base functionality that I can’t seem to find by
googling?

map.resources :people do |person|
person.resources :events do |event|
event.resources :images
end
end

For example, if a user types in the following url they will get the
image whether or not the image is part of an event which belongs to
the specified user:

http://localhost/people/123/events/456/images/789

Thanks,

Mike

On Mar 14, 2008, at 11:28 PM, Mike Y wrote:

  event.resources :images

Mike

It seems that if you authenticate your user (probably your person),
then you can safely assume ownership of events and images. So using
your example, the ImagesController will be in charge of serving this
page. This might translate to:

{:controller => ‘images’, :id => 789, :event_id=> 456, :person_id =>
123}

Thus, you might write code in your controller such as:

if Session.user_authenticated(params[:person_id])
image =
Person
.find
(params
[:person_id]).events.find(params[:event_id]).images.find(params[:id])
else
flash[:error] = ‘go steal images someplace else’
end

The “user_authenticated” method might be something you would add to
RESTful Authentication to compare the params[:person_id] to the id of
the current user.

you might want to read the following about nesting resources more than
2 levels deep: Buckblog: Nesting resources

having said that, the normal way to do this is by scoping to the
specified resource:

class EventsController < ApplicationController

before_filter :get_person

def get_person
@person = People.find_by_id(params[:person_id])
end

def index
@events = @person.events
end

def edit
@event = @person.events.find_by_id(params[:id])

end

Mike