User a owns resource x; don't let user b see user a's resources

I have a system of users who have many resources. For example, a user
may have many books, many friends, many items, etc. I have an
authentication system in which users can log in, working just fine
(authlogic). However, I have some default scaffold-type pages for
index. You can view a list of Users, a list of Books and a list of
Friends. However, when you go to the friends page the user can see the
friends of all the other users too. Manually I could just modify all
my index methods in all the respective books/friends/items
controllers to say current_user.friends.all, … etc. instead of
Friends.all. But then the user can still view friends that aren’t
theirs by just guessing the ID: friends/32. I need a higher-level system
to enforce these rules. Not sure how to describe the design problem
more simply; is there a tool or method in place to handle such an issue?
I would think of something like acts_as_resource (doesn’t exist) in the Friends
model so that any call to Friends will make sure that the friend
belongs to the user by association. This should be on the controller
level though and not on the model, I don't think.

Any ideas?

Don’t take the user id from the url.

For example, don’t do this:

url:
/show_friends/5
code:
User.find(5).friends

But do this:

url:
/show_friends
code:
current_user.friends

where current_user is the currently auth user. You know who is logged
in, don’t need to pass his id around.

On Wed, Jan 13, 2010 at 8:02 AM, Eduard M.
[email protected] wrote:

> url:
> /show_friends
> code:
> current_user.friends
>
> where current_user is the currently auth user. You know who is logged
> in, don’t need to pass his id around.

And for the use case which the OP raised, which is the show action, it
should be:

def show
friend = current_user.friends.find(params[:id])
end

which scopes the find to the user’s friends. Similar comment for
other actions like edit and update.


Rick DeNatale

Blog: http://talklikeaduck.denhaven2.com/
Twitter: http://twitter.com/RickDeNatale
WWR: http://www.workingwithrails.com/person/9021-rick-denatale
LinkedIn: Rick DeNatale - Developer - IBM | LinkedIn
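Both replies above describe the same rule: never look the user up by an ID taken from the URL, and run every friend lookup through current_user's association so that an ID belonging to someone else is simply not found. The following is an added example, not code from this thread or from Rails itself: a plain-Ruby stand-in for the ActiveRecord pattern, so it runs without a Rails app. User, Friend, FRIENDS, ScopedFriends and the vulnerable_*/scoped_* helpers are all constructed for the illustration; in a real app `User has_many :friends` and current_user.friends is an association whose find/all are already scoped by user_id.

```ruby
# Added example, not code from the thread: a plain-Ruby stand-in for the
# ActiveRecord pattern under discussion. User, Friend, FRIENDS, ScopedFriends
# and the *_show/*_index helpers are all constructed for this illustration;
# in a real Rails app `User has_many :friends` and current_user.friends is an
# association whose find/all are already scoped by user_id.

class RecordNotFound < StandardError; end

Friend = Struct.new(:id, :user_id, :name) do
  # Unscoped class-level lookups, like Friend.find / Friend.all in Rails.
  def self.all
    FRIENDS
  end

  def self.find(id)
    FRIENDS.find { |f| f.id == Integer(id) } or raise RecordNotFound, "Friend #{id}"
  end
end

# Constructed sample rows: friend 31 belongs to user 1, friend 32 to user 2.
FRIENDS = [
  Friend.new(31, 1, "Alice's pal"),
  Friend.new(32, 2, "Bob's pal"),
].freeze

# Stand-in for a has_many association: every lookup is implicitly
# restricted to rows whose user_id matches the owning user.
class ScopedFriends
  def initialize(user_id)
    @user_id = user_id
  end

  def all
    FRIENDS.select { |f| f.user_id == @user_id }
  end

  # Raises when the row exists but belongs to someone else, which is what
  # current_user.friends.find(params[:id]) does in Rails.
  def find(id)
    all.find { |f| f.id == Integer(id) } or raise RecordNotFound, "Friend #{id}"
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def self.find(id)
    User.new(Integer(id))
  end

  def friends
    ScopedFriends.new(@id)
  end
end

# The scaffold actions the OP describes: the id in the URL is trusted and
# the lookups are unscoped, so user 1 can read friends/32 and list everyone.
def vulnerable_index(_current_user)
  Friend.all
end

def vulnerable_show(_current_user, params)
  Friend.find(params[:id])
end

# The fix from the replies: start from current_user and scope the lookup
# through the association instead of trusting an id from the URL.
def scoped_index(current_user)
  current_user.friends.all
end

def scoped_show(current_user, params)
  current_user.friends.find(params[:id])
end

# What the controller layer turns the scoped lookup into: a 200 with the
# caller's own row, or a 404 for any id outside the association.
def respond(current_user, params)
  friend = scoped_show(current_user, params)
  [200, friend.name]
rescue RecordNotFound
  [404, "Not Found"]
end
```

With user 1 logged in, vulnerable_show returns friend 32 (user 2's row) while scoped_show raises RecordNotFound for the same ID, and the same scoping serves edit, update and destroy. In a Rails controller the usual way to apply it once (my suggestion, not from the thread) is a before_filter for those actions that sets @friend = current_user.friends.find(params[:id]), so no action can forget the scope.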

Oh, that’s a good solution: friend = current_user.friends.find(params[:id]).
I never thought of that. Search within the user's friends for
the requested ID… thanks.