User a owns resource x; don't let user b see user a's resources

I have a system of users who have many resources. For example a user
many have many books, many friends, many items, etc. I have an
authentication system in which users can login working just fine
(authlogic). However, I have some default scaffold type pages for
index. You can view a list of Users and a list of Book and a List of
Friends. However when you go to the friends page the user can see the
friends of all the other users too. Manually I could just modify all
my index methods in the all the respective books friends items
controllers to say current_user.friends.all, … etc instead of
Friends.all. But then still the user can view friends that aren’t
theirs by just guessing the Id friends/32 I need a higher level system
to enforce these rules. Not sure how to describe the design problem
more simply is there a tool, method in place to handle such an issue.
i would think like acts_as_resource (doesn’t exist) in the Friends
model so that any can to Friends will make sure that the friend
belongs to the user by association. This should be on the controller
level though and not on the model I dont think.

Any ideas?

Don’t take the user id from the url.

For example, don’t do this:

url:
/show_friends/5
code:
Users.find(5).friends

But do this:

url:
/show_friends
code:
current_user.friends

where current_user is the currently auth user. You know who is logged
in, don’t need to pass his id around.

On Wed, Jan 13, 2010 at 8:02 AM, Eduard M.
[email protected] wrote:

url:
/show_friends
code:
current_user.friends

where current_user is the currently auth user. You know who is logged
in, don’t need to pass his id around.

And for the use case which the OP raised, which is the show action, it
should be:

def show
friend = current_user.friends.find(params[:id])
end

which scopes the find to the user’s friends. Similar comment for
other actions like edit and update


Rick DeNatale

Blog: http://talklikeaduck.denhaven2.com/
Twitter: http://twitter.com/RickDeNatale
WWR: http://www.workingwithrails.com/person/9021-rick-denatale
LinkedIn: http://www.linkedin.com/in/rickdenatale

oh that’s a good solution friend = current_user.friends.find(params
[:id]) i never though of that. search within the users friends for
the requested it… thanks

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs