Validation using session data

I have a model containing user records and I want each user to only be
able to edit his own data. I am storing the user_id in a session table.
I was hoping to be able to use validate_on_update that would compare
the POSTed id with that stored in the session table, so I wrote (in the
model/user.rb file):

def validate_on_update
if session[:user_id] != id
errors.add(“You are not allowed to edit this record.”)
end
end
end

When I do an update I get “undefined local variable or method `session’
for #”

What concept am I not getting here?

Thanks

CWu wrote:

I have a model containing user records and I want each user to only be
able to edit his own data. I am storing the user_id in a session table.
I was hoping to be able to use validate_on_update that would compare
the POSTed id with that stored in the session table, so I wrote (in the
model/user.rb file):

def validate_on_update
if session[:user_id] != id
errors.add(“You are not allowed to edit this record.”)
end
end
end

When I do an update I get “undefined local variable or method `session’
for #”

What concept am I not getting here?

Thanks

session is part of the ActionController you need to pass the data to the
model.
the simplest way around this would be to simply never allow a foreign
user access to the form that edits by redirecting (not hiding the link).

So how do I pass the data to the model?

On 11/17/06, CWu [email protected] wrote:

So how do I pass the data to the model?

That is a bad idea. For your case it is better to perform that checking
inside controller action.

Model should be independent of all that “session” thing. Model exists
outside of those sessions. What would you pass to the model, if model
update
is run from Rails’ console ?

This is similar to authorization checking. You would never pass user to,
say, Post model to see if user is allowed to see it, right ?