Hi, I just have a "best practices" question. I'd like to block users that don't own a particular resource from performing edit/update/ destroy actions on it. Here's how I currently do it: ## User has many resources, of different types ------- resource_controller.rb ------- before_filter :require_ownership, :only => [:edit, :update, :destroy] ... public actions ... protected def require_ownership @resource = Resource.find(params[:id]) redirect_to_somewhere unless owns?(@resource) end ------- application.rb ------- def owns?(resource) resource.user_id == @current_user.id end ... And I apply this before_filter in the controller of any resource I'd like to restrict in a similar way. I'm new to Rails and MVC so I'm just wondering whether this is the best way of accomplishing this, or if a different method is recommended. Thanks in advance!
on 2008-12-19 21:26
on 2008-12-19 21:26
Ms. Klein, I handle that situation very similarly with the only disparity being where ownership is determined. In my opinion the object itself should know nothing about @current_user, whereas the application can know about Resource.user. I also tend to alias methods in my resources, like so def self.owner self.user end Then I insure that every object has some owner alias if it is to be restricted, and in my :require_ownership before_filter, I do the following: def require_ownership if @resource.owner == @current.user ... end The end effect is the same, but this allows the resource to be used intact in another application without modification, regardless of @current_user in the other application. Just of matter of who knows what about whom. Otherwise, unless someone can suggest a better method for us both, I personally think you're on the right track. Cheers, Darrik Mazey Lisa Klein wrote: > ... public actions ... > def owns?(resource) > -- Darrik Mazey Developer DMT Programming, LLC. P.O. Box 91 Torrington, CT 06790 office: 330.983.9941 fax: 330.983.9942 mobile: 330.808.2025 email@example.com To obtain my public key, send an email to firstname.lastname@example.org.
on 2008-12-19 21:32
The simpler way is just search the user resources when performing an edit/update/delete. like this: def edit @resource = @user.resources.find(params[:id]) end This way you can be sure that the user will not be able to select a resource that doesn't belong to him. - Maurício Linhares http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/ (en)
on 2008-12-19 21:38
Thanks a lot for the replies! I guess I kind of prefer the before_filter method a little bit because then I don't have to replicate the redirect_if_not_found logic in each restricted action. Thanks again!