Forum: Ruby on Rails How to prevent users from looking at other users' data

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Gerwin (Guest)
on 2009-02-11 21:09
(Received via mailing list)
Say I have Users. A user can log in and create e.g. Houses, and Houses
can contain People, etc.

How do I prevent another logged-in user from accessing another user's
House (e.g. http://test.com/houses/1 -> where id=1 doesn't belong to
this user but to another user)?

Would People also need to have a user_id field so I can check if the
request was done by the correct user?
Robert Walker (robert4723)
on 2009-02-11 21:31
Gerwin wrote:
> Say I have Users. A user can log in and create e.g. Houses, and Houses
> can contain People, etc.
>
> How do I prevent another logged-in user from accessing another user's
> House (e.g. http://test.com/houses/1 -> where id=1 doesn't belong to
> this user but to another user)?
>
> Would People also need to have a user_id field so I can check if the
> request was done by the correct user?

There are various ways to accomplish this but basically you want to make
sure houses can only be accessed through a user.

HousesController
---------------
def show
  user = User.find(current_user.id)      # current_user is the logged-in User
  @house = user.houses.find(params[:id])  # only this user's houses are searched;
  ...                                     # raises RecordNotFound (a 404) otherwise
  ...
end

That's the basic idea anyway.
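An added example, not code from Robert's or Gerwin's posts and not Rails itself: a plain-Ruby model of the "reach houses only through the current user" pattern above, so it runs without Rails or a database. It puts the unscoped lookup next to the owner-scoped one and goes a step beyond the post by covering the nested People case from the original question. User, House, Person, NotFound, the in-memory tables and the controller-like methods are assumed names for illustration; in a real app user.houses.find is an ActiveRecord call.

```ruby
# Added example, not code from the original thread: a plain-Ruby model of the
# "only reach houses through the current user" pattern from Robert's post, so
# it runs without Rails or a database. User/House/Person, the NotFound error,
# the in-memory tables and the controller-like methods below are assumptions
# for illustration; in a real app user.houses.find is an ActiveRecord call.

class NotFound < StandardError; end

# Stand-in for an ActiveRecord association/relation: a set of records that
# can be searched by id. Everything outside the set is invisible to find.
class Scope
  def initialize(records)
    @records = records
  end

  # Like ActiveRecord's find: raises when the id is not in this scope,
  # which Rails turns into a 404 rather than leaking another user's row.
  def find(id)
    @records.find { |r| r.id == id.to_i } or raise NotFound, "id=#{id} not in scope"
  end

  # Like find_by_id: nil instead of an exception.
  def find_by_id(id)
    @records.find { |r| r.id == id.to_i }
  end
end

User   = Struct.new(:id, :login)
House  = Struct.new(:id, :user_id, :name)
Person = Struct.new(:id, :house_id, :name)

# Constructed sample data: two users, each owning one house with one person.
USERS  = [User.new(1, "gerwin"), User.new(2, "mallory")]
HOUSES = [House.new(1, 1, "Gerwin's house"), House.new(2, 2, "Mallory's house")]
PEOPLE = [Person.new(1, 1, "Alice"), Person.new(2, 2, "Bob")]

# Unscoped finder (House.find in Rails): searches every row in the table.
def House.find(id)
  Scope.new(HOUSES).find(id)
end

# has_many :houses on User and has_many :people on House: each association is
# already filtered by the owner's id before any lookup happens.
class User
  def houses
    Scope.new(HOUSES.select { |h| h.user_id == id })
  end
end

class House
  def people
    Scope.new(PEOPLE.select { |p| p.house_id == id })
  end
end

# Controller-like actions side by side. params is a Hash with string values,
# as it would be in Rails.

# Vulnerable: trusts params[:id] alone, so any logged-in user can read any
# house by guessing ids (an insecure direct object reference).
def show_house_unscoped(_current_user, params)
  House.find(params[:id])
end

# Fixed: the lookup starts from current_user, so a house owned by someone
# else is not in the set being searched and find raises NotFound.
def show_house(current_user, params)
  current_user.houses.find(params[:id])
end

# Nested resource (/houses/:house_id/people/:id). Person needs no user_id
# column: ownership is proven by reaching it through a house the user owns.
def show_person(current_user, params)
  current_user.houses.find(params[:house_id]).people.find(params[:id])
end

# Name of the record an action returned, or :denied if the scoped lookup
# rejected it.
def attempt
  yield.name
rescue NotFound
  :denied
end

if __FILE__ == $0
  gerwin, mallory = USERS
  puts attempt { show_house_unscoped(mallory, { id: "1" }) }        # Gerwin's house (leak)
  puts attempt { show_house(mallory, { id: "1" }) }                 # denied
  puts attempt { show_house(gerwin, { id: "1" }) }                  # Gerwin's house
  puts attempt { show_person(mallory, { house_id: "1", id: "1" }) } # denied
end
```

The point of the unscoped version is that the check is not "is this id valid" but "is this id in the set this user is allowed to see"; starting the chain at current_user makes that the only set that exists, so there is no separate ownership comparison to forget.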
Gerwin (Guest)
on 2009-02-12 02:31
(Received via mailing list)
On Feb 11, 12:31 pm, Robert Walker <rails-mailing-l...@andreas-s.net>
wrote:
>
> end
>
> That's the basic idea anyway.
> --
> Posted via http://www.ruby-forum.com/.

Thanks! I didn't know that something like
current_user.houses.people.find_by_id(params[:id]) would work :)