Restricting visibility of data based on user id

I’m building a Rails app to manage an investment portfolio, with models
including:
User (has_many :portfolios)
Portfolio (belongs_to :user, has_many :accounts)
Account (belongs_to :portfolio)

The relevant SQL is:
CREATE TABLE users
(
id INTEGER AUTO_INCREMENT PRIMARY KEY,

);
CREATE TABLE portfolios
(
id INTEGER AUTO_INCREMENT PRIMARY KEY,
user_id INTEGER NOT NULL,

);
CREATE TABLE accounts
(
id INTEGER AUTO_INCREMENT PRIMARY KEY,
portfolio_id INTEGER NOT NULL,
);

The app requires user authentication, and I wish to limit visibility of
data to that associated with the logged-in user (i.e., the portfolio
list should only include the current user’s portfolios, not all
portfolios in the database).

My current approach is to add :conditions and :joins to the find()
methods in the controllers. For example, the portfolio controller’s
edit() method includes:
@portfolio = Portfolio.find(params[:id], :conditions => ["user_id = ?", session[:user_id]])
(straightforward since there’s a direct link between the portfolio
record and the user record)

and the account controller’s edit method includes:
@account = Account.find(params[:id], :joins => ["inner join
portfolios as p on accounts.portfolio_id = p.id and p.user_id = " +
session[:user_id].to_s])
(have to join through the portfolio record to get to the user)

This seems error prone (have to remember to do this throughout the
controllers), particularly as you get farther down into the model
(e.g., accounts include transactions, which will require two joins to
reach the user_id).

Is there a more systematic/declarative way to go about this? I’ve
looked through the main list of Rails plugins, but all the ACL ones
seem to be limited to roles, and not data ownership.

TIA,
Tim
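
Added example, not part of the original post: a plain-Ruby sketch of a declarative ownership check, where each table names its parent once and a single lookup helper walks the chain up to the user. The in-memory rows are constructed, and `ROWS`, `OWNED_VIA`, `find_owned` and `list_owned` are hypothetical names, not Rails or plugin APIs.

```ruby
# Constructed in-memory rows mirroring the post's three tables (not real data).
ROWS = {
  users:      [{ id: 1 }, { id: 2 }],
  portfolios: [{ id: 10, user_id: 1 }, { id: 11, user_id: 2 }],
  accounts:   [{ id: 100, portfolio_id: 10 }, { id: 101, portfolio_id: 11 }]
}.freeze

# Declarative ownership map: table => [parent table, foreign key column].
# A deeper table (e.g. transactions) would be one more entry here,
# instead of one more hand-written join in every controller action.
OWNED_VIA = {
  portfolios: [:users, :user_id],
  accounts:   [:portfolios, :portfolio_id]
}.freeze

class NotFound < StandardError; end

# Walk the parent chain from a row up to users and return the owning user id.
def owner_id(table, row)
  while table != :users
    parent, fk = OWNED_VIA.fetch(table)
    row = ROWS.fetch(parent).find { |r| r[:id] == row[fk] } or raise NotFound
    table = parent
  end
  row[:id]
end

# Hypothetical single entry point for record lookups by id.
def find_owned(table, id, current_user_id)
  row = ROWS.fetch(table).find { |r| r[:id] == Integer(id) }
  # Same error for "does not exist" and "belongs to someone else".
  raise NotFound unless row && owner_id(table, row) == Integer(current_user_id)
  row
end

# Hypothetical list variant: only rows whose chain ends at the current user.
def list_owned(table, current_user_id)
  ROWS.fetch(table).select { |r| owner_id(table, r) == Integer(current_user_id) }
end
```

In Rails itself the same effect comes from starting every lookup at the logged-in user's associations, e.g. `current_user.portfolios.find(params[:id])` (a `current_user` helper is assumed), rather than at the model class.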