Forum: Ruby on Rails REST and Limiting Access

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
Ac1585f1d07df0c387f2a8618c0b8054?d=identicon&s=25 John Smith (captaffy)
on 2007-03-02 10:50
I have a RESTful User class, but the User actions (minus new and create)
require an application user to be logged in. This leads me to a bit of a
REST conundrum.

The edit action for a specific User is obviously access with an url like;edit
But I do not want the User with ID 1 to be able to edit User with ID 2's

I am curious as to how people are handling situations like this.

I am currently using a before_filter on these actions which checks if
the User ID stored in the session is the same as the params ID. If not,
it silently redirects to the same action, but with their ID. For
example, a request of from the application
user logged in with an ID of 1 is redirected to

So yeah, just curious what other people think about this issue.
15c80c9bf8be5ba6e5eeac9cb0304464?d=identicon&s=25 Ed Hickey (Guest)
on 2007-03-02 16:36
(Received via mailing list)
As you alluded to, in all my controllers I have a before_filter that
verifies and pre-populates instance variables of the main object(s) in
page.  If you're using AAA, you can just access 'current_user' object
should always be the logged in user, alleviating the issue of forgery.
renders the user id in the URL uneccessary altogether. If you're not
AAA, you can set a before_filter such as:

def set_user
  @user = User.find(session[:user_id])

So then in your update method, you would just do a
As for other controllers, it's good to ensure the association isn't
as well.  So in, say, an AssetsController you could have a before_filter

def set_variables
  @user = User.find(session[:user_id])
  @asset = @user.assets.find(params[:id])

hope that helps,

This topic is locked and can not be replied to.