On Aug 3, 11:04 am, Brian Hogan <[EMAIL PROTECTED]> wrote:
> Forgive me for reopening an old thread, but
>
> > posts/1/comments/34
>
> > Which then lets me do
>
> > @post = user.posts.find(params[:post_id])
> > @comment = @post.comments.find(params[:id])
>
> Forgive me, but I actually do think that's silly. If I really needed
> to do that I'd do
>
> @comment = Comment.find(params[:id], :include=>[:post])
> @post = @comment.post
>
> and save a hit to the database.
>
> I'm having a really hard time wrapping my mind around the nesting,
> except that the URL looks pretty. Do you really mean to say that we
> should be accessing both objects that way? It seems really hackish.
> When I did this without nested routes on my first project, I built
> URLs this way but never used the post_id in the URL at all. Is that
> wrong?
>
> I'm just looking for some enlightenment here, not trying to be
> difficult! :)

This is for security/data integrity reasons. When you fetch like the
example above, you can only access posts that were written by the
user, and only access comments written about that particular post. On
a blog that might not matter much, but on an application that keeps
data secret from different accounts, it's paramount.
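
The difference the reply describes, as an added example that is not part of the original thread: a plain-Ruby stand-in for the association-scoped finds, run against an unscoped lookup by comment id alone. `Scope`, `RecordNotFound`, the `unscoped_comment`/`scoped_comment`/`try_scoped` helpers and the sample users, posts and comments are constructed for illustration and are not Rails code.

```ruby
# Constructed in-memory stand-in for ActiveRecord associations (hypothetical names).
class RecordNotFound < StandardError; end

# A collection whose find raises when the id is outside the scoped rows.
class Scope
  def initialize(rows)
    @rows = rows
  end
  def find(id)
    @rows.find { |r| r.id == id.to_i } || raise(RecordNotFound, "id #{id} not in scope")
  end
end

Comment = Struct.new(:id, :post_id, :body)
Post = Struct.new(:id, :user_id, :title) do
  def comments
    Scope.new(COMMENTS.select { |c| c.post_id == id })
  end
end
User = Struct.new(:id, :name) do
  def posts
    Scope.new(POSTS.select { |p| p.user_id == id })
  end
end

# Constructed sample data: two accounts, one post and one comment each.
POSTS    = [Post.new(1, 1, "alice's post"), Post.new(2, 2, "bob's private post")]
COMMENTS = [Comment.new(34, 1, "on alice's post"), Comment.new(35, 2, "on bob's post")]
ALICE    = User.new(1, "alice")

# Unscoped: trusts params[:id] alone, so any account can read any comment.
def unscoped_comment(params)
  Scope.new(COMMENTS).find(params[:id])
end

# Scoped, as in the reply: each find only sees rows under its parent.
def scoped_comment(user, params)
  post = user.posts.find(params[:post_id])
  post.comments.find(params[:id])
end

# Returns the comment body, or :not_found where a controller would answer 404.
def try_scoped(user, params)
  scoped_comment(user, params).body
rescue RecordNotFound
  :not_found
end

puts try_scoped(ALICE, post_id: "1", id: "34")
```

The scoped chain rejects both a post that belongs to another account and a comment id that does not sit under the post named in the URL, while the unscoped lookup returns whatever row matches the id.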