Well see that's exactly why I am confused. I understand the data integrity thing and the security thing, but how far do you take that?
  /users/1/projects/2/tasks/3/notes/4

  @user    = User.find(params[:user_id])
  @project = @user.projects.find(params[:project_id])
  @task    = @project.tasks.find(params[:task_id])
  @note    = @task.notes.find(params[:id])

That just really seems to get messy. Is that really the approach you'd take? I assume you'd use some sort of includes there to reduce the db calls then, right?

Are there examples of projects that use this nesting stuff in the wild that we could actually see the code to? I'd love to figure out what I'm missing here, as I really feel like I'm not "getting" it. In the past, for security purposes, I'd just have the user *own* everything by user_id and use that to see if someone can actually use it.

Thanks for the explanation though, this is a really good topic.

On 8/3/07, DHH <[EMAIL PROTECTED]> wrote:
>
> On Aug 3, 11:04 am, Brian Hogan <[EMAIL PROTECTED]> wrote:
> > Forgive me for reopening an old thread, but
> >
> > > posts/1/comments/34
> >
> > > Which then lets me do
> >
> > > @post = user.posts.find(params[:post_id])
> > > @comment = @post.comments.find(params[:id])
> >
> > Forgive me, but I actually do think that's silly. If I really needed
> > to do that I'd do
> >
> > @comment = Comment.find(params[:id], :include=>[:post])
> > @post = @comment.post
> >
> > and save a hit to the database.
> >
> > I'm having a really hard time wrapping my mind around the nesting,
> > except that the URL looks pretty. Do you really mean to say that we
> > should be accessing both objects that way? It seems really hackish.
> > When I did this without nested routes on my first project, I built
> > URLs this way but never used the post_id in the URL at all. Is that
> > wrong?
> >
> > I'm just looking for some enlightenment here, not trying to be
> > difficult! :)
>
> This is for security/data integrity reasons. When you fetch like the
> example above, you can only access posts that were written by the
> user. And only access comments written about that particular post. On
> a blog that might not matter much, but on an application that keeps
> data secret from different accounts, it's paramount.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
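The thread contrasts two ways of looking up a deeply nested record: walking the association chain from the current user (DHH's approach) versus a single find on the leaf followed by an ownership check (the "includes" variant Brian asks about). The following is an added example, not code from the thread or from Rails: a plain-Ruby model of both styles, plus the unsafe variant that trusts the leaf id alone, runnable without Rails. The `Table` class, the in-memory rows and every id in it are constructed for illustration.

```ruby
# Added example (not code from the thread): plain-Ruby model of scoped vs.
# unscoped lookups on /users/:user_id/projects/:project_id/tasks/:task_id/notes/:id.
# All classes, rows and ids below are constructed for illustration.

class NotFound < StandardError; end

# Minimal stand-in for an ActiveRecord model backed by a hash of rows keyed by id.
class Table
  def initialize(rows)
    @rows = rows
  end

  # Unscoped lookup, like Comment.find(id): returns any row regardless of owner.
  def find(id)
    @rows.fetch(id) { raise NotFound, "id #{id} not found" }
  end

  # Scoped lookup, like @project.tasks.find(id): only rows whose foreign key
  # matches the parent. Rows owned by someone else are indistinguishable from
  # rows that do not exist, which is the property the thread is after.
  def find_scoped(id, fk, parent_id)
    row = @rows[id]
    raise NotFound, "id #{id} not found" unless row && row[fk] == parent_id
    row
  end
end

# Constructed sample data: user 1 owns project 2 -> task 3 -> note 4;
# user 9 owns project 20 -> task 30 -> note 40.
PROJECTS = Table.new(
  2  => { id: 2,  user_id: 1 },
  20 => { id: 20, user_id: 9 }
)
TASKS = Table.new(
  3  => { id: 3,  project_id: 2 },
  30 => { id: 30, project_id: 20 }
)
NOTES = Table.new(
  4  => { id: 4,  task_id: 3,  body: "mine" },
  40 => { id: 40, task_id: 30, body: "someone else's" }
)

# Style 1 (nested routes): each hop is scoped by the previous one, so ids
# taken from the URL can never reach another account's rows.
def note_via_nesting(current_user_id, params)
  project = PROJECTS.find_scoped(params[:project_id], :user_id, current_user_id)
  task    = TASKS.find_scoped(params[:task_id], :project_id, project[:id])
  NOTES.find_scoped(params[:id], :task_id, task[:id])
end

# Style 2 (find the leaf, then check ownership up the chain): the same
# protection, but the authorization check is a separate step that every
# action has to remember to perform.
def note_via_ownership_check(current_user_id, params)
  note    = NOTES.find(params[:id])
  task    = TASKS.find(note[:task_id])
  project = PROJECTS.find(task[:project_id])
  raise NotFound, "id #{params[:id]} not found" unless project[:user_id] == current_user_id
  note
end

# The unsafe variant: trusting the leaf id alone returns other accounts' rows.
def note_unscoped(params)
  NOTES.find(params[:id])
end

if __FILE__ == $PROGRAM_NAME
  own   = { project_id: 2, task_id: 3, id: 4 }
  other = { project_id: 2, task_id: 3, id: 40 } # user 1's path with user 9's note id
  puts note_via_nesting(1, own)[:body]
  begin
    note_via_nesting(1, other)
  rescue NotFound => e
    puts "nested lookup refused: #{e.message}"
  end
  puts note_unscoped(other)[:body] # leaks another account's note
end
```

Both safe styles refuse the request when the leaf id belongs to another account; the difference the thread is circling is where that refusal lives. With nesting it falls out of the query itself, with the ownership check it is an extra step per action, and the unscoped variant shows what is at stake when that step is forgotten.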
