On Jun 5, 2012, at 8:18 AM, John Mileham wrote:
>
> It's easy to dismiss as an obvious mistake, but I've seen it done too many
> times to want to encourage deeply nested routes by automating the URL
> generation. If your controller is forced to find the user from the project in
> order to perform access control, then the odds of making a mistake are much
> lower:
>
> def create
>   @project = Project.find(params[:project_id])
>   raise "alert!!" unless @project.user == current_user
> end
Curious - is there a reason to prefer this code to the alternative:

@project = current_user.projects.find(params[:project_id])

which turns attempts to access others' projects into 404s?

--Matt Jones

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
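The two idioms under discussion, as an added example that is not part of the thread and not Rails code: a plain-Ruby stand-in with a constructed in-memory `PROJECTS` table, so the difference can be run without ActiveRecord. `RecordNotFound` stands in for `ActiveRecord::RecordNotFound`, `project_find` for `Project.find`, and `user_projects_find` for `current_user.projects.find`; the `load_project_*` helpers and `outcome` are assumed names. The third loader is the explicit-check style with the check forgotten, which is the failure mode John's message is warning about.

```ruby
# Added example, not from the thread or from Rails. Models and table are constructed here.
class RecordNotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound
class Unauthorized   < StandardError; end   # the explicit "alert!!" path

User    = Struct.new(:id, :name)
Project = Struct.new(:id, :user_id, :title)

# Constructed sample data: project 1 belongs to user 10, project 2 to user 20.
PROJECTS = [
  Project.new(1, 10, "alice-report"),
  Project.new(2, 20, "bob-budget"),
].freeze

# Unscoped lookup, the analogue of Project.find(params[:project_id]).
def project_find(id)
  PROJECTS.find { |p| p.id == id } or raise RecordNotFound, "Project #{id}"
end

# Association-scoped lookup, the analogue of current_user.projects.find(...).
# A project that exists but belongs to someone else is simply not found.
def user_projects_find(user, id)
  PROJECTS.find { |p| p.user_id == user.id && p.id == id } or
    raise RecordNotFound, "Project #{id}"
end

# Style 1: global find, then an explicit ownership check.
def load_project_with_check(current_user, params)
  project = project_find(Integer(params[:project_id]))
  raise Unauthorized, "alert!!" unless project.user_id == current_user.id
  project
end

# Style 1 with the check forgotten: a classic IDOR, since any id is served.
def load_project_without_check(_current_user, params)
  project_find(Integer(params[:project_id]))
end

# Style 2: the query itself is scoped to the caller, so there is no check to forget.
def load_project_scoped(current_user, params)
  user_projects_find(current_user, Integer(params[:project_id]))
end

# Run one loader for a caller asking for a project id and classify what happened.
def outcome(loader, current_user, project_id)
  project = send(loader, current_user, { project_id: project_id.to_s })
  project.user_id == current_user.id ? :own : :leaked
rescue RecordNotFound
  :not_found
rescue Unauthorized
  :unauthorized
end

if __FILE__ == $0
  alice = User.new(10, "alice")
  puts outcome(:load_project_with_check,    alice, 2)   # :unauthorized
  puts outcome(:load_project_without_check, alice, 2)   # :leaked
  puts outcome(:load_project_scoped,        alice, 2)   # :not_found
  puts outcome(:load_project_scoped,        alice, 1)   # :own
  puts outcome(:load_project_scoped,        alice, 99)  # :not_found
end
```

The scoped form gives the same `RecordNotFound` (a 404 in Rails) for "exists but not yours" and "does not exist", so a caller probing ids learns nothing about which projects exist, and the authorization decision lives in the query rather than in a check that a later edit can drop.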