Ms. Klein,
I handle that situation very similarly with the only disparity being
where ownership is determined. In my opinion the object itself should
know nothing about @current_user, whereas the application can know about
Resource.user.
I also tend to alias methods in my resources, like so:

    # instance method, so that resource.owner returns resource.user
    def owner
      user
    end
Then I ensure that every object has some owner alias if it is to be
restricted, and in my :require_ownership before_filter, I do the following:

    def require_ownership
      if @resource.owner == @current_user ...
    end
The end effect is the same, but this allows the resource to be used
intact in another application without modification, regardless of
@current_user in the other application. Just a matter of who knows
what about whom.
Otherwise, unless someone can suggest a better method for us both, I
personally think you're on the right track.
Cheers,
Darrik Mazey
Lisa Klein wrote:
> Hi, I just have a "best practices" question. I'd like to block users
> that don't own a particular resource from performing edit/update/
> destroy actions on it. Here's how I currently do it:
>
> ## User has many resources, of different types
>
> ------- resource_controller.rb -------
>
> before_filter :require_ownership, :only => [:edit, :update, :destroy]
>
> ... public actions ...
>
> protected
>
> def require_ownership
> @resource = Resource.find(params[:id])
> redirect_to_somewhere unless owns?(@resource)
> end
>
> ------- application.rb -------
>
> def owns?(resource)
> resource.user_id == @current_user.id
> end
>
> ... And I apply this before_filter in the controller of any resource
> I'd like to restrict in a similar way. I'm new to Rails and MVC so
> I'm just wondering whether this is the best way of accomplishing this,
> or if a different method is recommended.
>
> Thanks in advance!
>
--
Darrik Mazey
Developer
DMT Programming, LLC.
P.O. Box 91
Torrington, CT 06790
office: 330.983.9941
fax: 330.983.9942
mobile: 330.808.2025
[email protected]
To obtain my public key, send an email to
[email protected].
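The pattern discussed in both messages (a resource that exposes only its own owner, and a controller-side filter that compares that owner with the current user before edit/update/destroy) can be exercised without Rails. The following is an added example, not code from either poster; the User/Document classes, the in-memory DOCUMENTS store standing in for Resource.find, and the DocumentsController#dispatch method simulating before_filter are all constructed for illustration. It also handles the case the thread's snippets skip: a nil @current_user (no session) must be denied rather than raise.

```ruby
# Added example (plain Ruby, no Rails): ownership check for destructive actions.

# Hypothetical user and resource types.
User = Struct.new(:id, :name)

class Document
  attr_reader :id, :user_id, :title

  def initialize(id, user_id, title)
    @id, @user_id, @title = id, user_id, title
  end

  # The resource only knows who owns it; it never sees the current user.
  def owner_id
    user_id
  end
end

# Constructed in-memory store standing in for Resource.find(params[:id]).
DOCUMENTS = {
  1 => Document.new(1, 10, "Alice's draft"),
  2 => Document.new(2, 20, "Bob's notes"),
}.freeze

# Application-level helper: this is where @current_user and the resource meet.
module Ownership
  def self.owns?(current_user, resource)
    # A missing session or missing resource is a denial, not an exception.
    return false if current_user.nil? || resource.nil?
    resource.owner_id == current_user.id
  end
end

# Hypothetical controller simulating before_filter :require_ownership,
# :only => [:edit, :update, :destroy].
class DocumentsController
  ACTIONS   = [:show, :edit, :update, :destroy].freeze
  PROTECTED = [:edit, :update, :destroy].freeze

  def initialize(current_user)
    @current_user = current_user
  end

  # Runs the filter chain, then the action. Returns the action's result,
  # :redirected when the filter halts the chain, or :not_found.
  def dispatch(action, params)
    return :not_found unless ACTIONS.include?(action)
    @resource = DOCUMENTS[params[:id]]
    return :not_found if @resource.nil?
    return :redirected if PROTECTED.include?(action) && !require_ownership
    public_send(action)
  end

  def show;    "show #{@resource.title}";    end
  def edit;    "edit #{@resource.title}";    end
  def update;  "update #{@resource.title}";  end
  def destroy; "destroy #{@resource.title}"; end

  private

  # The filter: true lets the chain continue, false stands in for redirect_to.
  def require_ownership
    Ownership.owns?(@current_user, @resource)
  end
end

if __FILE__ == $0
  alice = User.new(10, "alice")
  bob   = User.new(20, "bob")
  puts DocumentsController.new(alice).dispatch(:edit, id: 1)    # edit Alice's draft
  puts DocumentsController.new(bob).dispatch(:edit, id: 1)      # redirected
  puts DocumentsController.new(nil).dispatch(:destroy, id: 1)   # redirected
  puts DocumentsController.new(nil).dispatch(:show, id: 2)      # show Bob's notes
end
```

Keeping the comparison in the application (Ownership.owns?) while the resource only exposes owner_id is the split Darrik describes: the model can move to another application untouched, and the single helper is the one place to audit for the nil-user case.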