Don't take the user id from the url. For example, don't do this:
    url:  /show_friends/5
    code: Users.find(5).friends

But do this:

    url:  /show_friends
    code: current_user.friends

where current_user is the currently authenticated user. You know who is logged in, so you don't need to pass his id around.

On Jan 13, 7:53 am, eggie5 <[email protected]> wrote:
> I have a system of users who have many resources. For example a user
> may have many books, many friends, many items, etc. I have an
> authentication system in which users can login, working just fine
> (authlogic). However, I have some default scaffold type pages for
> index. You can view a list of Users and a list of Books and a list of
> Friends. However, when you go to the friends page the user can see the
> friends of all the other users too. Manually I could just modify all
> my index methods in all the respective books, friends, items
> controllers to say current_user.friends.all, ... etc. instead of
> Friends.all. But then still the user can view friends that aren't
> theirs by just guessing the id: friends/32. I need a higher level system
> to enforce these rules. Not sure how to describe the design problem
> more simply; is there a tool or method in place to handle such an issue?
> I would think like acts_as_resource (doesn't exist) in the Friends
> model so that any call to Friends will make sure that the friend
> belongs to the user by association. This should be on the controller
> level though and not on the model, I don't think.
>
> Any ideas?
-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
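The scoping the reply recommends, shown in plain Ruby as an added example (not code from the thread, and not Rails itself): the User/Friend structs, the in-memory USERS and FRIENDS stores and the RecordNotFound error are constructed stand-ins for ActiveRecord models and associations.

```ruby
# Contrasts a lookup keyed on an id taken from the URL with one scoped
# through the authenticated user. All data below is constructed.

class RecordNotFound < StandardError; end

Friend = Struct.new(:id, :owner_id, :name)
User   = Struct.new(:id, :name) do
  # Mirrors current_user.friends: only rows owned by this user are visible.
  def friends
    FRIENDS.select { |f| f.owner_id == id }
  end

  # Scoped find: an id outside the association is treated as non-existent,
  # so a guessed /friends/32 for someone else's friend yields a 404, not data.
  def find_friend(friend_id)
    friends.find { |f| f.id == friend_id } or raise RecordNotFound
  end
end

USERS   = [User.new(1, "alice"), User.new(2, "bob")]
FRIENDS = [Friend.new(31, 1, "carol"), Friend.new(32, 2, "dave")]

# Vulnerable pattern: /show_friends/:user_id -> Users.find(id).friends
# Any logged-in user can list any other user's friends by changing the id.
def show_friends_by_url_id(user_id)
  user = USERS.find { |u| u.id == user_id } or raise RecordNotFound
  user.friends.map(&:name)
end

# Fixed pattern: /show_friends -> current_user.friends (no id in the URL)
def show_friends(current_user)
  current_user.friends.map(&:name)
end

# Same idea for /friends/:id: go through the association, never Friends.find
def show_friend(current_user, friend_id)
  current_user.find_friend(friend_id).name
end
```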

