>...
>> Then provide appropriate named scopes for
>> BabyNames that enforce the conditions and always use those rather than
>> the generic find.  If you are not sure what named scopes you need then
>> initially just put the finds in line with the conditions and when you
>> find yourself repeating a find then convert it to a named scope.
>> Remember that the code is under your control.  If you have no find
>> operations in the code that do not specify the user conditions then
>> there is no way a find can be performed using your app that does not
>> have that condition.  Do a global search in your app for 'find' and
>> check they all have appropriate conditions.
>
> That's fine, will do that - but the way you put it sounds like I'd have
> a lot of named_scopes to do this, in this case I can only think of two,
> the find for a specific baby name and the one to get them all. Actually
> hold on *CORRECTION*, sorry I type as I think! That's right I'm doing
> other finds as well, e.g. finding a user's boy baby names and girl baby
> names - I guess I should secure those also on the basis of the
> current_user's boy baby names. Basically are you saying move all find to
> the model and make sure they're secured there?

By using named scopes you are putting the logic for the find into the
model, you still have to call the named scope from the controller.  So
instead of
BabyName.find(:all, :conditions.....)
you use
BabyName.find_all_for_current_user
or whatever, where find_all_for_user is the named scope.  The
controller code does not have to know how to fetch records for the
current user, it leaves that to the named_scope in the model, which is
as it should be.
By the way, when you code up the named scope you will have to use a
'lambda' for the current user, so that the query is reconstructed each
time you call it (otherwise it will be constructed when the model is
loaded, with the current user at that instant, which is not what you
want).  Read up on named_scope and you will see how that works.

Colin
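
The lambda point from the reply above, shown as an added example that is not part of the original thread. It assumes a small plain-Ruby stand-in for named_scope (not ActiveRecord itself) so it runs without Rails; the users, rows, scope names and the names_of and find_owned helpers are constructed for illustration.

```ruby
# Added example. named_scope below is a plain-Ruby stand-in (an assumption,
# not ActiveRecord) that accepts a fixed options hash or a lambda returning one.
User = Struct.new(:id, :login)
AMY = User.new(1, "amy")   # constructed users
BOB = User.new(2, "bob")
USER_AT_LOAD = AMY         # whoever was "current" when the model file loaded

class BabyName
  ROWS = [                 # constructed sample rows
    { :id => 1, :user_id => 1, :name => "Emma", :gender => "girl" },
    { :id => 2, :user_id => 1, :name => "Noah", :gender => "boy"  },
    { :id => 3, :user_id => 2, :name => "Mia",  :gender => "girl" },
    { :id => 4, :user_id => 2, :name => "Liam", :gender => "boy"  }
  ]

  def self.named_scope(name, options)
    define_singleton_method(name) do |*args|
      # A lambda is re-evaluated on every call; a hash was built once, at load.
      opts = options.respond_to?(:call) ? options.call(*args) : options
      ROWS.select { |row| opts[:conditions].all? { |col, val| row[col] == val } }
    end
  end

  # Pitfall: conditions are evaluated once, while this class body runs.
  named_scope :for_user_frozen, :conditions => { :user_id => USER_AT_LOAD.id }

  # Lambda form: conditions are rebuilt from the user passed in on each call.
  named_scope :for_user, lambda { |user|
    { :conditions => { :user_id => user.id } }
  }
  named_scope :boys_for_user, lambda { |user|
    { :conditions => { :user_id => user.id, :gender => "boy" } }
  }
end

def names_of(rows)
  rows.map { |row| row[:name] }
end

# Lookup of one record by id, restricted to the owner's rows.
def find_owned(user, id)
  BabyName.for_user(user).find { |row| row[:id] == id }
end

puts names_of(BabyName.for_user(BOB)).inspect       # rows owned by BOB only
puts names_of(BabyName.for_user_frozen).inspect     # load-time user's rows, whoever asks
puts find_owned(BOB, 1).inspect                     # id 1 is not BOB's row
```

The frozen scope returns the load-time user's rows to every caller, which is the failure the lambda avoids; the id lookup goes through the per-user scope so another user's record id yields nothing.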
