On 12 February 2011 10:00, msaspence <[email protected]> wrote:
> On Feb 12, 9:53 am, Colin Law <[email protected]> wrote:
>> On 11 February 2011 22:40, msaspence <[email protected]> wrote:
>>
>> > I want to restrict access to an object's show action to the owner
>>
>> > in my action I have this
>>
>> > def show
>> >    @thing = Thing.find(params[:id])
>> >    if current_user && @thing.owner == current_user
>>
>> Not related to your problem, but just pointing out that you might be
>> better to use a :conditions option in the find so that it only finds
>> the current user's things in the first place.  Then put this in a named
>> scope in the Thing model and the above reduces to something like
>> @thing = Thing.current_users_things.find(params[:id])
>>
>> Colin
>
>
> But if it doesn't find anything I won't know whether to return a 404 or
> a 403

Your current code does not allow that distinction either.

Since I see you are using authlogic, do you not have a before filter
require_user or similar so that you can trap the no-user condition before
it even gets to the show action?

Colin
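
The two lookup styles discussed in this thread, side by side, as an added example that is not part of the original messages. It is plain Ruby with an in-memory stand-in for the model (no Rails or authlogic); `Thing.owned_by`, `RecordNotFound`, the two `show_*` methods and the 401 returned when no user is logged in are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; every name below is hypothetical.
class RecordNotFound < StandardError; end

class Thing
  attr_reader :id, :owner
  def initialize(id, owner)
    @id, @owner = id, owner
  end

  # Constructed sample records: 1 and 2 belong to alice, 3 to bob.
  RECORDS = [new(1, "alice"), new(2, "alice"), new(3, "bob")].freeze

  # Unscoped lookup: returns the record whoever owns it.
  def self.find(id)
    RECORDS.find { |t| t.id == id.to_i } or raise RecordNotFound
  end

  # Scoped lookup: searches only the given user's records.
  def self.owned_by(user)
    Scope.new(RECORDS.select { |t| t.owner == user })
  end

  class Scope
    def initialize(records)
      @records = records
    end
    def find(id)
      @records.find { |t| t.id == id.to_i } or raise RecordNotFound
    end
  end
end

# Find first, compare owner afterwards: 403 and 404 are distinguishable.
def show_check_after_find(current_user, params)
  return 401 unless current_user # stand-in for a require_user before filter
  Thing.find(params[:id]).owner == current_user ? 200 : 403
rescue RecordNotFound
  404
end

# Scoped find: someone else's id and a nonexistent id both give 404.
def show_scoped(current_user, params)
  return 401 unless current_user
  Thing.owned_by(current_user).find(params[:id])
  200
rescue RecordNotFound
  404
end
```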
