On Feb 12, 10:11 am, Colin Law <[email protected]> wrote:
> On 12 February 2011 10:00, msaspence <[email protected]> wrote:
> > On Feb 12, 9:53 am, Colin Law <[email protected]> wrote:
> >> On 11 February 2011 22:40, msaspence <[email protected]> wrote:
> >> > I want to restrict access to an object's show action to the owner.
> >> > In my action I have this:
> >> >
> >> >   def show
> >> >     @thing = Thing.find(params[:id])
> >> >     if current_user && @thing.owner == current_user
> >>
> >> Not related to your problem, but just pointing out that you might be
> >> better to use a :conditions option in the find so that it only finds
> >> the current user's things in the first place. Then put this in a named
> >> scope in the Thing model and the above reduces to something like
> >>
> >>   @thing = Thing.current_users_things.find(params[:id])
> >>
> >> Colin
> >
> > But if it doesn't find anything I won't know whether to return a 404 or
> > a 403.
>
> Your current code does not allow that distinction either.
>
> Since I see you are using authlogic, do you not have a before filter
> require_user or similar so that you can trap the no-user condition before
> it even gets to the show action?
>
> Colin

No, but I could add it in at some point. (Pseudo code:)

  def show
    # find_by_id returns nil for an unknown id; find would raise
    # ActiveRecord::RecordNotFound before the nil check is ever reached
    @thing = Thing.find_by_id(params[:id])
    if @thing.nil?
      head :not_found
    elsif current_user && @thing.owner == current_user
      respond_to do |format|
        format.json { render :json => @thing }
      end
    else
      render :status => :forbidden, :text => "API requires authentication for the minute."
    end
  end

require_user sounds like a better way to do "if current_user" but does solve the current_user == @thing.owner part.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
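The two strategies debated in this thread, written out as an added example that is not code from either poster. It is plain Ruby with no Rails dependency: `User`, `Thing`, `ThingStore`, `authorize_show_two_step` and `authorize_show_scoped` are constructed names standing in for the model, the `find_by_id` call and the owner-only named scope. The example also separates the "no session" case as `:unauthorized`, which the thread's code folds into 403, and shows the trade-off the thread circles around: the two-step check can tell 404 from 403, while the scoped lookup fails closed and never confirms to a caller that somebody else's record exists.

```ruby
# Added example (not from the thread): a plain-Ruby model of the two
# access-control strategies discussed above, so the 404/403 distinction
# can be seen without Rails. All names below are constructed for this example.

User  = Struct.new(:id, :name)
Thing = Struct.new(:id, :owner)

class ThingStore
  def initialize(things)
    @things = things
  end

  # Unscoped lookup, like Thing.find_by_id: nil when the id is unknown.
  def find_by_id(id)
    @things.find { |t| t.id == id }
  end

  # Scoped lookup, like Colin's named scope: only the caller's own things
  # are visible, so a foreign id and an unknown id both come back as nil.
  def owned_by(user)
    ThingStore.new(@things.select { |t| t.owner == user })
  end
end

# Strategy A (msaspence's pseudo code made explicit): look the record up,
# then check ownership. Distinguishes "does not exist" (:not_found),
# "no session" (:unauthorized) and "exists but not yours" (:forbidden).
# The cost is that a 403 confirms the record exists.
def authorize_show_two_step(store, current_user, id)
  thing = store.find_by_id(id)
  return [:not_found, nil] if thing.nil?
  return [:unauthorized, nil] if current_user.nil?
  return [:forbidden, nil] unless thing.owner == current_user
  [:ok, thing]
end

# Strategy B (Colin's suggestion): require a user first (the require_user
# before filter), then search only within that user's things. A miss is
# always :not_found, so the API never reveals whether a foreign id exists.
def authorize_show_scoped(store, current_user, id)
  return [:unauthorized, nil] if current_user.nil?
  thing = store.owned_by(current_user).find_by_id(id)
  return [:not_found, nil] if thing.nil?
  [:ok, thing]
end

# Constructed sample data: two users, one thing each.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
STORE = ThingStore.new([Thing.new(10, ALICE), Thing.new(20, BOB)])

if __FILE__ == $0
  # Same requests through both strategies: own thing, Bob's thing,
  # unknown id, and no session at all.
  [[ALICE, 10], [ALICE, 20], [ALICE, 99], [nil, 10]].each do |user, id|
    a = authorize_show_two_step(STORE, user, id).first
    b = authorize_show_scoped(STORE, user, id).first
    puts "user=#{user ? user.name : 'none'} id=#{id}  two_step=#{a}  scoped=#{b}"
  end
end
```

Running it shows the one row where the strategies disagree: Alice asking for Bob's thing gets `:forbidden` from the two-step check and `:not_found` from the scoped one. Which is right depends on whether the API is allowed to confirm that other users' records exist; the scoped form is the safer default when it is not.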

