I’m building something very common to most web applications: there are multiple users, and each user has their own set of resources (e.g. documents). And I need a way of ensuring one user cannot access the resource of another user by simply typing something like /documents/3 into the URL, if 3 is the ID of a document by another user.
One way I see is to verify for every request that the resource being accessed actually belongs to the current user. But perhaps a more elegant approach is to scope the ID of the resource to the user, so the post with ID 3 refers to a different post for a different user, essentially having a composite key; but I’m not sure how that would play with Rails’ preference for a global primary key.
Any thoughts appreciated.
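Both options from the question side by side, as an added example that is not part of the original post: a global lookup (the pattern that leaks), the owner-scoped lookup (in Rails this is `current_user.documents.find(params[:id])` on a `has_many` association rather than `Document.find`), and a per-user sequence number that keeps the global primary key internal. It runs without Rails; `User`, `Document`, the in-memory `DOCUMENTS` table and the helper names are assumptions, and the rows are constructed sample data.

```ruby
# Added example (not from the original post). Models the three lookup
# strategies without Rails so it runs stand-alone; names are assumed.

NotFound = Class.new(StandardError)

User     = Struct.new(:id, :name)
Document = Struct.new(:id, :user_id, :user_seq, :title)

# Constructed sample data standing in for database rows: alice owns
# global ids 1 and 2, bob owns global id 3.
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }
DOCUMENTS = [
  Document.new(1, 1, 1, "alice-notes"),
  Document.new(2, 1, 2, "alice-plan"),
  Document.new(3, 2, 1, "bob-secret"),
]

# The insecure pattern the question describes (Document.find(params[:id])):
# the lookup keys on the global id only, so the owner is never checked.
def find_global(doc_id)
  DOCUMENTS.find { |d| d.id == doc_id } or raise NotFound
end

# Approach 1, the usual Rails fix (current_user.documents.find(id)): the
# query is scoped to the owner, so another user's id is a 404, not a leak.
def find_scoped(current_user, doc_id)
  DOCUMENTS.find { |d| d.user_id == current_user.id && d.id == doc_id } or raise NotFound
end

# Approach 2, the composite-key idea: the URL carries a per-user sequence
# number and the global primary key stays internal. (user_id, user_seq)
# is the key the request is resolved against.
def find_by_user_seq(current_user, seq)
  DOCUMENTS.find { |d| d.user_id == current_user.id && d.user_seq == seq } or raise NotFound
end

# Allocates the next per-user sequence number when creating a document.
# In a real database this needs a unique index on (user_id, user_seq) so
# two concurrent creates cannot pick the same number.
def next_user_seq(user)
  (DOCUMENTS.select { |d| d.user_id == user.id }.map(&:user_seq).max || 0) + 1
end

# Simulates one GET /documents/:id as current_user and reports what each
# strategy would return ("404" where the lookup is refused).
def simulate(current_user, id)
  {
    global: (find_global(id).title rescue "404"),
    scoped: (find_scoped(current_user, id).title rescue "404"),
    by_seq: (find_by_user_seq(current_user, id).title rescue "404"),
  }
end

if __FILE__ == $0
  # bob requesting id 1: global lookup hands over alice's document, the
  # scoped lookup refuses, and the per-user key resolves to bob's own.
  p simulate(USERS[2], 1)
  # alice requesting id 3: only the global lookup leaks bob's document.
  p simulate(USERS[1], 3)
end
```

Either approach closes the hole; the scoped lookup is the smaller change because it keeps the global primary key and only adds the owner constraint to every query, whereas the per-user sequence needs a second column and a uniqueness constraint on the pair.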