DoubleRender Question: who can answer?

Joe,

You want to call this method as a before_filter. Then returning false will stop further request processing.

before_filter :is_owner_or_admin

You'll also need to pull out the param user_id and just locate this within the method as you can't pass params to filters.

Joe,

There is actually a lot wrong here. First of all, you can never trust params with anything as important as access control. What happens when a user passes in param[:id] equal to an admin's? They have admin access under your code. You need to do some sort of user authentication, store the user_id in the session and then check that in your code. Example:

# application.rb
...
# Identity comes from the session, never from params.
def current_user
  @current_user ||= (session[:user_id] ? User.find(session[:user_id]) : nil)
end
helper_method :current_user
...
private

  def authenticate
    redirect_to(login_url) and return false unless current_user
  end

So now you can write the authorization check as a before_filter:

# Declare this after :authenticate so current_user is never nil here.
def is_owner_or_admin
  # Deny unless the session user is an Admin OR owns the record.
  unless current_user.role == "Admin" || [ownership check here]
    flash[:error] = "Access denied"
    redirect_to(:controller => :users, :action => :account) and return false
  end
end
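The reply above in working form, as an added example that is not part of the original thread: a toy stand-in for Rails' filter chain (no Rails dependency; the `Controller` base class, `dispatch`, the `USERS` table and the user names are all constructed for this demo) showing why the check must key off the session user rather than params[:id]. A non-admin who passes an admin's id in params is still denied, because the identity used by the check never comes from params.

```ruby
# Added example, not from the original post: a minimal imitation of Rails'
# before_filter semantics so the access check can be run offline.

# Constructed sample users (assumption: roles are "Admin" or "User").
User = Struct.new(:id, :login, :role, keyword_init: true)
USERS = {
  1 => User.new(id: 1, login: "alice", role: "Admin"),
  2 => User.new(id: 2, login: "bob",   role: "User"),
  3 => User.new(id: 3, login: "carol", role: "User"),
}

# Toy base controller: filters run in declaration order before the action,
# and a filter returning false halts the chain (as in Rails 2.x).
class Controller
  def self.before_filter(*names)
    (@filters ||= []).concat(names)
  end

  def self.filters
    inherited = superclass.respond_to?(:filters) ? superclass.filters : []
    inherited + (@filters || [])
  end

  attr_reader :session, :params, :flash, :redirected_to

  def initialize(session, params)
    @session = session   # server-side state the client cannot edit
    @params  = params    # attacker-controlled request data
    @flash   = {}
  end

  # Returns the action's result, or the redirect target if a filter halted.
  def dispatch(action)
    self.class.filters.each do |f|
      return @redirected_to if send(f) == false
    end
    send(action)
  end

  def redirect_to(target)
    @redirected_to = target
    true   # so `redirect_to(...) and return false` evaluates to false
  end

  # Identity comes from the session only; params[:id] is never consulted.
  def current_user
    @current_user ||= (session[:user_id] ? USERS[session[:user_id]] : nil)
  end

  private

  def authenticate
    redirect_to(:login) and return false unless current_user
  end
end

class UsersController < Controller
  # :authenticate first, so current_user is non-nil in is_owner_or_admin.
  before_filter :authenticate, :is_owner_or_admin

  def show
    "profile of #{USERS[params[:id]].login}"
  end

  private

  # Deny unless the session user is an Admin or owns the requested record.
  def is_owner_or_admin
    admin = current_user.role == "Admin"
    owner = current_user.id == params[:id]
    unless admin || owner
      flash[:error] = "Access denied"
      redirect_to(:account) and return false
    end
  end
end

# Simulate one request: session is what the server stored at login,
# params is whatever the client sent.
def simulate_request(session, params, action = :show)
  UsersController.new(session, params).dispatch(action)
end
```

Running `simulate_request({ user_id: 2 }, { id: 1 })` (bob sending alice's id) redirects to `:account` instead of showing the admin's profile, while `simulate_request({ user_id: 1 }, { id: 2 })` lets the admin through and `simulate_request({}, { id: 1 })` is sent to `:login` before the authorization check ever runs.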