Joe,
You want to call this method as a before_filter. Then returning false
will stop further request processing.
before_filter :is_owner_or_admin
You'll also need to pull out the param user_id and just locate this
within the method as you can't pass params to filters.
Joe,
There is actually a lot wrong here. First of all, you can never trust
params with anything as important as access control. What happens
when a user passes in params[:id] equal to an admin's? They have admin
access under your code. You need to do some sort of user
authentication, store the user_id in the session and then check that
in your code. Example:
# application.rb
...
# Looks the user up once per request from the server-side session;
# the client cannot set session[:user_id], unlike params.
def current_user
  @current_user ||= (session[:user_id] ? User.find(session[:user_id]) : nil)
end
helper_method :current_user
...
private
# Register this with before_filter :authenticate in any controller that
# requires a login, before is_owner_or_admin, so current_user is set.
def authenticate
  redirect_to(login_url) and return false unless current_user
end
So now you can write the authorization check as a before_filter:
def is_owner_or_admin
  # Runs after authenticate, so current_user is never nil here.
  is_admin = current_user.role == "Admin"
  is_owner = [ownership check here]
  # Deny unless the user is an admin OR the owner (the original
  # condition with || denied admins who were not also the owner).
  unless is_admin || is_owner
    flash[:error] = "Access denied"
    redirect_to(:controller => :users, :action => :account) and return false
  end
end
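To make the difference between the two approaches concrete, here is an added plain-Ruby model (not code from either poster, and not Rails) of the weak check that trusts params[:id] beside the hardened check that takes identity from the session. The User and Document structs, the USERS and DOCS tables, and the request scenario are all constructed for illustration.

```ruby
# Added example: contrasts a params-based and a session-based
# authorization check. All data below is constructed for illustration.

User     = Struct.new(:id, :role)
Document = Struct.new(:id, :owner_id)

USERS = {
  1 => User.new(1, "Admin"),
  2 => User.new(2, "Member"),
  3 => User.new(3, "Member"),
}
DOCS = { 10 => Document.new(10, 2) } # document 10 is owned by user 2

# Weak check, mirroring the original code's mistake: the acting user is
# whoever params[:id] names, so the client chooses its own identity.
def weak_is_owner_or_admin(params)
  user = USERS[params[:id].to_i]
  doc  = DOCS[params[:doc_id].to_i]
  return false if user.nil? || doc.nil?
  user.role == "Admin" || doc.owner_id == user.id
end

# Hardened check: identity comes only from the server-side session
# (set at login); params may name the resource, never the actor.
def strong_is_owner_or_admin(session, params)
  user = session[:user_id] && USERS[session[:user_id]]
  doc  = DOCS[params[:doc_id].to_i]
  return false if user.nil? || doc.nil?
  user.role == "Admin" || doc.owner_id == user.id
end

# Scenario from the thread: user 3 is logged in (per the session) but
# sends params[:id] equal to the admin's id. The weak check grants
# access; the hardened check denies it because the session says user 3,
# who neither is an admin nor owns document 10.
def tampered_request
  session = { user_id: 3 }
  params  = { id: "1", doc_id: "10" }
  {
    weak:   weak_is_owner_or_admin(params),
    strong: strong_is_owner_or_admin(session, params),
  }
end

if __FILE__ == $PROGRAM_NAME
  p tampered_request
end
```

The hardened version is also what the before_filter above reduces to: current_user is derived from session[:user_id], and the only thing read from params is which record is being accessed.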