DoubleRender Question: who can answer?


You want to call this method as a before_filter. Then returning false
will stop further request processing.

before_filter :is_owner_or_admin

You'll also need to pull out the param user_id and just locate this
within the method as you can't pass params to filters.


There is actually a lot wrong here. First of all, you can never trust
params with anything as important as access control. What happens
when a user passes in param[:id] equal to an admin's? They have admin
access under your code. You need to do some sort of user
authentication, store the user_id in the session and then check that
in your code. Example:

# application.rb
# The logged-in user is whoever the session says logged in, never params
def current_user
  @current_user ||= (session[:user_id] ? User.find(session[:user_id]) : nil)
end
helper_method :current_user

# Run this before any filter that relies on current_user being non-nil
def authenticate
  redirect_to(login_url) and return false unless current_user
end

So now you can write the authorization check as a before_filter:

def is_owner_or_admin
  # Assumes authenticate has already run, so current_user is set.
  # Deny unless the logged-in user is an admin or owns the resource.
  unless current_user.role == "Admin" || [ownership check here]
    flash[:error] = "Access denied"
    redirect_to(:controller => :users, :action => :account) and return false
  end
end
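An added, Rails-free model of the two replies above (example code, not from the thread): it contrasts a check that looks the caller up by a request parameter with one that uses the session, and shows the before_filter rule that a filter returning false halts the request. USERS stands in for User.find and FakeController for ActionController; both are constructed here.

```ruby
# Added example, not code from the thread: a Rails-free model of the advice
# above. USERS stands in for User.find, FakeController for ActionController;
# both are constructed here. params name the *resource*, session the caller.
USERS = {
  1 => { :login => "alice", :role => "Admin" },
  2 => { :login => "bob",   :role => "Member" },
}

class FakeController
  attr_reader :params, :session, :flash, :redirected_to

  def initialize(params, session)
    @params, @session, @flash = params, session, {}
  end

  # As in application.rb: the caller is whoever the session says logged in.
  def current_user
    @current_user ||= (session[:user_id] ? USERS[session[:user_id]] : nil)
  end

  def authenticate
    return true if current_user
    @redirected_to = :login
    false
  end

  # The pattern the reply objects to: params[:user_id] is treated as the
  # caller, so any request that names an admin's id gets admin access.
  def is_owner_or_admin_from_params
    user = USERS[params[:user_id].to_i]
    !user.nil? && user[:role] == "Admin"
  end

  # Session-based check, with the ownership test made concrete.
  def is_owner_or_admin
    owner = session[:user_id] == params[:user_id].to_i
    return true if current_user[:role] == "Admin" || owner
    @flash[:error] = "Access denied"
    @redirected_to = :account
    false
  end

  # before_filter semantics: filters run in order and the first to return
  # false halts the request, so authenticate must precede is_owner_or_admin.
  def run_filters(*names)
    names.each { |n| return false unless send(n) }
    true
  end
end
```

With bob (session user_id 2) requesting alice's account (user_id 1), the params-based check grants access while the session-based chain redirects to :account; with no session at all the chain stops at authenticate and never reaches the ownership check.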