In addition to using authorization gems like CanCan, you can also do these things yourself. Before each action in each controller, get the current user. Before any action that would modify, or show in such a way as to allow modifying, any records, check if the current user is the owner of those records. If not, redirect to an error page. Also don't give him any *links* to such things! For instance, on the pages where he can *view* other people's records, don't put an "Edit" link.
-Dave
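The pattern Dave outlines, written out as an added example (it is not code from the post, and it is not CanCan): a load-the-current-user filter that runs before every action, an ownership filter restricted to the actions that modify a record or render its edit form, a redirect to an error page when the check fails, and a `show` action that only emits an "Edit" link for the owner. It runs without Rails: the `before_action`/`redirect_to` emulation, the `User`/`Record` structs, the in-memory `USERS`/`RECORDS` tables and the `RecordsController` are all constructed here for illustration.

```ruby
# Added example, not code from the original post. The before_action and
# redirect_to below are a minimal stand-in for Rails' own, so this file runs
# under plain Ruby. Users, records and the controller are constructed data.

User   = Struct.new(:id, :name)
Record = Struct.new(:id, :owner_id, :body)

# Constructed stand-in for the users and records tables.
USERS   = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }
RECORDS = { 10 => Record.new(10, 1, "alice's note") }

class NotFound < StandardError; end

# Minimal emulation of Rails' before_action filter chain.
class BaseController
  def self.before_action(method_name, only: nil)
    (@filters ||= []) << [method_name, only]
  end

  def self.filters
    @filters || []
  end

  attr_reader :redirected_to, :response, :current_user

  def initialize(session_user_id, params = {})
    @session_user_id = session_user_id   # who the session says is logged in
    @params = params                     # request params (:id, :body, ...)
    @redirected_to = nil
    @response = nil
  end

  # Run the filters that apply to +action+; the action body only runs if
  # no filter redirected away first.
  def dispatch(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return self if @redirected_to
    end
    send(action)
    self
  end

  def redirect_to(path)
    @redirected_to = path
  end
end

class RecordsController < BaseController
  # Before each action, get the current user.
  before_action :set_current_user
  # Before any action that modifies the record (or shows the form that does),
  # require ownership; non-owners are sent to an error page instead.
  before_action :require_owner!, only: %i[edit update destroy]

  def show
    record = find_record
    # Anyone logged in may view, but only the owner gets an "Edit" link.
    links = owner?(record) ? ["/records/#{record.id}/edit"] : []
    @response = { body: record.body, links: links }
  end

  def edit
    @response = { form_for: find_record.id }
  end

  def update
    record = find_record
    record.body = @params[:body]
    @response = { updated: record.id }
  end

  def destroy
    RECORDS.delete(@params[:id])
    @response = { destroyed: @params[:id] }
  end

  private

  def set_current_user
    @current_user = USERS[@session_user_id]
    redirect_to("/login") if @current_user.nil?
  end

  def require_owner!
    redirect_to("/error") unless owner?(find_record)
  end

  def owner?(record)
    !current_user.nil? && record.owner_id == current_user.id
  end

  def find_record
    RECORDS.fetch(@params[:id]) { raise NotFound, "no record #{@params[:id]}" }
  end
end
```

The server-side filter is the control; hiding the link only keeps honest users from stumbling into the error page, since anyone can type `/records/10/edit` or POST an update directly. Note that `require_owner!` is keyed on the action list, so a newly added modifying action that is not listed in `only:` would be unprotected; in a real Rails app an equivalent safeguard is to scope the lookup itself (`current_user.records.find(params[:id])`) so a non-owner's request raises `RecordNotFound` no matter which action it hits.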