How to have users who can only view his/her own stuff.

I know that it is better to have codes when asking questions here, but
I have none, which is kind of why I am asking.

I want to make a to-do list for my friends and family, I learned from
the Agile Development With Rails to make an administrator login. But I
don't seem to be able to figure out how to create users each of which
is restricted to view his or her own pages within the application.

Is there any tutorials/book on this?

Thank You

Slightly open ended question, but if you're asking what I think you are then typically you just let the association methods do the work for you. Eg if User has_many :foos then instead of using Foo.find :all, use some_user.foos.find :all, which guarantees that you will only ever get things belonging to that user (it behaves like a regular find apart from that, so you can pass conditions, a specific id etc...)


For more on that line of thought...

-- gw


I will just explain u with simple basic logic..When u want to restrict
the page or make something available to the related user only u can
easily give user restriction..

each and every user have their own id..So first u can fetch the id of
the user that has logged in and after that u can check in the user table
whose id is that..

once u have completed that work u just need to fire a query which will
display all the tast where user = to the current user who has logged

this is the simple login which can be easily translated into code..even
with the basic rails knowlege


Dhaval Parikh
Software Engineer

My most sincere thanks to you all.

All GREAT!. And they will serve me to unveil the eventual codes that
will get me to the target functionality.

I have thought about the limiting all tasks found according to the
logged-in user ID, hence
@errands = Errand.find(:all, :condition =>'user_id =?','logged_in_id')

But is this better(?):
@errands = User(logged_in_id).errands?

I mean, they fetch the same errands, but security-wise, which would
you prefer and if it is not too much trouble, why?

Hope you had a nice weekend!
And really, thanks so much for writing back! If you're in Berlin, let
me buy you a bier.

All my best,

I have thought about the limiting all tasks found according to the
logged-in user ID, hence
@errands = Errand.find(:all, :condition =>'user_id =?','logged_in_id')

But is this better(?):
@errands = User(logged_in_id).errands?

you mean

@errands = User.find(logged_in_id).errands?

which is the better one.
Only that most people would either use a plugin for the login stuff or
at least
put that in helpers and before_filters

something like:

def current_login
  @current_login ||= Login.find(session[:login]) if session[:login]

in application.rb


or whatever you look for.
From security view it's all the same, as long as you
make sure only to list errands that have the user_id of the logged in
(And this must be the one stored in the session after authentication,
no id that comes from the browser)
The association like thing current_login.errands is just more Ruby
and better to read.

Thanks for your help Thorsten, -- I was on a 25 hour day schedule and
put off this until today. --- I used the "login system" provided as an
example in the book Agile Web Development with Rails. I think it works
okay so far.

May I ask one more (tougher) question?

Well, my co-worker and I were to work on this Macro for the office, so
I added a task in my own account, but it 'd be great if she can see
it, too, in her account. So it's sort of like collaborating, but of
course, this is just a piece of read-only information to 'collaborate'
on. So now, I have this One User Can Have Many Tasks, AND One Task Can
Belong To Multiple Users thing. Is there an easy way to pull this off?

Thank You !

Sure, that's a has_and_belongs_to_many thing then.
This can be done two ways.
The simple one (needs no model):
create a relation table named users_tasks which contains user_id and

Users model:
has_and_belongs_to_many :tasks

Tasks model:
has_and_belongs_to_many :users

Then you can use all the common functions
@user.tasks <<
@user.tasks.each do |task|...
and so on

Disadvantage of this approach is, that you can't store more
in the intermediate table and can't access it in other ways, since it
has no
model of it's own.
Lots of Rails programmers (if not most) go another way, slightly more
work to setup, but with more options:

Create a model name UserTasks (columns: id, user_id, :task_id and
whatever information you may need), then
User model:
has_many :user_tasks
has_many :tasks :through :user_tasks

has_many :user_tasks
has_many :users :through :user_tasks

belongs_to :user
belongs_to :task

The tricky part (ok, not so tricky) is the through option which
relations over the intermediate table, so in the end you can again do
and get them all