How to restrict viewing/modifying other users data?

Hi Everyone. I am working on my first Ruby on Rails app. It is a basic project management application. I have user login/logout functionality set up. It will only display a list of projects that are linked to the logged in user. However, if someone else logs in and types in a url such as www.projectmanagement.com/projects/17 (where 17 is a project id), they will be able to see that project even if they are not linked to it. What is the best design approach to this problem?

Thank you for any advice!!!

Nathan

Instead of doing Project.find, do current_user.projects.find. This restricts the find to projects owned by that user.

Fred

I would think a simple before_filter would work for you that would require a login before those projects could be viewed. Once they login, they would only be able to see the projects that they are assigned to.

Your before_filter would be placed up top in the controller for projects.

Something like this....

before_filter :login_required, :only => [:new, :create, :edit, :update]

Then you could add all of the other actions that require a login as well, such as :show, :add, :edit, :delete, etc., etc. I am certainly no Rails genius yet, but I think this would work for you.

--Cory
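The two suggestions above address different checks: Cory's before_filter decides whether anyone is logged in at all, while Fred's current_user.projects.find decides which rows a logged-in user may touch, which is the check Nathan's /projects/17 URL bypasses. The plain-Ruby sketch below is an added example written for this page, not code from the thread or from Rails; it stands in for the controller pattern with a hand-built User, Project, an in-memory DB and a Relation class that imitates ActiveRecord's find-or-raise behaviour, all constructed for the demo.

```ruby
# Added example, not code from the thread. Contrasts the unscoped lookup
# (Project.find) with the user-scoped one (current_user.projects.find).
# Everything here (User, Project, DB, Relation, the "actions") is a
# constructed stand-in for the Rails pieces the thread talks about.

class RecordNotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound
class NotLoggedIn    < StandardError; end   # what a login_required before_filter would reject

# A project row: id, name, and the ids of the users linked to it.
Project = Struct.new(:id, :name, :member_ids)

# Constructed sample data: user 1 is on both projects, user 2 only on 18.
DB = [
  Project.new(17, "Payroll migration", [1]),
  Project.new(18, "Website redesign",  [1, 2]),
].freeze

# Stand-in for an ActiveRecord relation: a set of rows plus a #find that
# raises when the id is not in that set, exactly as AR's find does.
class Relation
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |p| p.id == id } ||
      raise(RecordNotFound, "Couldn't find Project with id=#{id}")
  end

  def ids
    @rows.map(&:id)
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Mirrors current_user.projects: only the projects this user is linked to.
  def projects
    Relation.new(DB.select { |p| p.member_ids.include?(id) })
  end
end

# What Project.find searches: every row, regardless of who is asking.
def all_projects
  Relation.new(DB)
end

# The before_filter part: reject the request if nobody is logged in.
def login_required!(current_user)
  raise NotLoggedIn, "login required" if current_user.nil?
end

# Vulnerable "show" action: passes the login check, then lets any
# logged-in user fetch any project id (Project.find(params[:id])).
def show_unscoped(current_user, project_id)
  login_required!(current_user)
  all_projects.find(project_id)
end

# Fixed "show" action: the lookup is scoped to the current user
# (current_user.projects.find(params[:id])), so an id the user is not
# linked to does not exist from their point of view and raises
# RecordNotFound, which Rails turns into a 404.
def show_scoped(current_user, project_id)
  login_required!(current_user)
  current_user.projects.find(project_id)
end

# Convenience check: can this user view the project under the fixed action?
def visible?(current_user, project_id)
  show_scoped(current_user, project_id)
  true
rescue RecordNotFound, NotLoggedIn
  false
end

if __FILE__ == $PROGRAM_NAME
  other = User.new(2)
  puts show_unscoped(other, 17).name   # leaks "Payroll migration" to user 2
  puts visible?(other, 17)             # false: scoped lookup hides it
  puts visible?(User.new(1), 17)       # true: user 1 is linked to it
end
```

Note that the login check alone does nothing for this bug: user 2 is logged in, so show_unscoped happily returns project 17. The scoped lookup is also what should back edit, update and destroy, not just show, since the same URL guessing works for those actions.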

Actually, nevermind. Frederick posted exactly what I was coming back to post!

--Cory

Great! Thank you for the advice. I had thought of doing the before_filter, but was not sure if that was the best way to go. Also, I like the "current_user.projects.find" idea.

Thanks again! Nathan