how to secure controller functions per user

I've got an app running that uses acts as attachment.

Works well and i've secured an admin area and an owners area.

Trouble is I now need to secure each action to ensure that people can't just alter a url to edit another owners records. Any tips for doing this....?

I have a concept of a logged in owner. @owner = current_owner.

Be grateful for any pointers, i'm looking for the simplest solution.

Don't secure the controller method, secure the record. In a schema where:

User :has_many Thingies

you can do:


Where current_user is typically instantiated by your authentication filter. This effectively scopes the find only to those thingies that belong to a particular user.

Good question. Obviously, you are moving more toward an ACL or role-based authentication system, so it's not as simple as keeping people out of each others' data. If you created a habtm relationship instead of has_many, your data records could belong to both the user-level owner and also the admin. Just a thought.