This is a really basic response, but it may give you an idea.
When you call your ‘company/edit’ action, just do this:
@user = User.find(session[:user_id]) # This assumes that you are using cookies to authenticate
@company = @user.companies.find(params[:id])
This ensures that you are not editing companies out of scope for the owning user.
Does that help?
Off the top of my head, I can’t see a way to do this. It seems to be out of the scope w/ the MVC here, and that the controller really needs to be handling this rather than the model.
Now, you could override the methods of your class so that they require an id to be passed to them for each action… but that sounds like a lot of extra work.
Maybe someone else has some insight here…
Take a look at the authorization plugin: http://www.writertopia.com/developers/authorization
I especially like the authorization DSL.
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks