This is a really basic response, but it may give you an idea.
When you call your ‘company/edit’ action, just do this:
@user = User.find(session[:user_id]) # This assumes that you are using cookies to authenticate
@company = @user.companies.find(params[:id]) # Scoped through the association: an id owned by another user raises ActiveRecord::RecordNotFound
This ensures that you are not editing companies out of scope for the owning user.
Does that help?
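As an added illustration (not part of the answer above, and using plain Ruby in place of ActiveRecord), the following models the difference between an unscoped `Company.find(params[:id])` and the association-scoped `@user.companies.find(params[:id])` that the answer recommends; the data, `RecordNotFound` class and `edit_company` action are constructed stand-ins:

```ruby
# Plain-Ruby stand-in for ActiveRecord: Company records carry an owner_id,
# as they would under a `has_many :companies` on User.
Company = Struct.new(:id, :owner_id, :name)

# Stand-in for ActiveRecord::RecordNotFound.
class RecordNotFound < StandardError; end

# Constructed sample data: user 10 owns companies 1 and 2, user 20 owns 3.
COMPANIES = [
  Company.new(1, 10, "Acme"),
  Company.new(2, 10, "Globex"),
  Company.new(3, 20, "Initech"),
]

# Unscoped lookup (Company.find(id)): any id resolves for any caller, so a
# user who edits the id in the URL can reach another user's record.
def find_company_unscoped(id)
  COMPANIES.find { |c| c.id == id } or raise RecordNotFound, "Company #{id}"
end

# Scoped lookup (@user.companies.find(id)): the search is restricted to the
# caller's own companies, so out-of-scope ids are simply not found.
def find_company_for(user_id, id)
  COMPANIES.find { |c| c.owner_id == user_id && c.id == id } or
    raise RecordNotFound, "Company #{id}"
end

# Controller-style edit action. Returns the updated name on success, or
# :not_found when the requested company does not belong to the session user.
def edit_company(session_user_id, params)
  company = find_company_for(session_user_id, Integer(params[:id]))
  company.name = params[:name]
  company.name
rescue RecordNotFound
  :not_found
end
```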