Limiting records in a restful controller

I want to make my controller only show records for view, edit and destroy that belong to their owner (the user who created it). My question: my first guess would be to perhaps create a filter for the "show" action, thus presenting the user with only their own records. Does this make sense? And is it possible for a hacker to send a request like '7;edit' (when 7 doesn't belong to them)? So perhaps I need to code all the actions for the right user?

TIA Stuart

Update - I'm thinking that probably the best way to approach this is via an option in the map.resources call in routes.rb? Maybe?

Stuart

I use the meantime_filter plugin to scope the active records in question. It's like having a before and after filter in one method, so you can yield a block. In the example below the require_user method is called first and creates the @user object. Then the show action is called, but it is called within the attach_scope method, which scopes the records so only those belonging to the user are shown.

```ruby
class JobsController < ApplicationController

  before_filter :require_user
  meantime_filter :attach_scope

  def show
    # Runs inside attach_scope, so this only retrieves the user's jobs
    @jobs = Job.find(:all)
  end

  private

  def require_user
    # The user id is taken from the request (params[:user]), i.e. it is client-supplied.
    # find_by_id returns nil for an unknown id (find would raise instead), so the
    # check below actually gets a chance to run.
    @user = User.find_by_id(params[:user])
    if not @user or not @user.enabled
      render :partial => "users/disabled"
      return
    end
  end

  def attach_scope
    # Every Job.find executed inside this block is restricted to the user's rows
    Job.with_scope(:find => { :conditions => ["user_id = ?", @user.id] }) do
      yield
    end
  end

end
```

Dark Ambient wrote:

Always work from the user:

@application.rb

```ruby
def current_user
  User.find(session[:user_id])
end
```

@record_controller

```ruby
def edit
  # Looked up through the owner: raises RecordNotFound unless the id is one of this user's records
  @record = current_user.records.find(params[:id])
end
```

This seems to be a nice solution. I received a few errors and sort of bailed on it for the time being, ONLY because I already have a number of before_filters in the controller. I thought if I could combine the user.id into them it might work.

This is my before filter:

```ruby
protected

def find_cdetail
  begin
    # Unscoped lookup: any existing id resolves, whoever owns the record
    @cdetail = Cdetail.find(params[:id])
  rescue
    flash.now[:warning] = 'Error, Invalid ID'
    logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
  end
end
```

and I tried doing something like this:

```ruby
protected

def find_cdetail
  id   = params[:id]
  user = current_user.id
  begin
    # :first rather than :all -- :all returns an Array, so @cdetail would never be a single record
    @cdetail = Cdetail.find(:first, :conditions => ["id = :id and user_id = :user",
                                                     { :id => id, :user => user }])
    # ....................
  end
end
```

However, it doesn't seem to work as expected.

Stuart
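The point both replies make, the scoped Job.find in the meantime_filter post and Dark Ambient's current_user.records.find, is that the owner has to be part of the lookup key for every action that takes an :id, not just for "show". The following is an added example written for this page, not code from the thread or from Rails: it runs without Rails, using a constructed Cdetail struct, a constructed CDETAILS table, a stand-in CdetailsController and a hypothetical handle helper in place of the real models and request cycle. It puts the unscoped finder (Stuart's original filter) next to the owner-scoped one and shows that, with the scoped version installed as a single before-filter for show, edit and destroy, a request for someone else's id gets a 404 exactly like a nonexistent id.

```ruby
# Added example, not from the thread: owner-scoped record lookup in plain Ruby.
# Cdetail, CDETAILS, CdetailsController and handle are constructed stand-ins for the
# Rails models/controller discussed above; no Rails is loaded.

class RecordNotFound < StandardError; end

Cdetail = Struct.new(:id, :user_id, :title)

# Constructed sample rows: user 1 owns ids 5 and 9, user 2 owns id 7.
CDETAILS = [
  Cdetail.new(5, 1, "alice-first"),
  Cdetail.new(7, 2, "bob-only"),
  Cdetail.new(9, 1, "alice-second"),
].freeze

# Stand-in for Cdetail.find(params[:id]): resolves any existing id, whoever owns it.
def find_cdetail_unscoped(id)
  CDETAILS.find { |c| c.id == id } or raise RecordNotFound, "Cdetail id=#{id.inspect}"
end

# Stand-in for current_user.cdetails.find(params[:id]): the owner is part of the lookup
# key, so another user's id is indistinguishable from an id that does not exist.
def find_cdetail_for_owner(user_id, id)
  CDETAILS.find { |c| c.id == id && c.user_id == user_id } or
    raise RecordNotFound, "Cdetail id=#{id.inspect} for user #{user_id}"
end

# Minimal controller stand-in: one before-filter loads the record for show, edit and
# destroy, so every action that takes an :id gets the same ownership check.
class CdetailsController
  ACTIONS = [:show, :edit, :destroy].freeze

  attr_reader :status, :cdetail, :log

  def initialize(current_user_id, params)
    @current_user_id = current_user_id  # in Rails this would come from session[:user_id]
    @params = params
    @status = 200
    @log = []
  end

  def run(action)
    raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)
    return self unless find_cdetail  # the filter halted the chain with a 404
    public_send(action)
    self
  end

  def show;    @status = 200; end
  def edit;    @status = 200; end
  def destroy; @log << "deleted id=#{@cdetail.id}"; @status = 204; end

  private

  # Strict parse: Integer("7;edit", 10) raises, whereas "7;edit".to_i silently yields 7.
  def parse_id
    Integer(@params[:id].to_s, 10)
  rescue ArgumentError
    nil
  end

  # The before-filter. Ownership is checked here once, for all three actions.
  def find_cdetail
    @cdetail = find_cdetail_for_owner(@current_user_id, parse_id)
    true
  rescue RecordNotFound
    @log << "AttemptToFindInvalidID id=#{@params[:id].inspect} user=#{@current_user_id}"
    @status = 404
    false
  end
end

# Hypothetical helper standing in for the request cycle: user, action, raw :id param.
def handle(user_id, action, raw_id)
  CdetailsController.new(user_id, { :id => raw_id }).run(action)
end

if __FILE__ == $0
  puts handle(2, :edit, "5").status     # 404: id 5 belongs to user 1
  puts handle(1, :edit, "5").status     # 200
  puts find_cdetail_unscoped(7).title   # "bob-only", no matter who asks
end
```

The unscoped finder is kept only to show the contrast; in the controller it is never called. Note that a rejected request is logged with both the requested id and the requesting user, which is the line you want in the log when you later look for someone enumerating ids.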