Limiting records in a restful controller

I want to make my controller only show records for view, edit and
destroy that belong to their owner (the user who created it).
My question - my first guess would be to perhaps create a filter for
the "show" action, thus presenting the user with only their own
records. Does this make sense? And is it possible for a hacker to
send a request like '7;edit' (when 7 doesn't belong to them)? So
perhaps I need to code all the actions for the right user?

TIA
Stuart

Update - I'm thinking that probably the best way to approach this is
via an option in the map.resources call in routes.rb? Maybe?

Stuart

I use the meantime_filter plugin to scope the
active records in question. It's like having a before and after filter
in one method, so you can yield a block. In the example below the
require_user method is called first and creates the @user object. Then
the show action is called, but it is called within the attach_scope
method, which scopes the records so only those belonging to the user are
shown.

```ruby
class JobsController < ApplicationController

  before_filter :require_user
  meantime_filter :attach_scope   # provided by the meantime_filter plugin

  def show
    # Runs inside attach_scope, so this only retrieves the user's jobs
    @jobs = Job.find(:all)
  end

  private

  def require_user
    # find_by_id returns nil (rather than raising) for an unknown id,
    # so the nil check below is actually reached
    @user = User.find_by_id(params[:user])
    if not @user or not @user.enabled
      render :partial => "users/disabled"
      return
    end
  end

  def attach_scope
    # Every Job.find inside the block is restricted to the user's rows
    Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
      yield
    end
  end

end
```

Dark Ambient wrote:

Always work from the user:

@application.rb

def current_user
   # Looks up the logged-in user from the session on each request
   User.find(session[:user_id])
end

@record_controller

def edit
   # Going through the association means an id owned by someone else
   # raises ActiveRecord::RecordNotFound instead of being returned
   @record = current_user.records.find(params[:id])
end

This seems to be a nice solution. I received a few errors and sort of
bailed on it for the time being, ONLY because I already have a number
of before_filters in the controller. I thought if I could combine the
user.id into them it might work.

This is my before filter -

protected
    def find_cdetail
      begin
        @cdetail = Cdetail.find(params[:id])
      rescue
        flash.now[:warning] = 'Error, Invalid ID'
        logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
      end
    end

and I tried doing something like this:
protected
   def find_cdetail
     id = params[:id]
     user = current_user.id
     begin
       # Look the row up by id, but only if it belongs to the current user;
       # find with an id plus :conditions raises RecordNotFound when the
       # conditions exclude the row, which triggers the rescue below.
       # (The original hash literal ":user => user => user_id" was a typo.)
       @cdetail = Cdetail.find(id, :conditions => ["user_id = :user",
                                                   {:user => user}])
     rescue
       flash.now[:warning] = 'Error, Invalid ID'
       logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
     end
   end

However, it doesn't seem to work as expected.
Stuart
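As an added illustration (not code from this thread or from Rails), the rule the replies converge on, written in plain Ruby with a constructed in-memory table standing in for Cdetail: every member action goes through an owner-scoped lookup, and a missing id, a not-owned id and a malformed id like '7;edit' all get the same not-found answer. RecordNotFound, find_unscoped, find_for_user and run_action are names assumed for this example.

```ruby
# Plain-Ruby stand-in for the Rails pattern in the thread (constructed,
# in-memory data; no ActiveRecord). Names here are assumed for the example.

class RecordNotFound < StandardError; end

Cdetail = Struct.new(:id, :user_id, :body)

# Constructed sample table: ids 5 and 6 belong to user 1, id 7 to user 2.
CDETAILS = [
  Cdetail.new(5, 1, "user 1, first"),
  Cdetail.new(6, 1, "user 1, second"),
  Cdetail.new(7, 2, "user 2, private"),
]

# The unscoped lookup (Cdetail.find(params[:id])): any valid id comes back,
# whoever asks for it.
def find_unscoped(id)
  CDETAILS.find { |c| c.id == id } or raise RecordNotFound
end

# Owner-scoped lookup, the equivalent of current_user.cdetails.find(id) or
# with_scope(:find => {:conditions => ["user_id = ?", user_id]}).
# Missing and not-owned raise the same error, so the response never reveals
# whether id 7 exists.
def find_for_user(user_id, id)
  CDETAILS.find { |c| c.id == id && c.user_id == user_id } or raise RecordNotFound
end

# before_filter-style wrapper applied to every member action (show, edit,
# update, destroy). Returns [status, body] like a tiny controller would.
def run_action(action, current_user_id, params)
  cdetail = find_for_user(current_user_id, Integer(params[:id]))
  case action
  when :show, :edit then [200, cdetail.body]
  when :update
    cdetail.body = params[:body]
    [200, cdetail.body]
  when :destroy
    CDETAILS.delete(cdetail)
    [200, "deleted #{cdetail.id}"]
  else [405, "unknown action"]
  end
rescue RecordNotFound, ArgumentError
  [404, "not found"]   # same answer for missing, not-owned, or bogus ids
end
```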