I want to make my controller only show records for view, edit and
destroy that belong to their owner (the user who created it).
My question - My first guess would be to perhaps create a filter for
the "show" action, thus presenting the user with only their own
records. Does this make sense? And, is it possible for a hacker to
send a request like '7;edit' (when 7 doesn't belong to them)? So,
perhaps I need to code all the actions for the right user?
TIA
Stuart
Update - I'm thinking that probably the best way to approach this is
via an option in the map.resources call in routes.rb? Maybe?
Stuart
I use the meantime_filter plugin to scope the
active records in question. It's like having a before and after filter
in one method, so you can yield a block. In the example below the
require_user method is called first and creates the @user object. Then
the show action is called, but it is called within the attach_scope
method which scopes the records so only those belonging to the user are
shown.

```ruby
class JobsController < ApplicationController
  before_filter :require_user
  meantime_filter :attach_scope

  def show
    @jobs = Job.find(:all) # Runs inside the scope, so only the user's jobs are retrieved
  end

  private

  def require_user
    # find_by_id returns nil instead of raising, so the nil check below works
    @user = User.find_by_id(params[:user])
    if not @user or not @user.enabled
      render :partial => "users/disabled"
      return
    end
  end

  # Wraps the action so every Job.find inside it is restricted to this user's rows
  def attach_scope
    Job.with_scope(:find => {:conditions => ["user_id = ?", @user.id]}) do
      yield
    end
  end
end
```
Dark Ambient wrote:
Always work from the user:
application.rb:

```ruby
def current_user
  User.find(session[:user_id])
end
```

record_controller:

```ruby
def edit
  # Looking up through the association means a record id that belongs to
  # someone else raises RecordNotFound instead of being returned
  @record = current_user.records.find(params[:id])
end
```
This seems to be a nice solution. I received a few errors and sort of
bailed on it for the time being, ONLY because I already have a number
of before_filters in the controller. I thought if I could combine the
user.id into them it might work.
This is my before filter -
```ruby
protected

def find_cdetail
  begin
    @cdetail = Cdetail.find(params[:id])
  rescue ActiveRecord::RecordNotFound
    flash.now[:warning] = 'Error, Invalid ID'
    logger.error("RescueAttemptToFindInvalidID#{params[:id]}")
  end
end
```
and I tried doing something like this:
```ruby
protected

def find_cdetail
  id = params[:id]
  user = current_user.id
  begin
    # find(:first) returns a single record; find(:all) would return an Array
    @cdetail = Cdetail.find(:first, :conditions => ["id = :id AND user_id = :user",
                                                     {:id => id, :user => user}])
    # .................... (rest of the method elided in the original post)
  end
end
```

However, it doesn't seem to work as expected.
Stuart
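The "always work from the user" advice and Stuart's find_cdetail attempt above, as an added example that is not from the thread: plain Ruby with no Rails available, so the in-memory Cdetail table, the owner-scoped User#find_cdetail finder and the CdetailsController stand-in are all assumptions standing in for the association lookup and the before_filter.

```ruby
class RecordNotFound < StandardError; end

# Constructed sample rows standing in for the cdetails table (id, owner user_id).
Cdetail = Struct.new(:id, :user_id)
CDETAILS = [Cdetail.new(7, 1), Cdetail.new(8, 2)].freeze

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Owner-scoped finder: the user_id condition is always applied, so an id that
  # belongs to another user is treated exactly like an id that does not exist.
  def find_cdetail(id)
    CDETAILS.find { |c| c.id == id.to_i && c.user_id == @id } or
      raise RecordNotFound, "Couldn't find Cdetail with id=#{id} for user #{@id}"
  end
end

# Controller stand-in: every member action (show/edit/update/destroy) runs the
# find_cdetail filter first and halts when the record is not the user's own.
class CdetailsController
  attr_reader :flash, :status, :cdetail
  def initialize(current_user, params)
    @current_user, @params, @flash = current_user, params, {}
  end

  def edit
    return nil unless find_cdetail # filter chain halted
    @status = 200
    @cdetail
  end

  private
  def find_cdetail
    @cdetail = @current_user.find_cdetail(@params[:id])
  rescue RecordNotFound
    @flash[:warning] = 'Error, Invalid ID'
    @status = 404 # same response whether the id is foreign or absent
    nil
  end
end

# Simulate a request from user_id for /cdetails/record_id;edit
def try_edit(user_id, record_id)
  CdetailsController.new(User.new(user_id), {:id => record_id}).tap(&:edit)
end
```

Sending '7;edit' as user 2 gets the same 'Invalid ID' response as a non-existent id, so the owner check does not need to be repeated in each action.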