Managing user accounts and data records

Michael5 · January 30, 2009, 2:52am

Hi, I am looking for a simple way to implement a form of "data ownership" in a Rails application. Basically, I'd like for users / accounts to only be able to view or operate on model data that they have created themselves and to not have any sort of awareness of the data created by other users / accounts.

My initial thought is that I will need something like account_id on all of the models and each request will check that the searched for model id is owned by the currently authenticated account. Has anyone done anything like this and is there a simpler way?

Thanks

Julian_Leviston · January 30, 2009, 5:55am

Google model scoping.

Basically you get:

For 'dogs' list your list action

You hve a before filter to authorize and set the logged in user then:

logged_in_user.dogs

The show action has:

logged_in_user.dogs.find(params[:id])

That way people can't look up the wrong records

Topic		Replies	Views
Validate Object Ownership (user_id) in model, or in controller? rubyonrails-talk	1	99	December 10, 2007
Simplify code on method about 4 models rubyonrails-talk	4	193	August 10, 2011
How to prevent users from looking at other user's data rubyonrails-talk	1	157	February 12, 2009
Restricting visibility of data based on user id rubyonrails-talk	0	113	December 23, 2006
Recommended way of restricting action permissions? rubyonrails-talk	3	104	December 19, 2008

Managing user accounts and data records

Related topics

More Resources