Overcoming security via typing in the URL?

Daniel Legrand wrote:

I'm creating a registration page where parents register their children
for an event. I have each parent give me a username and password to
login and register their children. Parents also have the ability to
come back and edit their children's information. However, if I log in
as a parent to edit my child's information, I can type another parent's
child's id into the URL to edit that child.

For instance, say I log into the system and view my children, and the
link to this is: .../children/edit/1, where 1 is the id of my child. I
can go up to the URL and type in .../children/edit/2, and edit the
information of a child other than my own. Is there any simple way to
stop this and allow parents to edit ONLY their associated children?

My apologies if this is a simple question; I'm new to web development and
Ruby on Rails. But if anyone has a solution or can point me to a
resource that can answer my question, I'd greatly appreciate it.

Thanks.
Daniel L

You should be using associations to do the find. As in:

@parent = Parent.find params[:parent_id]
@child = @parent.children.find params[:child_id]

That will only find children of @parent.

Check out http://api.rubyonrails.com/classes/ActiveRecord/Associations/ClassMethods.html

There is still a security issue doing it this way:
@parent = Parent.find params[:parent_id]
since all someone has to do is put in ?parent_id=whatever
If you used some sort of login generator you can do something like
current_user.children.find params[:child_id]
That way you are pulling the current_user from the session.
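The three lookups discussed in the replies above, side by side, as an added example that is not part of the thread. It runs without Rails: the Parent/Child structs, the ChildrenAssociation class, RecordNotFound and the sample data are stand-ins for ActiveRecord models, associations and ActiveRecord::RecordNotFound, and the parent and child ids are constructed for the demonstration.

```ruby
# Added example (not from the thread): models the "scope the find through
# the logged-in parent" pattern the replies describe. The classes below are
# assumed stand-ins for ActiveRecord so the file runs without Rails.

class RecordNotFound < StandardError; end

Child = Struct.new(:id, :parent_id, :name)

# Constructed sample data: two parents (ids 10 and 20), one child each.
CHILDREN = [
  Child.new(1, 10, "Alice"),
  Child.new(2, 20, "Bob"),
].freeze

# Stand-in for a parent's `children` association: every lookup is
# restricted to rows whose parent_id matches, so a foreign id raises
# instead of returning another parent's child.
class ChildrenAssociation
  def initialize(parent_id)
    @parent_id = parent_id
  end

  def find(id)
    CHILDREN.find { |c| c.id == Integer(id) && c.parent_id == @parent_id } or
      raise RecordNotFound, "Couldn't find Child with id=#{id} for parent #{@parent_id}"
  end
end

Parent = Struct.new(:id, :username) do
  def children
    ChildrenAssociation.new(id)
  end
end

PARENTS = { 10 => Parent.new(10, "daniel"), 20 => Parent.new(20, "other") }.freeze

# 1. The original problem: the edit action trusts the child id from the
#    URL alone, so any logged-in parent can open any child's record.
def edit_child_unscoped(_current_user, params)
  CHILDREN.find { |c| c.id == Integer(params[:id]) } or raise RecordNotFound
end

# 2. First reply: scoped through the association, but the parent itself
#    still comes from the URL, so ?parent_id=<other parent> passes the check.
def edit_child_param_parent(_current_user, params)
  parent = PARENTS[Integer(params[:parent_id])] or raise RecordNotFound
  parent.children.find(params[:id])
end

# 3. Second reply: current_user comes from the session (here passed in by
#    the caller), and the child is found through current_user.children.
def edit_child_scoped(current_user, params)
  current_user.children.find(params[:id])
end

# Runs one of the actions and reports whether the lookup succeeded.
def try_edit(action, current_user, params)
  send(action, current_user, params)
  :allowed
rescue RecordNotFound
  :denied
end

if $PROGRAM_NAME == __FILE__
  daniel = PARENTS[10]  # logged in as the parent of child 1
  puts try_edit(:edit_child_unscoped, daniel, { id: "2" })                        # :allowed (the bug)
  puts try_edit(:edit_child_param_parent, daniel, { parent_id: "20", id: "2" })   # :allowed (still bypassable)
  puts try_edit(:edit_child_scoped, daniel, { id: "2" })                          # :denied
  puts try_edit(:edit_child_scoped, daniel, { id: "1" })                          # :allowed (own child)
end
```

The point to take from the third version is that the only identifier a user controls is the child id, and that id is resolved inside a query already filtered to the session's parent; a wrong id simply raises RecordNotFound, which Rails turns into a 404 rather than an edit form.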