Daniel Legrand wrote:
I'm creating a registration page where parents register their children for an event. I have each parent give me a username and password to login and register their children. Parents also have the ability to come back and edit their children's information. However, if I log in as a parent to edit my child's information, I can type another parent's child's id into the URL to edit that child.
For instance, say I log into the system and view my children, and the link to this is: .../children/edit/1, where 1 is the id of my child. I can go up to the URL and type in .../children/edit/2, and edit the information of a child other than my own. Is there any simple way to stop this and allow parents to edit ONLY their associated children?
My apologies if this is a simple question; I'm new to web development and Ruby on Rails. But if anyone has a solution or can point me to a resource that can answer my question, I'd greatly appreciate it.
Thanks. Daniel L
You should be using associations to do the find. As in:
@parent = Parent.find params[:parent_id]
@child = @parent.children.find params[:child_id]
That will only find children of @parent.
Check out Peak Obsession
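To make the difference between the two lookups concrete, here is an added example that is not part of the original thread and does not need Rails or a database: the Parent and Child structs, the in-memory records and the helper names (find_child_unscoped, find_child_scoped, edit_child) are all constructed for illustration, standing in for Child.find and @parent.children.find.

```ruby
# Added example (not from the original thread): a plain-Ruby model of the
# unscoped lookup from the question and the association-scoped lookup from
# the reply. Parent/Child and the sample records below are constructed here.

class RecordNotFound < StandardError; end

Child  = Struct.new(:id, :parent_id, :name)
Parent = Struct.new(:id, :username)

# Constructed sample data: two parents, each with one child.
PARENTS  = [Parent.new(1, "alice"), Parent.new(2, "bob")].freeze
CHILDREN = [Child.new(1, 1, "Alice's kid"), Child.new(2, 2, "Bob's kid")].freeze

# Stand-in for Child.find(id): looks the record up by id alone, with no
# ownership check. This is the problem described in the question: any
# logged-in parent reaches any child's record by changing the id in the URL.
def find_child_unscoped(child_id)
  CHILDREN.find { |c| c.id == child_id } or raise RecordNotFound
end

# Stand-in for @parent.children.find(id): the lookup is restricted to the
# children that belong to the current parent, so a foreign id is simply
# "not found" rather than another family's record.
def find_child_scoped(current_parent, child_id)
  CHILDREN.find { |c| c.parent_id == current_parent.id && c.id == child_id } or
    raise RecordNotFound
end

# Controller-style edit action: current_parent must come from the session,
# never from the request. Returns the record, or nil when the requested
# child is not one of the current parent's children.
def edit_child(current_parent, params)
  find_child_scoped(current_parent, params[:id].to_i)
rescue RecordNotFound
  nil
end

if __FILE__ == $0
  alice = PARENTS[0]
  p find_child_unscoped(2)            # unscoped: Alice reaches Bob's child
  p edit_child(alice, { id: "1" })    # scoped: her own child is returned
  p edit_child(alice, { id: "2" })    # scoped: nil, Bob's child is out of reach
end
```

One caveat when carrying this into a real controller: the scoping only helps if @parent itself is the logged-in parent taken from the session (for example, looked up by an id stored at login), not a parent_id supplied by the client. A parent id in the URL can be edited exactly like the child id, so deriving @parent from params would move the hole rather than close it.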