Daniel Legrand wrote:
I'm creating a registration page where parents register their children
for an event. I have each parent give me a username and password to
login and register their children. Parents also have the ability to
come back and edit their children's information. However, if I log in
as a parent to edit my child's information, I can type another parent's
child's id into the URL to edit that child.
For instance, say I log into the system and view my children, and the
link to this is: .../children/edit/1, where 1 is the id of my child. I
can go up to the URL and type in .../children/edit/2, and edit the
information of a child other than my own. Is there any simple way to
stop this and allow parents to edit ONLY their associated children?
My apologies if this is a simple question; I'm new to web development and
Ruby on Rails. But if anyone has a solution or can point me to a
resource that can answer my question, I'd greatly appreciate it.
You should be using associations to do the find. As in:
@parent = Parent.find params[:parent_id]
@child = @parent.children.find params[:child_id]
That will only find children of @parent.
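
The scoped lookup next to the unscoped one, as an added example in plain Ruby (not code from the thread, and no Rails required). The classes, ids and sample data are constructed stand-ins for the Parent and Child models, and it assumes the parent's id is read from the logged-in user's server-side session rather than from a URL parameter, since an id taken from the URL can be changed just like the child id.

```ruby
# Added example: plain-Ruby stand-ins for the Rails models discussed above.
# All class names, ids and data below are constructed for illustration.
class RecordNotFound < StandardError; end

Child = Struct.new(:id, :parent_id, :name)

# Constructed sample data: child 1 belongs to parent 10, child 2 to parent 20.
CHILDREN = [
  Child.new(1, 10, "Alice"),
  Child.new(2, 20, "Bob")
].freeze

# Mimics the finder of an association such as parent.children:
# it can only return rows that are already inside its scope.
class ChildScope
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |c| c.id == Integer(id) } or
      raise RecordNotFound, "no child #{id} in this scope"
  end
end

Parent = Struct.new(:id) do
  def children
    ChildScope.new(CHILDREN.select { |c| c.parent_id == id })
  end
end

# Unscoped: searches every child and trusts the id typed into the URL.
def edit_unscoped(params)
  ChildScope.new(CHILDREN).find(params[:id])
end

# Scoped: the parent is taken from the session (assumption), and the id
# from the URL is searched only among that parent's children.
def edit_scoped(session, params)
  parent = Parent.new(session.fetch(:parent_id))
  parent.children.find(params[:id])
rescue RecordNotFound
  :not_found # a Rails controller would answer with a 404 here
end
```

With parent 10 logged in, `edit_unscoped` still returns child 2 when the URL says `/children/edit/2`, while `edit_scoped` returns `:not_found` for the same request.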