Prefered way to deny access

Lets say I have a session based login system:

username = session[:username] (jochen)
userid = session[:userid] (1)

Now I want to book a room:

http://127.0.0.1:3000/guests/1/bookings/new (works)

But when I type

http://127.0.0.1:3000/guests/5/bookings/new

I can book a room for a different user.

Whats the prefered way to deny success to urls including a userid so that I can only
access these url which include my userid?

Thanx

http://127.0.0.1:3000/guests/1/bookings/new

That's the way rails does, or?

I would suggest installing the restful_authentication plugin

Once done one way of doing it is in the bookings controller add the
following filter

before_filter :login_required

And add a subsequent authorized? method to check if the url user_id
matches the current user, The code below checks the user is logged in
and is in the correct role.

def authorized?

logged_in? && (current_user.roles.in_role('company') or

current_user.roles.in_role(‘admin’))

end

Jochen Kaechelin wrote:

Unless you're nesting your routes, which in this case might make sense.

--Jeremy