Prefered way to deny access

Lets say I have a session based login system:

username = session[:username] (jochen) userid = session[:userid] (1)

Now I want to book a room: (works)

But when I type

I can book a room for a different user.

Whats the prefered way to deny success to urls including a userid so that I can only access these url which include my userid?


That's the way rails does, or?

I would suggest installing the restful_authentication plugin

Once done one way of doing it is in the bookings controller add the following filter

before_filter :login_required

And add a subsequent authorized? method to check if the url user_id matches the current user, The code below checks the user is logged in and is in the correct role.

def authorized?

logged_in? && (current_user.roles.in_role('company') or



Jochen Kaechelin wrote:

Unless you're nesting your routes, which in this case might make sense.