I would suggest installing the restful_authentication plugin.
Once done, one way of doing it is to add the following filter in the
bookings controller:

    before_filter :login_required

And add a subsequent authorized? method to check if the URL user_id
matches the current user. The code below checks the user is logged in
and is in the correct role.

    def authorized?
      logged_in? && (current_user.roles.in_role('company') or
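
Added example, not part of the original post and not the plugin's own code: the check the post describes (logged in, and either in the 'company' role or the owner of the user_id in the URL), written as plain Ruby so it runs outside Rails. The User struct, the BookingsAccess class and the allowed? helper are hypothetical stand-ins for the model, the controller and its params.

```ruby
# Hypothetical stand-in for the user model; roles is a list of role names.
User = Struct.new(:id, :roles) do
  def in_role?(name)
    roles.include?(name)
  end
end

# Hypothetical stand-in for the bookings controller's access check.
class BookingsAccess
  def initialize(current_user, params)
    @current_user = current_user   # nil when nobody is logged in
    @params = params               # route params arrive as strings
  end

  def logged_in?
    !@current_user.nil?
  end

  # Accept only an all-digit id. "12abc".to_i is 12 in Ruby, so a loose
  # conversion would let a malformed id compare equal to a real one.
  def requested_user_id
    raw = @params[:user_id].to_s
    raw.match?(/\A\d+\z/) ? raw.to_i : nil
  end

  def owns_requested_record?
    id = requested_user_id
    !id.nil? && id == @current_user.id
  end

  # Deny by default: logged in AND (privileged role OR owner of the record).
  def authorized?
    return false unless logged_in?
    @current_user.in_role?('company') || owns_requested_record?
  end
end

# Constructed sample users.
ALICE   = User.new(12, ['customer'])
COMPANY = User.new(3,  ['company'])

# Runs the check for one user against one user_id taken from the URL.
def allowed?(user, user_id)
  BookingsAccess.new(user, { user_id: user_id }).authorized?
end
```

The comparison uses the user_id from the URL only after strict parsing, and the identity it is compared against always comes from the session's current user, never from the request.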