Preferred way of dealing with url hacking & REST

I am new to RoR and RESTful. I just listened to the David's keynote at
RailsConf and I think the what suggested above are not the RESTful way.

What's not RESTful about it?

According to David, the RESTful way of modeling what you have there is
to introduce a new active model called (for example) Writings, which
represents the relationship of a user's articles. Then creating a
Writing object is adding an article to the user and you can easily check
the permission by trying to find the Writing object by both user_id and

Any thoughts?

User#articles already represents the relationship between a user and
his articles. Throwing something in between is just some weird

You can of course really easily handle permissions by calling
current_user.articles.find(params[:id]). That does the scoping for
you and everything.

The "missing model" usually occurs with a many to many relationship.