protecting resources in an app

Hi chaps. I just want to check that I'm on the right lines with protecting resources in an app, the idea being that only the resource's owner can do stuff to it. I figure there are only two steps I need (with Authlogic), but I may be missing stuff.

The 1st is a check-authorised before filter, which just checks that a valid user is logged in. That before filter is on all the actions that need protecting.

The 2nd step is to change the default find method in the controller from this type of thing:

@thing = Thing.find(params[:id])

to this:

@thing = current_user.things.find(params[:id])

Am I on the right lines?

Anybody? Are there further steps required?

I'm doing it just like you described above. However I would like to hear some more opinions on that as well.

Heinz Strunk wrote:

I'm doing it just like you described above. However I would like to hear some more opinions on that as well.

That's really good to know. A slight twist on it could be that I have seen people DRY it up and include more sophistication on the find by using a before filter for that too; then I could perhaps find only the user's things, but if the user is an admin, allow the admin to find anything (or edit or destroy anything).

Trying to make sure I don't miss anything before implementing.

The thing is, the initial check will only check that there's a logged-in user, not a particular user. Then the find part is important, as it would always limit the "things" that can be found to the things that the current_user owns. Are these the typical two steps? Correct?
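As an added illustration (not code from this thread, and not Authlogic or ActiveRecord itself), the two steps discussed above plus the admin twist from the earlier post, written as dependency-free Ruby so it runs on its own. The `MiniController`, `find_any_thing` and `find_owned_thing` helpers are stand-ins for a Rails controller with a before filter, `Thing.find` and `current_user.things.find`; the users and things are constructed sample data. The point it makes is that step 1 alone lets any logged-in user reach any record by guessing an id, and that the scoped find in step 2 is what actually enforces ownership:

```ruby
# Stand-ins for the exceptions ActiveRecord / a login filter would raise.
RecordNotFound = Class.new(StandardError)
Unauthorized   = Class.new(StandardError)

# Minimal models; `admin` is assumed for the admin twist, it is not Authlogic's.
User  = Struct.new(:id, :login, :admin)
Thing = Struct.new(:id, :owner_id, :name)

# Constructed sample data: two ordinary users, one admin, one thing each.
USERS  = {
  1 => User.new(1, "alice", false),
  2 => User.new(2, "bob",   false),
  3 => User.new(3, "root",  true),
}
THINGS = [
  Thing.new(10, 1, "alice's thing"),
  Thing.new(11, 2, "bob's thing"),
]

# Stand-in for Thing.find(id): looks the record up with no regard to ownership.
def find_any_thing(id)
  THINGS.find { |t| t.id == id } or raise RecordNotFound, "Thing #{id}"
end

# Stand-in for current_user.things.find(id): the lookup is scoped to the owner,
# so a record belonging to someone else is simply not found.
def find_owned_thing(user, id)
  THINGS.find { |t| t.owner_id == user.id && t.id == id } or
    raise RecordNotFound, "Thing #{id} does not belong to user #{user.id}"
end

# A tiny controller base that mimics before_filter: every registered filter
# runs before the action, in order.
class MiniController
  def self.before_filter(name)
    (@filters ||= []) << name
  end

  def self.filters
    @filters || []
  end

  attr_reader :current_user, :params

  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  def process(action)
    self.class.filters.each { |f| send(f) }
    send(action)
  end
end

class ThingsController < MiniController
  # Step 1: only checks that *some* valid user is logged in, not which one.
  before_filter :require_user

  def require_user
    raise Unauthorized, "login required" unless current_user
  end

  # Step 2 done wrong: passes step 1, but any logged-in user reaches any record.
  def show_unscoped
    find_any_thing(params[:id])
  end

  # Step 2 done right: the find goes through the owner's association.
  def show_scoped
    find_owned_thing(current_user, params[:id])
  end

  # The admin twist: ordinary users stay scoped, an admin may find anything.
  def show_with_admin
    if current_user.admin
      find_any_thing(params[:id])
    else
      find_owned_thing(current_user, params[:id])
    end
  end
end

# Convenience wrapper used in the checks below: returns the record, or the
# exception class when the request is refused.
def attempt(user, id, action)
  ThingsController.new(user, { id: id }).process(action)
rescue Unauthorized, RecordNotFound => e
  e.class
end
```

Running `attempt(USERS[2], 10, :show_unscoped)` returns Alice's thing to Bob, which is the hole; `attempt(USERS[2], 10, :show_scoped)` returns `RecordNotFound`, and the admin branch lets user 3 fetch either record.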