As you alluded to, in all my controllers I have a before_filter that verifies and pre-populates instance variables of the main object(s) in the page. If you’re using AAA, you can just access ‘current_user’ object which should always be the logged in user, alleviating the issue of forgery. This renders the user id in the URL uneccessary altogether. If you’re not using AAA, you can set a before_filter such as:
def set_user @user = User.find(session[:user_id]) end
So then in your update method, you would just do a @user.update_attributes!(params). As for other controllers, it’s good to ensure the association isn’t forged as well. So in, say, an AssetsController you could have a before_filter like:
def set_variables @user = User.find(session[:user_id]) @asset = @user.assets.find(params[:id]) end
hope that helps,
ed
