REST Route how to avoid hacking routes

You shouldn't ever rely on routing to protect information from being
accessed or edited. Not what it's for.

If only the current user can access his or her posts, I'd probably
create a route for that specifically, maybe something like:

/posts
/account/posts

That way you just go off current_user or session[:user] instead of
user_id. Otherwise, you definitely need a before_filter.