Should I use global variables here?

In the controller, do something like:

    @order = current_user.orders.find(params[:id])
    @return = @order.returns.create(params[:return])

The first line will only find the order if it belongs to the current user.

-Jonathan.
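
An added illustration of the scoping the reply above relies on, not code from the thread: a plain-Ruby stand-in for the ActiveRecord association, showing that a lookup through the owner's orders rejects another user's order id while an id-only lookup accepts it. The `User`, `Order`, `unscoped_find` and `create_return` names and the sample data are assumptions made for this example.

```ruby
# Added example: plain-Ruby stand-in for ActiveRecord (all names are hypothetical).
class RecordNotFound < StandardError; end

Order = Struct.new(:id, :user_id, :returns)

# Constructed sample data: orders 1 and 2 belong to user 10, order 3 to user 20.
ORDERS = [
  Order.new(1, 10, []),
  Order.new(2, 10, []),
  Order.new(3, 20, [])
].freeze

# Unscoped lookup, like Order.find(id): matches on the id alone,
# so any logged-in user can reach any order by guessing ids.
def unscoped_find(order_id)
  ORDERS.find { |o| o.id == order_id } or raise RecordNotFound, "Order #{order_id}"
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Scoped lookup, like current_user.orders.find(id):
  # both the order id and the owner must match.
  def find_order(order_id)
    ORDERS.find { |o| o.id == order_id && o.user_id == id } or
      raise RecordNotFound, "Order #{order_id}"
  end
end

# Controller-style action: a missing order and someone else's order are
# indistinguishable to the caller, and both end in a 404.
def create_return(current_user, params)
  order = current_user.find_order(Integer(params[:id]))
  order.returns << params[:return]
  [201, order.returns.last]
rescue RecordNotFound, ArgumentError, TypeError
  [404, nil]
end
```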