URL faking with nested resources

I've created a three tiered nested resource tree as defined below. My
problem is that it's easy for a user to fake the URL and pull image
records from another users account since there is no check to see if
the image actually belongs to the user. Does anyone have a
recommendation on how I can secure this in a DRY manner? Is there
some sort of plugin or base functionality that I can't seem to find by
googling?

map.resources :people do |person|
     person.resources :events do |event|
       event.resources :images
     end
end

For example, if a user types in the following url they will get the
image whether or not the image is part of an event which belongs to
the specified user:

http://localhost/people/123/events/456/images/789

Thanks,

Mike

It seems that if you authenticate your user (probably your person), then you can safely assume ownership of events and images. So using your example, the ImagesController will be in charge of serving this page. This might translate to:

{:controller => 'images', :id => 789, :event_id=> 456, :person_id => 123}

Thus, you might write code in your controller such as:

if Session.user_authenticated(params[:person_id])
   image = Person.find(params[:person_id]).events.find(params[:event_id]).images.find(params[:id])
else
   flash[:error] = 'go steal images someplace else'
end

The "user_authenticated" method might be something you would add to RESTful Authentication to compare the params[:person_id] to the id of the current user.

you might want to read the following about nesting resources more than
2 levels deep: http://weblog.jamisbuck.org/2007/2/5/nesting-resources

having said that, the normal way to do this is by scoping to the
specified resource:

class EventsController < ApplicationController

before_filter :get_person

def get_person
@person = People.find_by_id(params[:person_id])
end

def index
@events = @person.events
end

def edit
@event = @person.events.find_by_id(params[:id])
...
end

Mike