I've created a three tiered nested resource tree as defined below. My
problem is that it's easy for a user to fake the URL and pull image
records from another users account since there is no check to see if
the image actually belongs to the user. Does anyone have a
recommendation on how I can secure this in a DRY manner? Is there
some sort of plugin or base functionality that I can't seem to find by
googling?
map.resources :people do |person|
person.resources :events do |event|
event.resources :images
end
end
For example, if a user types in the following url they will get the
image whether or not the image is part of an event which belongs to
the specified user:
It seems that if you authenticate your user (probably your person), then you can safely assume ownership of events and images. So using your example, the ImagesController will be in charge of serving this page. This might translate to:
Thus, you might write code in your controller such as:
if Session.user_authenticated(params[:person_id])
image = Person.find(params[:person_id]).events.find(params[:event_id]).images.find(params[:id])
else
flash[:error] = 'go steal images someplace else'
end
The "user_authenticated" method might be something you would add to RESTful Authentication to compare the params[:person_id] to the id of the current user.
