URL faking with nested resources

I've created a three tiered nested resource tree as defined below. My
problem is that it's easy for a user to fake the URL and pull image
records from another users account since there is no check to see if
the image actually belongs to the user. Does anyone have a
recommendation on how I can secure this in a DRY manner? Is there
some sort of plugin or base functionality that I can't seem to find by

map.resources :people do |person|
     person.resources :events do |event|
       event.resources :images

For example, if a user types in the following url they will get the
image whether or not the image is part of an event which belongs to
the specified user:




It seems that if you authenticate your user (probably your person), then you can safely assume ownership of events and images. So using your example, the ImagesController will be in charge of serving this page. This might translate to:

{:controller => 'images', :id => 789, :event_id=> 456, :person_id => 123}

Thus, you might write code in your controller such as:

if Session.user_authenticated(params[:person_id])
   image = Person.find(params[:person_id]).events.find(params[:event_id]).images.find(params[:id])
   flash[:error] = 'go steal images someplace else'

The "user_authenticated" method might be something you would add to RESTful Authentication to compare the params[:person_id] to the id of the current user.

you might want to read the following about nesting resources more than
2 levels deep: http://weblog.jamisbuck.org/2007/2/5/nesting-resources

having said that, the normal way to do this is by scoping to the
specified resource:

class EventsController < ApplicationController

before_filter :get_person

def get_person
@person = People.find_by_id(params[:person_id])

def index
@events = @person.events

def edit
@event = @person.events.find_by_id(params[:id])