I have a system of users who have many resources. For example, a user may have many books, many friends, many items, etc. I have an authentication system in which users can log in, and it is working just fine (authlogic). However, I have some default scaffold-type pages for index. You can view a list of Users, a list of Books and a list of Friends. However, when you go to the friends page, the user can see the friends of all the other users too.

Manually, I could just modify all my index methods in all the respective books, friends and items controllers to say current_user.friends.all, etc. instead of Friends.all. But then the user can still view friends that aren't theirs by just guessing the ID: friends/32.

I need a higher-level system to enforce these rules. Not sure how to describe the design problem more simply. Is there a tool or method in place to handle such an issue? I would think something like acts_as_resource (doesn't exist) in the Friends model, so that any call to Friends will make sure that the friend belongs to the user by association. This should be on the controller level though, and not on the model, I don't think.
Any ideas?
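
The difference between the scaffold's global lookups and lookups made through the logged-in user's association, as an added example that is not part of the original post. It is a plain-Ruby simulation (no Rails); Friend, User, NotFound, the `scoped:` flag and the sample records are hypothetical stand-ins constructed for illustration.

```ruby
# Added example: plain-Ruby stand-in for the Rails pattern; runs without Rails.
# Friend, User, NotFound and FriendsController here are hypothetical names.
class NotFound < StandardError; end

Friend = Struct.new(:id, :user_id, :name)

# Constructed sample data: user 1 owns friends 31 and 33, user 2 owns 32.
FRIENDS = [
  Friend.new(31, 1, "Ann"),
  Friend.new(32, 2, "Ben"),
  Friend.new(33, 1, "Cid")
].freeze

User = Struct.new(:id, :name) do
  # Stands in for has_many :friends; only the owner's rows are returned.
  def friends
    FRIENDS.select { |f| f.user_id == id }
  end
end

class FriendsController
  # scoped: false reproduces the scaffold default (Friends.all, find by id).
  def initialize(current_user, scoped: true)
    @current_user = current_user
    @scoped = scoped
  end

  def index
    collection
  end

  # A record outside the collection is reported as missing, not as forbidden,
  # so a guessed id reveals nothing about other users' rows.
  def show(id)
    collection.find { |f| f.id == Integer(id) } or raise NotFound, "no friend #{id}"
  end

  private

  # Single choke point: every action reads through this method.
  def collection
    @scoped ? @current_user.friends : FRIENDS
  end
end
```

In Rails the same shape is a private controller method returning current_user.friends, and calling find on that association raises ActiveRecord::RecordNotFound for an id the user does not own.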