User a owns resource x; don't let user b see user a's resources...

I have a system of users who have many resources. For example, a user may have many books, many friends, many items, etc. I have an authentication system in which users can log in, working just fine (authlogic). However, I have some default scaffold-type pages for index. You can view a list of Users, a list of Books and a list of Friends. However, when you go to the friends page the user can see the friends of all the other users too. Manually I could just modify all my index methods in all the respective books/friends/items controllers to say current_user.friends.all, etc. instead of Friend.all. But then the user can still view friends that aren't theirs by just guessing the id: friends/32. I need a higher-level system to enforce these rules. Not sure how to describe the design problem more simply; is there a tool or method in place to handle such an issue? I would think something like acts_as_resource (doesn't exist) in the Friend model so that any call to Friend will make sure that the friend belongs to the user by association. This should be on the controller level though and not on the model, I don't think.

Any ideas?

Don't take the user id from the url.

For example, don't do this:

url:  /show_friends/5
code: User.find(5).friends

But do this:

url:  /show_friends
code: current_user.friends

where current_user is the currently authenticated user. You know who is logged in, so you don't need to pass his id around.

And for the use case which the OP raised, which is the show action, it should be:

def show
  friend = current_user.friends.find(params[:id])
end

which scopes the find to the user's friends. Similar comment for other actions like edit and update.

Oh, that's a good solution: friend = current_user.friends.find(params[:id]). I never thought of that. Search within the user's friends for the requested id... thanks
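The following is an added example, not code from the question or the answers above. It shows the unscoped lookup the question describes (anyone logged in can guess friends/32) next to the association-scoped lookup from the answer and the show-action comment. Rails and ActiveRecord are not loaded here; the Relation class, the FRIENDS/USERS tables and RecordNotFound are assumed, in-memory stand-ins for an ActiveRecord association, its find, and ActiveRecord::RecordNotFound, so the file runs as plain Ruby.

```ruby
# Stand-in for ActiveRecord::RecordNotFound (assumption: not the real class).
class RecordNotFound < StandardError; end

# Minimal stand-in for an association collection such as current_user.friends.
class Relation
  def initialize(records)
    @records = records
  end

  def all
    @records.dup
  end

  # Mirrors ActiveRecord's find: raise instead of returning nil, so an id that
  # is outside the scope can never silently reach a view or update.
  def find(id)
    id = Integer(id) # params[:id] arrives from the router as a String
    @records.find { |r| r.id == id } or
      raise RecordNotFound, "Couldn't find Friend with id=#{id}"
  end
end

Friend = Struct.new(:id, :user_id, :name)
User   = Struct.new(:id, :name)

# Constructed sample data: user 1 owns friend 31, user 2 owns friend 32.
FRIENDS = [
  Friend.new(31, 1, "alice-friend"),
  Friend.new(32, 2, "bob-friend"),
]
USERS = { 1 => User.new(1, "a"), 2 => User.new(2, "b") }

class User
  # The has_many association: only rows whose user_id matches this user.
  def friends
    Relation.new(FRIENDS.select { |f| f.user_id == id })
  end
end

class Friend
  # Table-wide finders, i.e. what Friend.all / Friend.find give you in Rails.
  def self.all = FRIENDS.dup
  def self.find(id) = Relation.new(FRIENDS).find(id)
end

# The problem from the question: every lookup goes against the whole table,
# so a logged-in user can read (or edit) any friend by guessing the id.
class UnscopedFriendsController
  def initialize(current_user) = @current_user = current_user
  def index = Friend.all
  def show(params) = Friend.find(params[:id])
end

# The fix from the answer: every lookup starts from current_user, so the
# association itself enforces ownership and there is no per-action check
# to forget. The same pattern covers edit/update/destroy.
class FriendsController
  def initialize(current_user) = @current_user = current_user
  def index = @current_user.friends.all
  def show(params) = @current_user.friends.find(params[:id])

  def update(params, attrs)
    friend = @current_user.friends.find(params[:id]) # raises if not owned
    friend.name = attrs[:name]
    friend
  end
end

# Returns true when the scoped controller refuses the lookup, which is the
# behaviour you want for an id belonging to another user.
def scoped_lookup_blocked?(user, id)
  FriendsController.new(user).show({ id: id })
  false
rescue RecordNotFound
  true
end

if __FILE__ == $PROGRAM_NAME
  b = USERS[2]
  puts "unscoped show 31 as user b: #{UnscopedFriendsController.new(b).show({ id: '31' }).name}"
  puts "scoped show 31 as user b blocked? #{scoped_lookup_blocked?(b, '31')}"
  puts "scoped index as user b: #{FriendsController.new(b).index.map(&:id).inspect}"
end
```

Nothing in the scoped controller consults a user id from the URL; the only id it accepts is the friend id, and that is resolved through current_user.friends, so a guessed friends/31 from user b gets a 404 (RecordNotFound) rather than user a's data.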