Should a user's home page be invoked by a show then id, meaning
/show/id(of user), when they log into the application? Because it
would be easy for another user to use /show/3 to access that of another
user.
What's the normal procedure when a user logs into your app to get to
his account page?
You store the id of the logged-in user in the session.
Then on the personal show page you only use the id
stored in the session to access his/her data.
You can use singular resources for the user; then
you do not even need to use the id in the URL:
map.resource :user
instead of
map.resources :users
will allow for that.
Then in the controller:
@user = User.find(session[:user_id])
and all data related to the user only through associations (e.g. he has
orders):
@user.orders.each do |order|
That's roughly how to use Rails to make sure
nobody can access data that's not his own.
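To make the difference concrete, here is an added Ruby example that is not part of the thread: plain-Ruby stand-ins for User.find and the orders association (all names and sample data are constructed), showing the URL-id lookup from the question beside the session-scoped lookup from the answer.

```ruby
# Added example (not from the original thread): plain-Ruby stand-ins for the
# Rails pieces so the pattern runs without Rails. All names are constructed.
RecordNotFound = Class.new(StandardError)

User  = Struct.new(:id, :name)
Order = Struct.new(:id, :user_id, :total)

# Constructed sample data: two users, each with their own orders.
USERS  = [User.new(1, "alice"), User.new(2, "bob")]
ORDERS = [Order.new(10, 1, 25), Order.new(11, 1, 40), Order.new(12, 2, 99)]

# Stand-in for User.find(id): raises, like ActiveRecord, when nothing matches.
def find_user(id)
  USERS.find { |u| u.id == id } || raise(RecordNotFound, "user #{id}")
end

# Stand-in for user.orders.find(id): association scoping means only the
# owner's rows are searched, so another user's order id is simply not found.
def find_order_for(user, order_id)
  ORDERS.find { |o| o.user_id == user.id && o.id == order_id } ||
    raise(RecordNotFound, "order #{order_id} for user #{user.id}")
end

# Pattern from the question: the record is looked up by the id in the URL
# alone, so any logged-in user can read any order by changing the number.
def show_order_insecure(params)
  ORDERS.find { |o| o.id == params[:id] } || raise(RecordNotFound, "order")
end

# Pattern from the answer: start from the id stored in the session and reach
# the order only through the user's association.
def show_order(session, params)
  current_user = find_user(session[:user_id])
  find_order_for(current_user, params[:id])
end

# Returns true when the lookup inside the block is rejected.
def rejected?
  yield
  false
rescue RecordNotFound
  true
end

if __FILE__ == $PROGRAM_NAME
  bob = { user_id: 2 }
  puts "insecure: bob reads alice's order 10 -> #{show_order_insecure({ id: 10 }).inspect}"
  puts "scoped:   bob reads alice's order 10 -> rejected=#{rejected? { show_order(bob, { id: 10 }) }}"
  puts "scoped:   bob reads own order 12     -> #{show_order(bob, { id: 12 }).inspect}"
end
```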