We're trying to secure our application and someone yesterday suggested a good idea.
Say we have blogs that belong to users. Our models would be something like
class User < ActiveRecord::Base
  has_many :blogs
  ......
end

class Blog < ActiveRecord::Base
  belongs_to :user
  ...
end
We already have an authentication system in place, and on top of that we have been doing something like
@blog = Blog.find(:first, :conditions => ["user_id = ?", session[:user_id]]);
but someone suggested using something like
before_filter {|cntrlr| cntrlr.user = User.find(session[:user_id]) }
in the controller so that we could make a call like
@blog = @user.blogs.find(:first)
(Actually they suggested that we place it in the application.rb but not all of our objects have users.)
However, if we place it in the blog controller, like:
class NotebooksController < ApplicationController
  before_filter { |ctrl| ctrl.user = User.find(session[:user_id]) }
  ....
end
we get the following error:
undefined method `owner=' for NotebooksController:Class
I'm still a little new to this so I don't really understand what's going on here or how to make it work (assuming that I can and the person who suggested this isn't leading me up the path). I understand that there isn't an 'owner=' function defined for the controller, but shouldn't there be one for the model, or am I completely lost?
Dale
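
Added example, not part of the post above and not Rails code: a plain-Ruby sketch of why looking a record up through its owner (the @user.blogs.find idea) is the safer pattern than a lookup by id alone. OwnedBlogs, BlogsController, find_blog_unscoped and the sample rows are constructed stand-ins; the writer on the controller is an instance-level attr_accessor, which is what a filter block assigning to the controller needs.

```ruby
Blog = Struct.new(:id, :user_id, :title)
class RecordNotFound < StandardError; end

# Constructed sample data: user 10 owns blogs 1 and 2, user 20 owns blog 3.
BLOGS = [
  Blog.new(1, 10, "alice: draft"),
  Blog.new(2, 10, "alice: public"),
  Blog.new(3, 20, "bob: private notes")
].freeze

# Lookup by id alone: any logged-in user who guesses an id gets the row.
def find_blog_unscoped(id)
  BLOGS.find { |b| b.id == id } or raise RecordNotFound, "Blog #{id}"
end

# Stand-in for the user.blogs association: every finder is limited to one owner.
class OwnedBlogs
  def initialize(user_id)
    @user_id = user_id
  end

  def find(id)
    rows.find { |b| b.id == id } or
      raise RecordNotFound, "Blog #{id} for user #{@user_id}"
  end

  def first
    rows.first
  end

  private

  def rows
    BLOGS.select { |b| b.user_id == @user_id }
  end
end

# Stand-in controller: the owner scope is set once per request from the session.
class BlogsController
  attr_accessor :user_blogs # instance-level writer, set before the action body

  def initialize(session)
    @session = session
  end

  def show(params)
    # fetch raises KeyError when nobody is logged in, so the action fails closed.
    self.user_blogs = OwnedBlogs.new(@session.fetch(:user_id))
    user_blogs.find(params[:id]).title
  rescue RecordNotFound
    :not_found # another user's blog looks the same as a missing one
  end
end
```

With the scope set in one place, an action cannot forget the user_id condition, and a request for someone else's id is answered the same way as a request for an id that does not exist.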