Validation using session data

I have a model containing user records and I want each user to only be
able to edit his own data. I am storing the user_id in a session table.
I was hoping to be able to use validate_on_update that would compare
the POSTed id with that stored in the session table, so I wrote (in the
model/user.rb file):

def validate_on_update
  if session[:user_id] != id
      errors.add("You are not allowed to edit this record.")

When I do an update I get "undefined local variable or method `session'
for #"

What concept am I not getting here?


So how do I pass the data to the model?

That is a bad idea. For your case it is better to perform that checking inside controller action.

Model should be independent of all that “session” thing. Model exists outside of those sessions. What would you pass to the model, if model update is run from Rails’ console ?

This is similar to authorization checking. You would never pass user to, say, Post model to see if user is allowed to see it, right ?