Validation using session data

CWu · November 16, 2006, 8:05pm

I have a model containing user records and I want each user to only be able to edit his own data. I am storing the user_id in a session table. I was hoping to be able to use validate_on_update that would compare the POSTed id with that stored in the session table, so I wrote (in the model/user.rb file):

def validate_on_update if session[:user_id] != id errors.add("You are not allowed to edit this record.") end end end

When I do an update I get "undefined local variable or method `session' for #"

What concept am I not getting here?

Thanks

CWu · November 16, 2006, 9:04pm

So how do I pass the data to the model?

Maxim_Kulkin · November 16, 2006, 10:30pm

That is a bad idea. For your case it is better to perform that checking inside controller action.

Model should be independent of all that “session” thing. Model exists outside of those sessions. What would you pass to the model, if model update is run from Rails’ console ?

This is similar to authorization checking. You would never pass user to, say, Post model to see if user is allowed to see it, right ?