Validation using session data

I have a model containing user records and I want each user to only be able to edit his own data. I am storing the user_id in a session table. I was hoping to be able to use validate_on_update that would compare the POSTed id with that stored in the session table, so I wrote (in the model/user.rb file):

def validate_on_update   if session[:user_id] != id       errors.add("You are not allowed to edit this record.")     end   end end

When I do an update I get "undefined local variable or method `session' for #"

What concept am I not getting here?


So how do I pass the data to the model?

That is a bad idea. For your case it is better to perform that checking inside controller action.

Model should be independent of all that “session” thing. Model exists outside of those sessions. What would you pass to the model, if model update is run from Rails’ console ?

This is similar to authorization checking. You would never pass user to, say, Post model to see if user is allowed to see it, right ?