I have a model named Division which has_many :courses
Bottom line: I need the Ruby way to prevent someone from changing the id
parameter to http://example.com/courses/edit/
so that they don't hijack another user's data. The code I have is all
over most of the controller methods and it is really clunky.
Every Division has users who can modify elements only within their own
division, so now when someone goes to example.com/courses/edit/9
I need to make sure the course with id of 9 falls within a division
that the user has access to.
I am trying to prevent the user from modifying parameters to get at
someone else's data.
I have code like this in nearly all methods in most of my controllers:
@course = Course.find(params[:id])
@course = Course.new unless current_user.has_division?
I know I am doing it incorrectly, but I can't find anything to point
me to something better.
If anyone has an idea, it would be greatly appreciated.
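The usual fix for the problem described above is to never look a record up by id alone: start every query from the set of records the current user is allowed to reach, so a course in someone else's division simply does not exist from that user's point of view, and the lookup fails closed. The following is an added example (not the asker's code and not a Rails internal) written as plain Ruby so it runs without Rails; the models, the users ALICE/BOB/CAROL, the course ids and the helper names accessible_courses, find_course_for and edit_course are constructed for illustration, and the Rails equivalents are given in the comments.

```ruby
# Added example (not the asker's code): one scoped lookup that replaces the
# Course.find(params[:id]) + has_division? pair in every controller action.
# Plain Ruby stand-in for the ActiveRecord pattern so it runs without Rails;
# the structs, users and course ids below are constructed sample data.

Division = Struct.new(:id, :name)
Course   = Struct.new(:id, :division_id, :title)
User     = Struct.new(:id, :name, :division_ids)

# Stand-in for ActiveRecord::RecordNotFound, which Rails renders as a 404.
class RecordNotFound < StandardError; end

DIVISIONS = [Division.new(1, "Engineering"), Division.new(2, "Finance")]
COURSES = [
  Course.new(7,  1, "Intro to Ruby"),
  Course.new(9,  1, "Secure Coding"),
  Course.new(11, 2, "Budgeting"),
]
ALICE = User.new(1, "alice", [1])     # Engineering only
BOB   = User.new(2, "bob",   [2])     # Finance only
CAROL = User.new(3, "carol", [1, 2])  # member of both divisions

# Rails equivalent: Course.where(division_id: current_user.division_ids),
# or simply current_user.courses if User has_many :divisions and
# has_many :courses, through: :divisions.
# Every query starts from what the user may see, so an id from another
# division is never found, no matter what the client puts in the URL.
def accessible_courses(user)
  COURSES.select { |c| user.division_ids.include?(c.division_id) }
end

# Rails equivalent: accessible_courses(user).find(params[:id])
# Takes the raw params value (a String) and fails closed on anything that
# is not the id of a course this user is allowed to reach.
def find_course_for(user, raw_id)
  id = Integer(raw_id, exception: false)   # "9" -> 9, "9abc"/nil -> nil
  course = id && accessible_courses(user).find { |c| c.id == id }
  raise RecordNotFound, "Couldn't find Course with id=#{raw_id}" unless course
  course
end

# What a before_action :set_course would do for edit/update/show/destroy.
# Returns [status, course] so the behaviour can be checked without Rails;
# in a real controller the RecordNotFound is left to Rails, which renders 404.
def edit_course(user, params)
  course = find_course_for(user, params[:id])
  [200, course]
rescue RecordNotFound
  [404, nil]
end
```

With this shape the authorization check is the query itself rather than a conditional after the fact: there is no window where @course holds another division's record, a tampered id returns the same 404 as a nonexistent one (so the attacker also cannot enumerate which ids exist), and the three controller lines collapse into one before_action shared by every member action.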