Wednesday, January 13, 2010

[Rails] Re: User a owns resource x; don't let user b see user a's resources...

Oh, that's a good solution: friend = current_user.friends.find(params[:id]). I never thought of that. Search within the user's friends for the requested id... thanks.

On Jan 14, 7:12 am, Rick DeNatale <rick.denat...@gmail.com> wrote:
> On Wed, Jan 13, 2010 at 8:02 AM, Eduard Martini
> <eduard.mart...@gmail.com> wrote:
> > Don't take the user id from the url.
>
> > For example, don't do this:
>
> > url:
> > /show_friends/5
> > code:
> > User.find(5).friends
>
> > But do this:
>
> > url:
> > /show_friends
> > code:
> > current_user.friends
>
> > where current_user is the currently auth user. You know who is logged
> > in, don't need to pass his id around.
>
> And for the use case which the OP raised, which is the show action, it
> should be:
>
> def show
>     friend = current_user.friends.find(params[:id])
> end
>
> which scopes the find to the user's friends.  Similar comment for
> other actions like edit and update
>
> --
> Rick DeNatale
>
> Blog:http://talklikeaduck.denhaven2.com/
> Twitter:http://twitter.com/RickDeNatale
> WWR:http://www.workingwithrails.com/person/9021-rick-denatale
> LinkedIn:http://www.linkedin.com/in/rickdenatale
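The two lookups discussed in the reply above, shown side by side as an added example (not code from the thread or from Rails). It is plain Ruby so it runs without ActiveRecord: the User model, the friendships table, the sample users (alice, bob, carol, dave) and the controller-style functions are all constructed here. Relation#find mirrors ActiveRecord's behaviour of raising RecordNotFound when the id is not in the collection, which is what makes the scoped find safe: a foreign id becomes a 404 instead of someone else's record.

```ruby
# Added example, not from the original thread: the unscoped lookups
# (id trusted from the URL) next to the versions scoped to current_user.
class RecordNotFound < StandardError; end

# Stand-in for an ActiveRecord association: a collection that only holds
# its owner's records, and a find restricted to that collection.
class Relation
  include Enumerable

  def initialize(records)
    @records = records
  end

  def each(&block)
    @records.each(&block)
  end

  def find(id)
    @records.find { |r| r.id == Integer(id) } ||
      raise(RecordNotFound, "Couldn't find record with id=#{id} in this scope")
  end
end

class User
  attr_reader :id, :name

  @all = {}
  @friendships = Hash.new { |h, k| h[k] = [] }

  class << self
    attr_reader :all, :friendships

    def create(id, name)
      @all[id] = new(id, name)
    end

    def befriend(a, b)
      @friendships[a] << b
    end

    # Global, unscoped lookup: every id in the table is reachable.
    def find(id)
      Relation.new(@all.values).find(id)
    end
  end

  def initialize(id, name)
    @id = id
    @name = name
  end

  # Association scoped to this user: only ids in the friend list resolve.
  def friends
    Relation.new(User.friendships[id].map { |fid| User.all[fid] })
  end
end

# Constructed sample data: alice (1) is friends with bob (2) and carol (3);
# dave (4) is friends only with bob.
User.create(1, 'alice'); User.create(2, 'bob')
User.create(3, 'carol'); User.create(4, 'dave')
User.befriend(1, 2); User.befriend(1, 3); User.befriend(4, 2)

# /show_friends/:user_id -- vulnerable: whose list to show comes from the URL,
# so any logged-in user can read any other user's friend list.
def show_friends_vulnerable(params)
  User.find(params[:user_id]).friends.map(&:name)
end

# /show_friends -- fixed: the owner is the authenticated user, nothing from the URL.
def show_friends_fixed(current_user)
  current_user.friends.map(&:name)
end

# /friends/:id -- vulnerable show: global find, the id is trusted as-is.
def show_vulnerable(_current_user, params)
  User.find(params[:id]).name
end

# /friends/:id -- fixed show: scoped to current_user.friends, so an id that is
# not one of the caller's friends raises RecordNotFound (a 404 in Rails).
def show_fixed(current_user, params)
  current_user.friends.find(params[:id]).name
end

if __FILE__ == $PROGRAM_NAME
  dave = User.all[4]
  p show_friends_vulnerable(user_id: '1')   # dave reads alice's list: ["bob", "carol"]
  p show_friends_fixed(dave)                # ["bob"]
  p show_vulnerable(dave, id: '3')          # "carol", although dave is not her friend
  begin
    show_fixed(dave, id: '3')
  rescue RecordNotFound => e
    puts "blocked: #{e.message}"
  end
end
```

The same pattern applies to edit, update and destroy: start every lookup from `current_user.<association>` rather than from the model class, and let the resulting RecordNotFound be rendered as a 404 rather than rescued into a fallback that reveals whether the id exists.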
