At the moment, any logged in user can go to http://localhost:3000/notes/note_id and view the

Question

0

Asked: May 16, 20262026-05-16T10:42:46+00:00 2026-05-16T10:42:46+00:00

At the moment, any logged in user can go to http://localhost:3000/notes/note_id and view the

0

At the moment, any logged in user can go to http://localhost:3000/notes/note_id and view the note there. How do I restrict this so that you can only see notes that belong to you? Thanks for reading.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T10:42:46+00:00

In the NotesController #show action, redirect or show a permission denied error if the user_id on the note doesn’t == the logged in user id.

Another solution is to put this code in a before_filter in the NotesController, since the same validation is performed for the #edit and #delete methods.

Edit: Putting all the suggestions together (Sorry if this has been confusing):

Edit2: Using Veeti’s association answer, which I always seem to forget, we can add current_user.notes.find() to the mix. Like he said, your current_user needs to return a User object, and you’ll need a has_many :notes in your User model.

class NotesController < ApplicationController
  before_filter :check_ownership, :except => [:new, :create, :index]

  #.. new, create, index, show, edit, delete actions

  private

  def check_ownership
    redirect_to :back unless current_user.notes.find(params[:id])
  end
end

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

At the moment, any logged in user can go to http://localhost:3000/notes/note_id and view the

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply