Home/ Questions/Q 6239761
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T11:26:50+00:00

How do I prevent accessing a specific set of records based on a session

  • 0

How do I prevent accessing a specific set of records based on a session variable?

i.e. I have a table of items with a user_id key, how do I filter access to the items based on user_id. I don’t want someone to be able to access /items/3/edit unless that item has their user id against it (based on session var)

update:
I am using the answer suggested by @fl00r with one change, using find_by_id() rather than find() as it returns a nil and can be handled quite nice:

@item = current_user.items.find_by_id([params[:id]]) || item_not_found

where item_not_found is handled in the application controller and just raises a routing error.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Restrict access by fetching items through your current_user object (User should :has_many => :items)

    # ItemsController
def edit
  @item = current_user.items.find(params[:id])
  ...
end

    where current_user is kind of User.find(session[:user_id])

    UPD

    Useful Railscast: http://railscasts.com/episodes/178-seven-security-tips, TIP #5

    • 0