I’ve got it so that the show view on a customer’s page links to all the orders that they have placed. When they click “Show”, it takes them to the show view for that order. However, if they were to change the id of the order in the url, they can then see other people’s orders. Please can someone help or suggest ways in which I can have it so that if someone was to try and view an order other than the one they have been directed to, they will be redirected to their customer page? I can get the redirect bit working fine, using:
redirect_to customers_path(session[:customer_id])
but how would I get the application to make sure that the customer can only view that order? I can’t seem to use the sort of logic where I check that the order id equals the order id in the url, as that will always prove true!
Assuming that your Order model has some concept of “who owns this order,” usually via an integer column called something like user_id, you can check to see if session[:customer_id] is equal to order.user_id (or whatever you call it). You will generally keep this authorization code in your controllers.
As your application gets more complicated, you might look into authorization gems like CanCan to handle this logic.
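As an added example, not code from the original thread, here is the ownership check described in the answer written in plain Ruby so it runs without Rails. The Order struct, the constructed ORDERS list and the method names find_order_for_customer, show_order and show_order_unscoped are assumptions; comments give the ActiveRecord call each step stands for. The unscoped version is kept alongside only to show why looking an order up by id alone lets a customer read other customers' orders.

```ruby
# Added example: owner-scoped order lookup, plain Ruby (no Rails needed).
Order = Struct.new(:id, :customer_id, :total)

# Constructed sample data standing in for the orders table.
ORDERS = [
  Order.new(1, 10, 25.00),
  Order.new(2, 10, 40.00),
  Order.new(3, 11, 99.00)
].freeze

# Returns the order only if it belongs to the given customer; nil otherwise.
# Rails equivalent: Customer.find(customer_id).orders.find_by(id: order_id)
# (scoping the query to the owner's association instead of Order.find(id)).
def find_order_for_customer(customer_id, order_id, orders = ORDERS)
  orders.find { |o| o.id == order_id.to_i && o.customer_id == customer_id }
end

# Mimics the controller's show action. `session` and `params` are plain hashes;
# the result is returned as [:render, order] or [:redirect, path] so the
# decision can be checked rather than only rendered.
def show_order(session, params)
  customer_id = session[:customer_id]
  order = find_order_for_customer(customer_id, params[:id])
  if order
    [:render, order]
  else
    # Rails equivalent of the poster's redirect_to customers_path(session[:customer_id])
    [:redirect, "/customers/#{customer_id}"]
  end
end

# Insecure 'before' for contrast: looks the order up by id alone, so any
# logged-in customer can read any order by editing the id in the URL.
def show_order_unscoped(session, params, orders = ORDERS)
  order = orders.find { |o| o.id == params[:id].to_i }
  order ? [:render, order] : [:redirect, "/customers/#{session[:customer_id]}"]
end
```

Because the lookup itself is scoped to the logged-in customer, there is no separate comparison step that "always proves true": an order belonging to someone else simply is not found, and the action falls through to the redirect.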