Home/ Questions/Q 7434427
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T09:50:14+00:00

I’ve set up Devise to manage the authentication to my app. I have a

  • 0

I’ve set up Devise to manage the authentication to my app.

I have a Category model in which users create their own categories. User has_many :categories. This model has a user_id attribute, so when someone logs in and goes to categories/index for example, from the controller the query would bring categories using current_user.id to filter out which ones to bring.

So far straight forward and works well, nobody seems to be able to see someone else’s categories, but to be honest, unless I’m missing something, this seems a bit insecure. How do I know some hacker will not figure it out and send his own requests modifying the params?

Is this possible or am I being paranoid? Also, I might not be using the functionality properly?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think you have the relationship setup for a one-to-one (one category per user) instead of a one-to-many (many categories per user). If you have a category_id in the User model, the following should be your setup.

    # in User.rb
belongs_to :category

# in Category.rb
has_many :users

# in CategoriesController
@category = current_user.category

    If you want to have multiple categories per user, than I suggest using a link table (as model UserCategory) with user_id and category_id.

    # in UserCategory.rb
belongs_to :user
belongs_to :category

# in User.rb
has_many :user_categories
has_many :categories, :through => :user_categories

# in Category.rb
has_many :user_categories
has_many :users, :through => :user_categories

    Then, in your Category controller you can use your code from above to grab all categories by a given user.

    # in CategoriesController.rb
@categories = current_user.categories
    • 0