When building a Rails app that allows a User to log in and create data, is it best to set up a belongs_to :user association on every single model? For example, let’s say a user can create Favorites, Colors and Tags.
And let’s say Favorites has_many :tags and Colors also has_many :tags. Is it still important for Tags to belongs_to :user assuming the User is the only person who has authority to edit those tags?
And a similar question along the same lines: When updating data in FavoritesController, I’ve come to the conclusion that you perform CRUD operations by always doing something like current_user.favorites.find(params[:id]).update_attributes(params[:favorite]) so that they can definitely only update models that belong to them. Right?
Update: Wasn’t too happy with any of the answers, as no one really answered my question but instead went after the for-example-only Tags model suggesting better ways to do that. I’m assuming I was right, and models should belong_to :user. I also discovered some great security tips that address my questions here: http://asciicasts.com/episodes/178-seven-security-tips
As you describe the tags it seems that they are more of an aspect, so you can implement them as a polymorphic association. But you should do it many-to-many, as tags can be reused among users and taggable objects. Let’s call the join model Tagging, which will be the one that belongs to user if you want to remember who created the tagging.
As for the Favorite updating, I agree with you: you will mostly work within the scope of a user (most likely the currently logged in user).
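
The scoped lookup discussed in the question and in the answer above, set beside an unscoped lookup, as an added example that is not part of the original posts. It uses a plain-Ruby stand-in for ActiveRecord so it runs without gems; FavoriteScope, RecordNotFound, update_unscoped, update_scoped and the sample rows are constructed for illustration.

```ruby
# Added example: plain-Ruby stand-in for ActiveRecord (assumption, no gems needed).
class RecordNotFound < StandardError; end

Favorite = Struct.new(:id, :user_id, :name)

# Constructed sample data: user 1 owns favorite 1, user 2 owns favorite 2.
FAVORITES = [
  Favorite.new(1, 1, "alice's favorite"),
  Favorite.new(2, 2, "bob's favorite")
]

# Mimics the relation returned by current_user.favorites: every lookup
# is limited to the rows it was built with (an implicit user_id filter).
class FavoriteScope
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |f| f.id == id.to_i } or
      raise RecordNotFound, "no Favorite with id=#{id} in this scope"
  end
end

User = Struct.new(:id) do
  def favorites
    FavoriteScope.new(FAVORITES.select { |f| f.user_id == id })
  end
end

# Unscoped, like Favorite.find(params[:id]): the id from the request
# is trusted, so any logged-in user can reach any row.
def update_unscoped(params)
  fav = FavoriteScope.new(FAVORITES).find(params[:id])
  fav.name = params[:favorite][:name]
  fav
end

# Scoped, like current_user.favorites.find(params[:id]): a row owned by
# someone else is simply not found, and nothing is changed.
def update_scoped(current_user, params)
  fav = current_user.favorites.find(params[:id])
  fav.name = params[:favorite][:name]
  fav
end
```

In a real Rails controller the scoped find raises ActiveRecord::RecordNotFound, which Rails renders as a 404 by default, so no separate ownership check is needed in the action.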