Limiting Access of Nested Resources

1 view
Skip to first unread message

Tim K.

unread,
Sep 29, 2008, 12:45:17 AM9/29/08
to Ruby on Rails: Talk
So I'm using nested routes for a users model that has measurements and
journals... like this:

map.resources :users do |users|
users.resources :journals
users.resources :measurements
end

This of course builds routes as something like:

/user/:user_id/journals/:id
/user/:user_id/measurements/:id

In the case of this application the logged in user is only going to be
accessing his or her own resources (journals and measurements). So my
question is: What is the proper way to accommodate that in routing so
that /user/:user_id isn't necessary and just going to /journals or /
journals/:id would ensure that I'm going to the the currently logged
in user's journals or measurements? And in turn, what would be the
best way of making sure that users can't type /journal/:id and see
another users record once that :user_id was trimmed off (they should
only be able to see their own).

Thoughts? I greatly appreciate it.

Thanks.
Tim K.

Ramon Miguel M. Tayag

unread,
Sep 29, 2008, 1:00:21 AM9/29/08
to rubyonra...@googlegroups.com
I've never done this but I'll give my 2 cents anyway:

1) With nested routes, you are always still looking for the user - you
fetch it in the Journals controller and that's where you can evaluate
it. What you can do is fetch the current_user unless the current_user
is an admin or whatever
2) About the routes I'd like to know that... if you always fetch the
current_user it would be possible since you don't pass the user_id in
the URL anymore, but admins and such wouldn't be able to see another's
journal.

Ramon Tayag

Tim K.

unread,
Sep 29, 2008, 1:32:12 AM9/29/08
to Ruby on Rails: Talk
Ramon - Fetching the current_user in the Journals controller doesn't
solve the issue, unless I'm misunderstanding you. The current_user is
set to in instance variable called @user so @user.id would be equal
to :user_id within the route. When I call @journals I'm using the
relationship to grab the journals suchas @journals = @user.journal.
The question is really about the routing not about getting the user_id
in question. I'm trying to take advantage of the restful routes such
as user_journals_path and all that but without the need to have /
users/:user_id in the url.

Does anyone have any experience in doing something like this?


On Sep 29, 1:00 am, "Ramon Miguel M. Tayag" <ramon.ta...@gmail.com>
wrote:
> I've never done this but I'll give my 2 cents anyway:
>
> 1) With nested routes, you are always still looking for the user - you
> fetch it in the Journals controller and that's where you can evaluate
> it.  What you can do is fetch the current_user unless the current_user
> is an admin or whatever
> 2) About the routes I'd like to know that... if you always fetch the
> current_user it would be possible since you don't pass the user_id in
> the URL anymore, but admins and such wouldn't be able to see another's
> journal.
>
> Ramon Tayag
>

Tim K.

unread,
Sep 29, 2008, 1:41:20 AM9/29/08
to Ruby on Rails: Talk
Another thought I had would be just being able to replace the /
users/:user_id with /profile

then there could be /profile/journals/2 or whatever... but profile
would be somehow mapped to the users controller passing the @user as
it's default id... am I heading in any form of a sane direction?

Xavier Noria

unread,
Sep 29, 2008, 2:23:30 AM9/29/08
to rubyonra...@googlegroups.com

Two things:

1) A has_many do not necesseraly mean a nested resource _in your
interface_. You can simply configure

map.resources :journals
map.resources :measurements

2) Access control is implemented via AR finders. In this case you'd do

def index
@journals = current_user.journals
end

# before filter
def find_journal
current_user.journals.find(params[:id])
rescue
redirect_to journals_url
end

Tim K.

unread,
Sep 29, 2008, 10:15:41 AM9/29/08
to Ruby on Rails: Talk
I see Xavior - that's makes a lot of sense especially with that
before_filter. I'll refactor a little bit. Thanks.

On Sep 29, 2:23 am, "Xavier Noria" <f...@hashref.com> wrote:
Reply all
Reply to author
Forward
0 new messages