Here's how I'd approach this:
Basically, Task.foo (by which I mean "any class-level method on Task") will find / create / delete *any* Task in the system, regardless of who "owns" that task. Our initial version of the TasksController naively passes the ID from the URL (via params[:id]).
So, if user A has task 1 and is looking at the URL:
and changes it to:
then that user can see (and be able to edit, etc.) Task #2, even though task #2 might be owned by another user.
If, instead of "Task.foo", you substitute "current_user.tasks.foo", then you are interacting with the current user (this is supplied by Devise, btw) model's "tasks" method, which only returns tasks that are "owned" by the user.
In other words, for the scenario above, "current_user.tasks.find(2)" would fail with an ActiveRecord::RecordNotFound. Which is better than letting the user find / create / update any & everybody's tasks.
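An added example (not code from the answer above or from Rails itself) that models the difference the answer describes in plain Ruby: there is no ActiveRecord or Devise loaded, so `Task`, `User`, the in-memory `STORE`, the `OwnedRelation` stand-in for the `has_many` association, the bare `RecordNotFound` error and the `TasksController#show_unscoped` / `#show_scoped` actions are all constructed here. The point is that the naive action resolves whatever `params[:id]` the URL carries system-wide, while the scoped action only resolves ids within the current user's own tasks.

```ruby
# Stand-in for ActiveRecord::RecordNotFound (constructed for this example).
class RecordNotFound < StandardError; end

class Task
  STORE = [] # stands in for the tasks table (constructed, in-memory)

  attr_reader :id, :owner_id, :title

  def initialize(id, owner_id, title)
    @id, @owner_id, @title = id, owner_id, title
    STORE << self
  end

  # Mirrors Task.find(id): primary-key lookup across *every* row,
  # with no ownership check at all.
  def self.find(id)
    STORE.find { |t| t.id == Integer(id) } or raise RecordNotFound, "Task #{id}"
  end

  # Mirrors the relation returned by current_user.tasks: the same #find
  # interface, but only the owner's rows are visible through it.
  class OwnedRelation
    def initialize(owner_id)
      @owner_id = owner_id
    end

    def find(id)
      Task::STORE.find { |t| t.id == Integer(id) && t.owner_id == @owner_id } or
        raise RecordNotFound, "Task #{id} for user #{@owner_id}"
    end
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Mirrors has_many :tasks: the relation is pre-scoped to this user.
  def tasks
    Task::OwnedRelation.new(id)
  end
end

class TasksController
  def initialize(current_user)
    @current_user = current_user
  end

  # The naive action from the question: the :id from the URL is looked up
  # system-wide, so any authenticated user reaches any task.
  def show_unscoped(params)
    Task.find(params[:id]).title
  end

  # The fix the answer recommends: look up through the user's own tasks,
  # so a foreign id does not resolve and RecordNotFound is raised.
  def show_scoped(params)
    @current_user.tasks.find(params[:id]).title
  end
end

# Constructed sample data: user 1 owns task 1, user 2 owns task 2.
Task.new(1, 1, "write report")
Task.new(2, 2, "rotate credentials")

# Returns [unscoped outcome, scoped outcome] for a given user and task id;
# a RecordNotFound is reported as :not_found.
def access_outcome(user_id, task_id)
  controller = TasksController.new(User.new(user_id))
  params = { id: task_id.to_s } # ids arrive from the URL as strings
  [:show_unscoped, :show_scoped].map do |action|
    begin
      controller.public_send(action, params)
    rescue RecordNotFound
      :not_found
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p access_outcome(1, 1) # => ["write report", "write report"]
  p access_outcome(1, 2) # => ["rotate credentials", :not_found]
end
```

Running it shows user 1 reading their own task through either action, but reading task 2 only through the unscoped one. The same scoping applies to create and update: building through `current_user.tasks` sets the owner automatically, and `current_user.tasks.find` for an update rejects foreign ids the same way.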