I'm building a Rails app to manage an investment portfolio, with models including:

    User (has_many :portfolios)
    Portfolio (belongs_to :user, has_many :accounts)
    Account (belongs_to :portfolio)

The relevant SQL is:

    CREATE TABLE users (
      id INTEGER AUTO_INCREMENT PRIMARY KEY,
      ...
    );
    CREATE TABLE portfolios (
      id INTEGER AUTO_INCREMENT PRIMARY KEY,
      user_id INTEGER NOT NULL,
      ...
    );
    CREATE TABLE accounts (
      id INTEGER AUTO_INCREMENT PRIMARY KEY,
      portfolio_id INTEGER NOT NULL,
    );

The app requires user authentication, and I wish to limit visibility of data to that associated with the logged-in user (i.e., the portfolio list should only include the current user's portfolios, not all portfolios in the database).

My current approach is to add :conditions and :joins to the find() methods in the controllers. For example, the portfolio controller's edit() method includes:

    @portfolio = Portfolio.find(params[:id], :conditions => ["user_id = ?", session[:user_id]])

(straightforward since there's a direct link between the portfolio record and the user record)

and the account controller's edit method includes:

    @account = Account.find(params[:id], :joins => ["inner join portfolios as p on accounts.portfolio_id = p.id and p.user_id = " + session[:user_id].to_s])

(have to join through the portfolio record to get to the user)

This seems error prone (have to remember to do this throughout the controllers), particularly as you get farther down into the model (e.g., accounts include transactions, which will require two joins to reach the user_id).

Is there a more systematic/declarative way to go about this? I've looked through the main list of Rails plugins, but all the ACL ones seem to be limited to roles, and not data ownership.

TIA,
Tim
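An added example, not part of the original post: a plain-Ruby sketch of declaring each table's path to its owning user once and routing every lookup through one helper, so a record owned by another user is treated exactly like a missing one. The `OWNER_PATH` table, the `owner_id` and `find_owned` helpers, and the in-memory rows are hypothetical and constructed for illustration; no Rails API is used.

```ruby
# Added illustration (plain Ruby, no Rails): ownership is declared once per
# table and enforced by a single lookup helper. All names and rows are constructed.
class RecordNotFound < StandardError; end

# Constructed sample rows mirroring the schema in the post.
DB = {
  users:      { 1 => {}, 2 => {} },
  portfolios: { 10 => { user_id: 1 }, 11 => { user_id: 2 } },
  accounts:   { 100 => { portfolio_id: 10 }, 101 => { portfolio_id: 11 } }
}.freeze

# Declarative ownership: each table names the foreign key and the parent
# table that lead one step closer to users.
OWNER_PATH = {
  portfolios: [:user_id, :users],
  accounts:   [:portfolio_id, :portfolios]
}.freeze

# Walk the declared chain from a record up to the id of the user who owns it.
def owner_id(table, id)
  until table == :users
    row = DB.fetch(table)[id] or raise RecordNotFound, "#{table}/#{id}"
    fk, parent = OWNER_PATH.fetch(table) # KeyError if no path is declared: fails closed
    id = row.fetch(fk)
    table = parent
  end
  DB[:users].key?(id) ? id : raise(RecordNotFound, "users/#{id}")
end

# Single entry point for controllers: returns the row only when the chain
# ends at current_user_id. A foreign record raises the same error as a
# missing one, so responses do not reveal which ids exist.
def find_owned(table, id, current_user_id)
  raise RecordNotFound, "#{table}/#{id}" if current_user_id.nil?
  raise RecordNotFound, "#{table}/#{id}" unless owner_id(table, id) == current_user_id
  DB[table][id]
end
```

A deeper table such as transactions needs only one more `OWNER_PATH` entry pointing at accounts; the lookup helper itself does not change.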