So I'm using nested routes for a users model that has measurements and journals... like this:

    map.resources :users do |users|
      users.resources :journals
      users.resources :measurements
    end

This of course builds routes as something like:

    /user/:user_id/journals/:id
    /user/:user_id/measurements/:id

In the case of this application the logged in user is only going to be accessing his or her own resources (journals and measurements). So my question is: What is the proper way to accommodate that in routing so that /user/:user_id isn't necessary and just going to /journals or /journals/:id would ensure that I'm going to the currently logged in user's journals or measurements? And in turn, what would be the best way of making sure that users can't type /journal/:id and see another user's record once that :user_id was trimmed off (they should only be able to see their own).

Thoughts? I greatly appreciate it.

Thanks.
Tim K.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

I've never done this but I'll give my 2 cents anyway:

1) With nested routes, you are always still looking for the user - you fetch it in the Journals controller and that's where you can evaluate it. What you can do is fetch the current_user unless the current_user is an admin or whatever

2) About the routes I'd like to know that... if you always fetch the current_user it would be possible since you don't pass the user_id in the URL anymore, but admins and such wouldn't be able to see another's journal.

Ramon Tayag

On Mon, Sep 29, 2008 at 12:45 PM, Tim K. <jangchub-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> So I'm using nested routes for a users model that has measurements and
> journals... like this:
>
> map.resources :users do |users|
>   users.resources :journals
>   users.resources :measurements
> end
>
> This of course builds routes as something like:
>
> /user/:user_id/journals/:id
> /user/:user_id/measurements/:id
>
> In the case of this application the logged in user is only going to be
> accessing his or her own resources (journals and measurements). So my
> question is: What is the proper way to accommodate that in routing so
> that /user/:user_id isn't necessary and just going to /journals or
> /journals/:id would ensure that I'm going to the currently logged
> in user's journals or measurements? And in turn, what would be the
> best way of making sure that users can't type /journal/:id and see
> another user's record once that :user_id was trimmed off (they should
> only be able to see their own).
>
> Thoughts? I greatly appreciate it.
>
> Thanks.
> Tim K.

Ramon - Fetching the current_user in the Journals controller doesn't solve the issue, unless I'm misunderstanding you. The current_user is set to an instance variable called @user so @user.id would be equal to :user_id within the route. When I call @journals I'm using the relationship to grab the journals such as @journals = @user.journal. The question is really about the routing not about getting the user_id in question. I'm trying to take advantage of the restful routes such as user_journals_path and all that but without the need to have /users/:user_id in the url.

Does anyone have any experience in doing something like this?

On Sep 29, 1:00 am, "Ramon Miguel M. Tayag" <ramon.ta...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I've never done this but I'll give my 2 cents anyway:
>
> 1) With nested routes, you are always still looking for the user - you
> fetch it in the Journals controller and that's where you can evaluate
> it. What you can do is fetch the current_user unless the current_user
> is an admin or whatever
> 2) About the routes I'd like to know that... if you always fetch the
> current_user it would be possible since you don't pass the user_id in
> the URL anymore, but admins and such wouldn't be able to see another's
> journal.
>
> Ramon Tayag
>
> On Mon, Sep 29, 2008 at 12:45 PM, Tim K. <jangc...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > So I'm using nested routes for a users model that has measurements and
> > journals... like this:
>
> > map.resources :users do |users|
> >   users.resources :journals
> >   users.resources :measurements
> > end
>
> > This of course builds routes as something like:
>
> > /user/:user_id/journals/:id
> > /user/:user_id/measurements/:id
>
> > In the case of this application the logged in user is only going to be
> > accessing his or her own resources (journals and measurements). So my
> > question is: What is the proper way to accommodate that in routing so
> > that /user/:user_id isn't necessary and just going to /journals or
> > /journals/:id would ensure that I'm going to the currently logged
> > in user's journals or measurements? And in turn, what would be the
> > best way of making sure that users can't type /journal/:id and see
> > another user's record once that :user_id was trimmed off (they should
> > only be able to see their own).
>
> > Thoughts? I greatly appreciate it.
>
> > Thanks.
> > Tim K.

Another thought I had would be just being able to replace the /users/:user_id with /profile then there could be /profile/journals/2 or whatever... but profile would be somehow mapped to the users controller passing the @user as its default id... am I heading in any form of a sane direction?

On Sep 29, 1:32 am, "Tim K." <jangc...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Ramon - Fetching the current_user in the Journals controller doesn't
> solve the issue, unless I'm misunderstanding you. The current_user is
> set to an instance variable called @user so @user.id would be equal
> to :user_id within the route. When I call @journals I'm using the
> relationship to grab the journals such as @journals = @user.journal.
> The question is really about the routing not about getting the user_id
> in question. I'm trying to take advantage of the restful routes such
> as user_journals_path and all that but without the need to have
> /users/:user_id in the url.
>
> Does anyone have any experience in doing something like this?
>
> On Sep 29, 1:00 am, "Ramon Miguel M. Tayag" <ramon.ta...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>
> > I've never done this but I'll give my 2 cents anyway:
>
> > 1) With nested routes, you are always still looking for the user - you
> > fetch it in the Journals controller and that's where you can evaluate
> > it. What you can do is fetch the current_user unless the current_user
> > is an admin or whatever
> > 2) About the routes I'd like to know that... if you always fetch the
> > current_user it would be possible since you don't pass the user_id in
> > the URL anymore, but admins and such wouldn't be able to see another's
> > journal.
>
> > Ramon Tayag
>
> > On Mon, Sep 29, 2008 at 12:45 PM, Tim K. <jangc...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > > So I'm using nested routes for a users model that has measurements and
> > > journals... like this:
>
> > > map.resources :users do |users|
> > >   users.resources :journals
> > >   users.resources :measurements
> > > end
>
> > > This of course builds routes as something like:
>
> > > /user/:user_id/journals/:id
> > > /user/:user_id/measurements/:id
>
> > > In the case of this application the logged in user is only going to be
> > > accessing his or her own resources (journals and measurements). So my
> > > question is: What is the proper way to accommodate that in routing so
> > > that /user/:user_id isn't necessary and just going to /journals or
> > > /journals/:id would ensure that I'm going to the currently logged
> > > in user's journals or measurements? And in turn, what would be the
> > > best way of making sure that users can't type /journal/:id and see
> > > another user's record once that :user_id was trimmed off (they should
> > > only be able to see their own).
>
> > > Thoughts? I greatly appreciate it.
>
> > > Thanks.
> > > Tim K.

On Mon, Sep 29, 2008 at 6:45 AM, Tim K. <jangchub-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> So I'm using nested routes for a users model that has measurements and
> journals... like this:
>
> map.resources :users do |users|
>   users.resources :journals
>   users.resources :measurements
> end
>
> This of course builds routes as something like:
>
> /user/:user_id/journals/:id
> /user/:user_id/measurements/:id
>
> In the case of this application the logged in user is only going to be
> accessing his or her own resources (journals and measurements). So my
> question is: What is the proper way to accommodate that in routing so
> that /user/:user_id isn't necessary and just going to /journals or
> /journals/:id would ensure that I'm going to the currently logged
> in user's journals or measurements? And in turn, what would be the
> best way of making sure that users can't type /journal/:id and see
> another user's record once that :user_id was trimmed off (they should
> only be able to see their own).

Two things:

1) A has_many does not necessarily mean a nested resource _in your interface_. You can simply configure

    map.resources :journals
    map.resources :measurements

2) Access control is implemented via AR finders. In this case you'd do

    def index
      # only the logged-in user's journals are ever listed
      @journals = current_user.journals
    end

    # before filter
    def find_journal
      # scoped through the association, so another user's id is simply not found;
      # keep the record for the action that runs next
      @journal = current_user.journals.find(params[:id])
    rescue ActiveRecord::RecordNotFound
      # rescue only the "not found" case so unrelated errors are not swallowed
      redirect_to journals_url
    end

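The difference between a lookup that trusts the :id from the URL and the owner-scoped finder from the reply above, as an added example that is not part of the original thread. It uses plain-Ruby stand-ins for ActiveRecord so it runs without Rails; `RecordNotFound`, `OwnedJournals`, `show_unscoped`, `show_scoped` and the sample data are all hypothetical.

```ruby
# Added example: plain-Ruby stand-ins for the Rails pieces, so it runs without gems.
# RecordNotFound, Journal, OwnedJournals, User and both show_* methods are hypothetical.
class RecordNotFound < StandardError; end

Journal = Struct.new(:id, :user_id, :body)

# Constructed sample data: two users, one journal each.
JOURNALS = [
  Journal.new(1, 10, "alice's entry"),
  Journal.new(2, 20, "bob's entry")
].freeze

# Plays the role of current_user.journals: every lookup is confined
# to rows whose user_id matches the owner.
class OwnedJournals
  def initialize(user_id)
    @user_id = user_id
  end

  def all
    JOURNALS.select { |j| j.user_id == @user_id }
  end

  def find(id)
    all.find { |j| j.id == id.to_i } or raise RecordNotFound, "no journal #{id}"
  end
end

User = Struct.new(:id) do
  def journals
    OwnedJournals.new(id)
  end
end

# Unscoped: trusts the :id from the URL, so ownership is never checked.
def show_unscoped(_current_user, params)
  JOURNALS.find { |j| j.id == params[:id].to_i }
end

# Scoped, as in the before filter: another user's id looks like a missing row.
def show_scoped(current_user, params)
  current_user.journals.find(params[:id])
rescue RecordNotFound
  :redirect_to_journals # stand-in for redirect_to journals_url
end
```

With the flat /journals/:id routes, the scoped finder is the only ownership check left, so every action that loads a record by id has to go through it.
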
I see Xavier - that makes a lot of sense especially with that before_filter. I'll refactor a little bit. Thanks.

On Sep 29, 2:23 am, "Xavier Noria" <f...-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org> wrote:
> On Mon, Sep 29, 2008 at 6:45 AM, Tim K. <jangc...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > So I'm using nested routes for a users model that has measurements and
> > journals... like this:
>
> > map.resources :users do |users|
> >   users.resources :journals
> >   users.resources :measurements
> > end
>
> > This of course builds routes as something like:
>
> > /user/:user_id/journals/:id
> > /user/:user_id/measurements/:id
>
> > In the case of this application the logged in user is only going to be
> > accessing his or her own resources (journals and measurements). So my
> > question is: What is the proper way to accommodate that in routing so
> > that /user/:user_id isn't necessary and just going to /journals or
> > /journals/:id would ensure that I'm going to the currently logged
> > in user's journals or measurements? And in turn, what would be the
> > best way of making sure that users can't type /journal/:id and see
> > another user's record once that :user_id was trimmed off (they should
> > only be able to see their own).
>
> Two things:
>
> 1) A has_many does not necessarily mean a nested resource _in your
> interface_. You can simply configure
>
> map.resources :journals
> map.resources :measurements
>
> 2) Access control is implemented via AR finders. In this case you'd do
>
> def index
>   @journals = current_user.journals
> end
>
> # before filter
> def find_journal
>   current_user.journals.find(params[:id])
> rescue
>   redirect_to journals_url
> end