I have a model containing user records and I want each user to only be able to edit his own data. I am storing the user_id in a session table. I was hoping to be able to use validate_on_update that would compare the POSTed id with that stored in the session table, so I wrote (in the model/user.rb file):

    def validate_on_update
      if session[:user_id] != id
        errors.add("You are not allowed to edit this record.")
      end
    end
    end

When I do an update I get "undefined local variable or method `session' for #"

What concept am I not getting here?

Thanks

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

CWu wrote:
> I have a model containing user records and I want each user to only be
> able to edit his own data. I am storing the user_id in a session table.
> I was hoping to be able to use validate_on_update that would compare
> the POSTed id with that stored in the session table, so I wrote (in the
> model/user.rb file):
>
>     def validate_on_update
>       if session[:user_id] != id
>         errors.add("You are not allowed to edit this record.")
>       end
>     end
>     end
>
> When I do an update I get "undefined local variable or method `session'
> for #"
>
> What concept am I not getting here?
>
> Thanks

session is part of the ActionController; you need to pass the data to the model. The simplest way around this would be to simply never allow a foreign user access to the form that edits, by redirecting (not hiding the link).

-- Posted via http://www.ruby-forum.com/.

So how do I pass the data to the model?

On 11/17/06, CWu <wucolin-k38eCpk7LZIsV2N9l4h3zg@public.gmane.org> wrote:
>
> So how do I pass the data to the model?

That is a bad idea. For your case it is better to perform that checking inside the controller action. The model should be independent of all that "session" thing. The model exists outside of those sessions. What would you pass to the model if a model update is run from Rails' console?

This is similar to authorization checking. You would never pass the user to, say, the Post model to see if the user is allowed to see it, right?
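
The controller-side ownership check recommended in the reply above, as an added example that is not part of the original thread. It uses plain-Ruby stand-ins so it runs without Rails: `User`, `UsersController`, the in-memory `STORE` and the sample requests are all constructed for illustration.

```ruby
# Plain-Ruby stand-ins for a Rails model and controller (assumed names, no Rails needed).
class User
  STORE = {} # constructed in-memory "table"
  attr_reader :id
  attr_accessor :email

  def initialize(id, email)
    @id, @email = id, email
    STORE[id] = self
  end

  def self.find(id)
    STORE.fetch(id)
  end

  # The model knows nothing about sessions, so it also works from a console.
  # Only the email field is copied, so a POSTed :id or other key is ignored.
  def update_attributes(attrs)
    self.email = attrs[:email] if attrs.key?(:email)
    true
  end
end

class UsersController
  attr_reader :session, :params

  def initialize(session, params)
    @session, @params = session, params
  end

  # Authorization happens here, where the session exists.
  def update
    return [:redirect, "/login"] unless session[:user_id]
    # Reject a POSTed id that is not the logged-in user's own.
    if params[:id].to_i != session[:user_id]
      return [:forbidden, "You are not allowed to edit this record."]
    end
    # Load by the session's id, never by the client-supplied one.
    user = User.find(session[:user_id])
    user.update_attributes(params[:user] || {})
    [:ok, user]
  end
end

# Constructed sample data and requests.
User.new(1, "alice@example.test")
User.new(2, "bob@example.test")
def own_edit; UsersController.new({ user_id: 1 }, { id: "1", user: { email: "new@example.test" } }).update; end
def foreign_edit; UsersController.new({ user_id: 1 }, { id: "2", user: { email: "x@example.test" } }).update; end
```

The check runs on the update request itself, so a hand-crafted POST that never loaded the edit form is rejected as well.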