In the controller, do something like:
@order = current_user.orders.find(params[:id])
@return = @order.returns.create(params[:return])
The first line will only find the order if it belongs to the current user.
-Jonathan.
On 12/3/06, Ben Johnson
<rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
wrote:
>
> This is a common situation and I was wondering what the professional way
> to handle this would be:
>
> I am going to create an example here, this example is just to help you
> grasp the concept.
>
> You have 3 models:
> Users
> Orders
> Returns
>
> Users has many orders and orders has many returns. A user goes to create
> a return, I want to validate that the return is assigned to an order
> that belongs to that user. Because when he goes to create the return he
> has to select which order it is for. He could easily send me any order
> id he wants.
>
> I realize you could validate this in the controller, but this isn't
> where the validation belongs in my opinion. So I thought that it might
> not be a bad idea to create a class called Globals or something and then
> I could pass their user object to it. Now the models have access to this
> user object and the validation can be in the model instead of the
> controller.
>
> What do you think is the best solution here? Because the last thing I
> want to happen is to allow users to start creating returns for other
> users.
>
> Thanks for your help.
>
> --
> Posted via http://www.ruby-forum.com/.
>
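The difference between an unscoped lookup and the scoped lookup suggested in the reply above, as an added example that is not part of the original thread. It uses plain-Ruby stand-ins for the ActiveRecord models so it runs without Rails; the helper names (`find_unscoped`, `find_scoped`, `create_return`, `create_action`) and the sample orders are constructed for illustration.

```ruby
# Plain-Ruby stand-ins for the ActiveRecord models (constructed sample data).
class RecordNotFound < StandardError; end

Order  = Struct.new(:id, :user_id)
Return = Struct.new(:order_id, :reason)

ORDERS  = [Order.new(1, 10), Order.new(2, 20)].freeze # order 2 belongs to user 20
RETURNS = []

# Stand-in for Order.find(id): looks up by id only, no ownership check.
def find_unscoped(id)
  ORDERS.find { |o| o.id == id.to_i } or raise RecordNotFound, "Order #{id}"
end

# Stand-in for current_user.orders.find(id): id AND owner must both match.
def find_scoped(user_id, id)
  ORDERS.find { |o| o.id == id.to_i && o.user_id == user_id } or
    raise RecordNotFound, "Order #{id} for user #{user_id}"
end

# Stand-in for @order.returns.create(params[:return]). The order id is taken
# from the already-authorized order, never from the submitted attributes.
def create_return(order, attrs)
  ret = Return.new(order.id, attrs[:reason])
  RETURNS << ret
  ret
end

# Controller action: returns [:created, ret] or [:not_found, nil].
def create_action(current_user_id, params, scoped:)
  order = scoped ? find_scoped(current_user_id, params[:id]) : find_unscoped(params[:id])
  [:created, create_return(order, params[:return])]
rescue RecordNotFound
  [:not_found, nil] # same answer as for an id that does not exist
end

if __FILE__ == $PROGRAM_NAME
  # User 10 submits order id 2, which belongs to user 20.
  forged = { id: "2", return: { reason: "not mine", order_id: 1 } }
  p create_action(10, forged, scoped: false) # unscoped lookup accepts the forged id
  p create_action(10, forged, scoped: true)  # scoped lookup rejects it
end
```

Answering a foreign order id with the same "not found" result as a nonexistent id also avoids confirming which order ids exist.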