I''m building something very common to most web applications: there are multiple users, and each user has its own set of resources (e.g. documents). And I need a way of ensuring one user cannot access the resource of another user by simply typing something like /documents/3 into the URL, if 3 is the ID of a document by another user. One way I see is to verify for every request, that the resource being accessed actually belongs to the current user. But perhaps a more elegant approach is to scope the ID of resource to the user, so the post with ID 3 refers to different post for different user, essentially having a composite key; but I''m not sure how that would play with Rails'' preference for global primary key. Any thoughts appreciated. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---