2005 Mar 05
9
Best practice to manage ''id'' hacking?
In my app, a user logs in [via the login generator] and has access to details of his account, and transactions attached to his account. This is achieved in the standard Rails manner by passing the account id or transaction id between the controller and the view. But what is to stop someone hacking the URL or view HTML to access another account id or transaction id? E.g. /account/show/46 becomes