similar to: Securing my database with user session data

Displaying 20 results from an estimated 40000 matches similar to: "Securing my database with user session data"

2008 Dec 19
3
Recommended way of restricting action permissions?
Hi, I just have a "best practices" question. I'd like to block users that don't own a particular resource from performing edit/update/destroy actions on it. Here's how I currently do it: ## User has many resources, of different types ------- resource_controller.rb ------- before_filter :require_ownership, :only => [:edit, :update, :destroy] ... public
2011 Dec 23
6
http session nil
Hi all, I am new in Ruby on Rails. I have one issue regarding the session in Ruby on Rails. I am using session, I have the following condition in my rhtml <%if @session['user'].first_name == "admin"%> <table width="290" border="0" height="20" align="right" cellspacing="0"
2006 Apr 04
26
Models accessing the session...
Can someone tell me if there is a reason models shouldn't access the session? Models could easily be made to access the session or some other shared persistent data store such as a file or a table. _This is the problem_, a model needs to know certain information eg. the id of the current user. But the model has no idea about anything outside of itself, because it can't access
2006 Aug 16
3
calculate method is gone once I use 'find'?
Could someone please explain why this works: current_user.accounts.sum(:balance) But not this: current_user.accounts.find_all_by_active(true).sum(:balance) For the latter Rails tells me sum is an undefined method. It seems like I lose the ActiveRecord methods when I call 'find'? This (simpler) does not work either: current_user.accounts.find_all.sum(:balance) Thanks!
2006 Mar 16
6
Sessions or lookups?
My application needs to know if a user is an administrator, for security and aesthetic reasons. At the moment, I store true/false in the session by doing the following at login: session[:user_is_admin] = authenticated_user.is_admin? Is this OK to do? Or should I really be doing the following every time: User.find(session[:user_id]).is_admin? (user_id is always in the session too) Is there
2006 Nov 17
4
before_destroy and sessions
(Semi-newbie.) I want to ensure a user's able to destroy only his own objects. I've set session info at login: session[:user_id] = user.id Now I try this in the model of my deletable objects: before_destroy :destroy_your_own def destroy_your_own raise "Can't delete that!" unless session[:user_id] == self.user.id end which snags EVERY attempted
2006 Apr 19
4
Another DRY question
I have some code working that lists only items from a particular user. The code in my list action finds the user and then conditionally lists only his/her items: def list user = User.find(session[:user]) user_id = user.id @product_pages, @products = paginate :products, :per_page => 10, :conditions =>['user_id = ?', user.id]
2007 Jul 12
3
Agh, this is annoying. Why is this happening?
My problem: Mock 'Task_1005' received unexpected message :user_id= with (1) No matter what I do to try to stub that out it will still fail out and give me that message. Here is my spec describe TasksController, "handling POST /tasks" do before(:each) do @task = mock_model(Task, :to_param => "1", :save => true)
2012 Apr 10
6
User Association
Please, I'm trying to create an application where I can post like Twitter, but I want the user's name to be posted under their respective posts. My Post_controller looks like this: def index @posts = Post.all(:order => "created_at DESC") @users = User.find(:all) #@user_id = current_user.find(params[:id]) respond_to do |format| format.html end end def create
2006 Mar 02
3
Modifying "Find" to always add a condition?
I'd like to always add a condition to any version of "find" (e.g. Thing.find(), Thing.find_by_name(), Thing.find_by_whatever) so that in addition to whatever conditions are set, an additional condition is set :conditions=>"user_id=#{current_user.id}" I'd like to make sure that a user only sees/edits/creates entries in the database that have the user_id
2008 Jan 30
2
Where can I get "authenticate_with_http_basic"?
Hi, I just installed Rails 2.0.2 [root@mymachine easyx]# ruby --version ruby 1.8.6 (2007-03-13 patchlevel 0) [i686-linux] [root@mymachine easyrx]# gem install rails --include-dependencies Need to update 16 gems from http://gems.rubyforge.org ................ complete Successfully installed rails-2.0.2 [root@remandev easyrx]# But I'm getting this error in my restful_authentication
2012 Aug 17
3
Rails doesn't validate create_model or build_model (has_one association)
I've got User has_one Shop. Rails is not validating when I tried create_shop or build_shop, neither in the browser nor the rails console. My code: class Shop < ActiveRecord::Base attr_protected :user_id belongs_to :user validates_presence_of :name, :primary_address, :city, :country_code, :currency end class ShopsController < ApplicationController before_filter
2007 Dec 19
6
thread_pooling sleeping
I'm trying to run a single worker that could perform a periodic task for a given user. From a controller, I imagine something like: def start_job MiddleMan.ask_work(:worker => :foo_worker, :worker_method => :perform_task, :data => { :user_id => current_user.id }) end def check_job @status = MiddleMan.ask_status(:worker => :foo_worker)[current_user.id] end
2006 Jun 02
6
Set instance variable for all actions in the Controller
Can I set an application wide instance variable that is available for all actions...and their views? eg. class ApplicationController < ActionController::Base @current_user = User.find(session[:user_id]) end and everywhere I can call @current_user.id and I can get that object? Even down in the views? I could not get this to work... Thanks in advance, Jeff
2010 Nov 20
6
syntax error, unexpected tSTRING_BEG
Rails is throwing this error C:/Ruby/Depot/app/views/products/index.html.erb:28: syntax error, unexpected tSTRING_BEG, expecting keyword_do or '{' or '(' ...er.privilege == 50 ? {link_to 'Show', product} : 'a' );@out... in line <%= current_user.privilege == 50 ? {link_to 'Show', product} :
2006 Mar 26
5
How to write manage created_on and created_by via mixin?
Hi! Definite newbie here - I'm working through this like-hate relationship with Ruby and Rails right now... sometimes things work really well (like blobs seem to rock) but other times, I dunno! :-) Anyway, I'd like to put in create and update user timestamps on all my primary domain tables and allow them to be updated automatically by ActiveRecord. Coming from Hibernate, I just
2011 Jun 11
1
Having a problem adding a foreign key
I keep getting this exception "SQLite3::SQLException: no such column: books.user_id: SELECT "books".* FROM "books" WHERE ("books".user_id = 4)", which sounds like there is no user_id in books table. So I just installed foreigner plugin and added " t.integer :user_id, :null => false" and "add_foreign_key(:books, :users)" in book
2010 Mar 31
1
How to assign currently logged in user name to a table field
I have 3 tables items (columns are: id, name, type) history (columns are: id, date, username, item_id, user_id) user (id, username, password) When a user "ABC" logs in and creates a new item, a history record gets created with the following after_create filter. How to set the username field in history table to "ABC". class Item < ActiveRecord::Base has_many :histories
2006 Oct 31
1
Help with DRY. I feel like I'm doing more than I have to.
Throughout my Message controller, I do this a lot: @message = Message.find(params[:id],:conditions => ["user_id = ?", @session['user'].id]) Since you need to authenticate to use this app, is there a way I can tie the Accounts model in with the Message model so I don't have to pass in the user_id every time?
2011 May 16
2
Cannot get multipart => true running well in my form when using remote => true
I have a simple form, with a file field = form_for (Clip.new), :html => {:multipart => true} , :remote => true , do |f| = f.hidden_field :user_id, {:value => current_user.id} = f.text_field :name = f.text_area :description = f.file_field :image = f.submit I18n.t(:add) generating the html code <form accept-charset="UTF-8"