Can someone explain "Authorizing Ownership"?

I've been going through Railscasts' "7 Security Tips" and was wondering how "current_user.projects.find" is implemented.

# projects_controller.rb
def show
  @project = current_user.projects.find(params[:id])
end

Thank you!

A: 

This defines user.projects:

# app/models/user.rb
class User < ActiveRecord::Base
  has_many :projects
end

Well, if that is what you mean by "implemented"; otherwise take a look at the ActiveRecord source code :)

makevoid
A: 

Actually, I realized that the answer is quite simple, and it is in the Railscast attached to the post.

Initially the @project was retrieved with this construct:

def show
  @project = Project.find(params[:id])
end

All that was needed was to use the ActiveRecord association by doing

@project = current_user.projects.find(params[:id])
Chris F.
OK, so now how is "current_user" defined? And where? Is it in user.rb?
Chris F.
current_user would come from your authentication framework, usually. It represents the logged-in user.
jamuraa
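The before/after from the answer above, as an added example that is not part of the original post or the Railscast. It uses plain Ruby stand-ins for User, Project and the has_many association (no Rails or ActiveRecord is loaded), with a constructed in-memory projects table, so it runs stand-alone. The point it makes is the security one: Project.find(params[:id]) answers any id for any logged-in user, while current_user.projects.find(params[:id]) carries the owner condition into the query and raises the same RecordNotFound for another user's project as for an id that does not exist.

```ruby
# Added example, not from the Railscast or the original post. Plain Ruby stand-ins
# (no Rails, no ActiveRecord) for User, Project and the has_many association, to show
# why scoping the lookup through the owner's association closes the hole in
# Project.find(params[:id]).

class RecordNotFound < StandardError; end

# Constructed stand-in for a projects table: id => row.
PROJECTS_TABLE = {
  1 => { owner_id: 10, name: "alice-secret-plan" },
  2 => { owner_id: 20, name: "bob-budget" },
  3 => { owner_id: 10, name: "alice-roadmap" },
}.freeze

# Mimics how the param is cast to an integer key before the query: anything that is
# not a whole number can never match a row, so it is reported as not found.
def cast_id(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError, TypeError
  raise RecordNotFound, "Couldn't find Project with id=#{raw.inspect}"
end

Project = Struct.new(:id, :owner_id, :name) do
  # Vulnerable pattern: lookup by primary key alone, equivalent to
  #   SELECT * FROM projects WHERE id = ?
  # Any logged-in user who guesses an id gets someone else's project.
  def self.find(raw_id)
    id = cast_id(raw_id)
    row = PROJECTS_TABLE[id] or raise RecordNotFound, "Couldn't find Project with id=#{id}"
    new(id, row[:owner_id], row[:name])
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Stand-in for `has_many :projects`: returns a relation that is already
  # restricted to this user's rows.
  def projects
    ProjectsOwnedBy.new(self)
  end
end

# Stand-in for the association proxy. Every query it runs carries the owner
# condition, so `find` is equivalent to
#   SELECT * FROM projects WHERE owner_id = ? AND id = ?
class ProjectsOwnedBy
  def initialize(owner)
    @owner = owner
  end

  def find(raw_id)
    id = cast_id(raw_id)
    row = PROJECTS_TABLE[id]
    unless row && row[:owner_id] == @owner.id
      # Same error as for an id that does not exist at all, so the caller learns
      # nothing about whether another user's project with that id exists.
      raise RecordNotFound, "Couldn't find Project with id=#{id}"
    end
    Project.new(id, row[:owner_id], row[:name])
  end

  def all
    PROJECTS_TABLE.select { |_, row| row[:owner_id] == @owner.id }
                  .map { |id, row| Project.new(id, row[:owner_id], row[:name]) }
  end
end

# The two versions of ProjectsController#show from the answer, as plain methods.
# params[:id] is a string, as it is in a Rails request.
def show_unscoped(current_user, params)
  Project.find(params[:id]).name # ignores current_user entirely
end

def show_scoped(current_user, params)
  current_user.projects.find(params[:id]).name
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10)
  bob   = User.new(20)
  puts show_unscoped(bob, { id: "1" })   # "alice-secret-plan": bob reads alice's project
  begin
    show_scoped(bob, { id: "1" })
  rescue RecordNotFound => e
    puts "scoped: #{e.message}"          # bob is refused
  end
  puts show_scoped(alice, { id: "1" })   # "alice-secret-plan": the owner still gets it
end
```

The check is the same one the real association performs in SQL: the owner condition is part of the WHERE clause rather than a comparison done after the row has been fetched, so there is no code path that loads another user's record and then forgets to compare owners.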