I have an application used by several organizations and I want to check that users of one domain (a.domain.com) cannot edit users of another domain (b.domain.com). My question is where to put the logic, in a before filter or in the view?
View (the render calls need `<%= %>` so the partial's output actually reaches the page):
    <%# only users attached to a website matching the current request host get the form %>
    <% if @user.websites.detect { |website| website.url == request.host } %>
      <%= render :partial => 'form' %>
    <% else %>
      <%= render :partial => 'no_access' %>
    <% end %>
Or, in the controller:
    before_filter :verify_editable_user, :only => [:edit, :update, :delete]

    protected

    # Load the target user and make sure one of its websites matches the host
    # the request came in on; rendering here halts the filter chain, so the
    # action itself never runs.
    def verify_editable_user
      @user = User.find(params[:id], :include => :websites)
      unless @user.websites.detect { |website| website.url == request.host }
        render :action => 'no_access'
      end
    end
In this scenario, the first version feels cleaner to me. However, the second seems more in keeping with MVC. What do you think? Am I way off base? Thanks in advance.
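The following is an added example, not code from the question above, that shows the practical difference between the two placements: a view-level check only decides whether the form is displayed, while a filter on `update` stops the state-changing request itself. It stands in for Rails with plain Ruby Structs and a hand-written controller that mimics before_filter semantics (the filter runs first and, if it renders, the action body is skipped). The `normalize_host` helper and the 403 status are assumptions of this example, not part of the original: they reduce both the stored website url and the request host to a bare lower-case host so that `https://a.domain.com/` and `a.domain.com:8080` compare equal, where the original compares the raw strings.

```ruby
require 'uri'

# Constructed stand-in models (plain Structs, not ActiveRecord) so this runs
# without Rails. A user belongs to one or more websites; each website has a url.
Website = Struct.new(:url)
User    = Struct.new(:id, :name, :websites)

# Reduce a stored website URL or an incoming request host to a bare,
# lower-case host name. Returns nil for anything empty or unparseable,
# which the caller treats as "no match" (fail closed).
def normalize_host(value)
  s = value.to_s.strip.downcase
  return nil if s.empty?
  s = "http://#{s}" unless s.include?('://')
  URI.parse(s).host
rescue URI::InvalidURIError
  nil
end

# The authorization rule itself, kept out of the controller so it can be
# unit-tested: may a request arriving at request_host edit this user?
def editable_from?(user, request_host)
  host = normalize_host(request_host)
  return false if host.nil?
  user.websites.any? { |w| normalize_host(w.url) == host }
end

# Minimal controller sketch mimicking before_filter: verify_editable_user
# runs before update, and if it renders, the action body never executes.
class UsersController
  attr_reader :status, :template

  def initialize(users, request_host)
    @users = users                # stands in for the User table
    @request_host = request_host  # stands in for request.host
  end

  # PUT /users/:id
  def update(params)
    return unless verify_editable_user(params)  # filter halted the chain
    @user.name = params[:name]
    @status, @template = 200, :show
  end

  private

  def verify_editable_user(params)
    @user = @users.find { |u| u.id == params[:id] }
    if @user.nil?
      @status, @template = 404, :not_found
      return false
    end
    unless editable_from?(@user, @request_host)
      @status, @template = 403, :no_access  # deny and stop; nothing is saved
      return false
    end
    true
  end
end

# Constructed data: alice is managed from a.domain.com, bob from b.domain.com.
USERS = [
  User.new(1, 'alice', [Website.new('https://a.domain.com/')]),
  User.new(2, 'bob',   [Website.new('b.domain.com')])
].freeze

def fresh_users
  USERS.map { |u| User.new(u.id, u.name.dup, u.websites) }
end

# Cross-tenant attempt: a request arriving at b.domain.com tries to rename alice.
def cross_tenant_attempt
  users = fresh_users
  c = UsersController.new(users, 'b.domain.com')
  c.update(id: 1, name: 'mallory')
  [c.status, c.template, users[0].name]
end

# Same-tenant attempt from a.domain.com goes through.
def same_tenant_attempt
  users = fresh_users
  c = UsersController.new(users, 'a.domain.com')
  c.update(id: 1, name: 'alice2')
  [c.status, c.template, users[0].name]
end

if __FILE__ == $PROGRAM_NAME
  p cross_tenant_attempt  # [403, :no_access, "alice"]
  p same_tenant_attempt   # [200, :show, "alice2"]
end
```

With the check only in the view, `cross_tenant_attempt` would still rename alice, because a hand-crafted PUT never goes through the edit form. Putting the rule in a small method like `editable_from?` lets the filter, the view (for hiding the form) and a unit test all call the same predicate.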