Rails user authorization

I am currently building a Rails app, and trying to figure out the best way to authenticate that a user owns whatever data object they are trying to edit.

I already have an authentication system in place (restful-authentication), and I'm using a simple before_filter to make sure a user is logged in before they can reach certain areas of the website.

However, I'm not sure the best way to handle a user trying to edit a specific piece of data - for example lets say users on my site can own Books, and they can edit the properties of the book (title, author, pages, etc), but they should only be able to do this for Books that -they- own.

In my 'edit' method on the books controller I would have a find that onl开发者_如何学Pythony retrieved books owned by the current_user. However, if another user knew the id of the book, they could type in http://website.com/book/7/edit , and the controller would verify that they are logged in, then show the edit page for that book (seems to bypass the controller).

What is the best way to handle this? Is it more of a Rails convention routing issue that I don't understand (being able to go straight to the edit page), or should I be adding in a before_find, before_save, before_update, after_find etc callbacks to my model?

check out the following gems:

• cancan
• devise
• authlogic

and don't miss Ryan's great railscasts on the above

this will give access to anyone who changes the value in the address bar

@book = Book.find(params[:id])

but if you go through the association of the logged on user rails (ActiveRecord) will automatically update the sql query

@book = current_user.books.find(params[:id])

of course this assumes that your books table has a user_id column

You may need an authorization plugin. I had some experience use this plugin a while back. This article also has an overview:

You might also take a look at Declarative Authorization

Hey I have recently done this myself. The easiest way to do this is to have the edit feature display on the page but incase it in a method such as the following:

  <%if current_user %>
    <% if current_user.id == wishlist.user_id %>
   <div id="text3"><%= link_to 'Edit', edit_wishlist_path(@wishlist) %></div><br />
    <%end%>
   <%end%>

Is this what you were hoping for?