Securing Data to a specific domain in Rails
We have an application which is multi-tenant (lots of users all accessing their own data, similar to something like Basecamp).
Question is, what is the simplest and easiest way in Rails to ensure that users can only see their own accounts data? Is it a case of going and checking every single query?
A way to make that happen:
- Use subdomains, so it's customer.domain.com. Then in your Application controller, have a before filter that will find the subdomain and set a @customer variable.
- Always get data from the customer, so you say @customer.quotes.find(params[:id]) rather than Quote.find(params[:id]).
So, yes, in a multi-tenant database, you need to check every query.
You can use the subdomain, but you can also use current_user, depending on your authentication method. Explained:
I log in, and now I have my current_user. A User has many posts. So now, if I want to find all my posts, I should do current_user.posts.all or current_user.posts.find().
Don't rely on cookies or on "hidden paths", since that won't work. Write tests to check that you didn't break your authorization schema.
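As an added illustration of the scoping both answers describe (plain Ruby, not Rails, and not code from the original post): an in-memory stand-in in which the unscoped Quote.find returns any tenant's row, while looking the quote up through the tenant's association turns a foreign id into a not-found. The tenant and quote rows, and the Customer and QuoteScope names, are constructed for this example.

```ruby
class RecordNotFound < StandardError; end
# Constructed sample data: two tenants, each owning one quote.
CUSTOMERS = [{ id: 1, subdomain: "acme" }, { id: 2, subdomain: "globex" }].freeze
QUOTES = [{ id: 10, customer_id: 1, total: 100 },
          { id: 20, customer_id: 2, total: 250 }].freeze

# Unscoped lookup, the stand-in for Quote.find(params[:id]): it returns any
# tenant's row as long as the id exists.
module Quote
  def self.find(id)
    QUOTES.find { |q| q[:id] == id } || raise(RecordNotFound, "Quote #{id}")
  end
end

# Stand-in for the has_many association: every query goes through the tenant,
# so an id that belongs to another tenant is simply "not found".
class QuoteScope
  def initialize(customer)
    @customer = customer
  end

  def all
    QUOTES.select { |q| q[:customer_id] == @customer.id }
  end

  def find(id)
    all.find { |q| q[:id] == id } || raise(RecordNotFound, "Quote #{id}")
  end
end

Customer = Struct.new(:id, :subdomain) do
  # Stand-in for find_by(subdomain: ...) in the before filter; nil if unknown.
  def self.find_by_subdomain(sub)
    row = CUSTOMERS.find { |c| c[:subdomain] == sub }
    row && new(row[:id], row[:subdomain])
  end
  def quotes
    QuoteScope.new(self)
  end
end

# Mirrors the before filter plus the scoped action: the tenant is taken from
# the Host header's first label, then the quote is looked up through it.
# Returns nil when the tenant is unknown or the quote is not theirs.
def show_quote(host, id)
  customer = Customer.find_by_subdomain(host.split(".").first) or return nil
  customer.quotes.find(id)
rescue RecordNotFound
  nil
end
```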