
User specific "resources" with devise and Rails?

user has many diary_entries

diary_entries are private to user, so that user can create/edit/see only his own diary_entries.

I haven't implemented this pattern before and am trying to figure out how to do this.

First step would be to before_filter :authenticate_user!, but this makes diary_entries still a "shared" resource among registered users.

In diary_entries#create action, we set @diary_entry.user = current_user. We then could allow editing/updating only if @diary_entry.user == current_user.

Index action simply lists current_user.diary_entries instead of all diary entries.

Am I thinking along the right lines here? Is there a better way to do this?


I would recommend using CanCan to implement permissions. It would make it very easy to restrict a user's access to their own diary_entries. It is also very easy to use. Don't write your own code to handle permissions, otherwise you'll risk compromising privacy and/or security if there are any bugs.
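An added example, not part of the original question or answer: a plain-Ruby model of the owner-scoping idea from the question, where every lookup goes through the current user's own entries, so another user's id behaves like a missing record. All class names and the in-memory store are hypothetical stand-ins; in a Rails controller the equivalent lookup is `current_user.diary_entries.find(params[:id])`.

```ruby
# Plain-Ruby model of owner-scoped lookups; all classes are hypothetical stand-ins.
class NotFound < StandardError; end
DiaryEntry = Struct.new(:id, :user_id, :body)

# Stand-in for the has_many association: every query is pre-filtered by owner.
OwnedEntries = Struct.new(:store, :user_id) do
  def all
    store.select { |e| e.user_id == user_id }
  end

  # Another user's id is indistinguishable from a missing id.
  def find(id)
    all.find { |e| e.id == id.to_i } || raise(NotFound, "no entry #{id}")
  end

  # Owner comes from the scope; a user_id supplied in params is ignored.
  def create(params)
    entry = DiaryEntry.new(store.size + 1, user_id, params[:body])
    store << entry
    entry
  end
end

User = Struct.new(:id, :store) do
  def diary_entries
    OwnedEntries.new(store, id)
  end
end

# Stand-in for the controller; current_user is the authenticated user.
DiaryEntriesController = Struct.new(:current_user) do
  def index
    current_user.diary_entries.all
  end

  def create(params)
    current_user.diary_entries.create(params)
  end

  def update(params)
    entry = current_user.diary_entries.find(params[:id])
    entry.body = params[:body]
    entry
  end
end

STORE = []                   # constructed in-memory "table"
ALICE = User.new(1, STORE)   # constructed sample users
BOB   = User.new(2, STORE)
```

Because the owner check lives in the lookup itself, no action can forget to compare `@diary_entry.user` with `current_user` after loading the record.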
