Topic: drying up security check


I have an order model and a user model. A user can have 0 or many orders. I have a method in the order model to find the order which takes in the order ID. I also pass in the user ID of the currently logged in user so the find can add the user ID to the find conditions for security, to stop people viewing orders not belonging to them.

So if somebody tries to find someone else's order, a record not found exception will be thrown. I could in a controller call this method, catch the exception if there is one, create an error message and redirect them. The thing is that I call the method quite a lot, so there is a lot of duplication checking for the exception, creating the error etc.

I could create a private method in my controller to do all this, safe in the knowledge that any failure will be handled in the new method, but the thing is I want to find the order in more than 1 controller, so I would have to repeat this in multiple controllers too.

What is the best way to handle this kind of situation?


Re: drying up security check

I believe you can just have it as a private method in application.rb. You will be able to use it throughout your application that way.
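An added plain-Ruby sketch of the pattern this reply describes, not code from the thread: the in-memory Order table, the RecordNotFound class and the two controller classes are constructed stand-ins for the Rails pieces (ActiveRecord::RecordNotFound, ApplicationController in application.rb and rescue_from).

```ruby
# Added illustration: a plain-Ruby stand-in for the Rails pattern the reply
# suggests. Order, RecordNotFound and the controller classes are constructed
# in-memory stand-ins, not ActiveRecord or ActionController.

class RecordNotFound < StandardError; end # stands in for ActiveRecord::RecordNotFound

Order = Struct.new(:id, :user_id, :total)

# Constructed sample data: user 10 owns orders 1 and 2, user 20 owns order 3.
ORDERS = [Order.new(1, 10, 25.0), Order.new(2, 10, 40.0), Order.new(3, 20, 12.5)].freeze

# Model-level finder: the user id is part of the lookup condition, so an order
# that exists but belongs to someone else looks exactly like one that does not exist.
def Order.find_for_user(order_id, user_id)
  ORDERS.find { |o| o.id == order_id && o.user_id == user_id } ||
    raise(RecordNotFound, "Couldn't find Order with id=#{order_id}")
end

# Stand-in for ApplicationController: the scoped lookup and the failure handling
# are written once here and inherited by every controller.
class ApplicationController
  attr_reader :current_user_id, :flash, :redirected_to

  def initialize(current_user_id)
    @current_user_id = current_user_id
    @flash = {}
  end

  # Runs an action; a RecordNotFound anywhere inside it becomes an error
  # message plus a redirect, the job rescue_from does in Rails.
  def run(action, *args)
    send(action, *args)
  rescue RecordNotFound
    @flash[:error] = "That order could not be found."
    @redirected_to = "/orders"
    nil
  end

  private

  def find_order(order_id)
    Order.find_for_user(order_id, current_user_id)
  end
end

class OrdersController < ApplicationController
  def show(order_id)
    find_order(order_id).total # private helper inherited from the base class
  end
end
```

Because ownership is part of the lookup rather than a check bolted on afterwards, a controller that forgets to verify ownership cannot leak another user's order; it simply gets the same not-found path.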

Re: drying up security check

thanks mzbphoto. That seems a lot better.