#416 ✓hold
Xavier Noria

nested resources and authorization

Reported by Xavier Noria | August 16th, 2010 @ 06:59 PM | in The Rails 3 Way

Section 3.7.2 talks about non-shallowed routes, but the example fails to depict the point, I think.

When you say /auctions/23/bids/3, the 23 is totally irrelevant, you do not need to scope like you do in the example to justify that you do not ask for /bids/3 directly.

It would be more suited to the explanation to assume that you need to check the auction belongs to the current user:

@auction = current_user.auctions.find(...)
@bid     = @auction.bids.find(...)

It is true that you could technically test that /bids/3 is a bid, whose auction belongs to the current user. But the resulting code would not be as idiomatic probably.

Note that there's an example in section 3.11.4 that also uses current_user.auctions.
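
The scoping described in this ticket, as an added example that is not part of the original ticket or of the book: a plain-Ruby model in which `Scope`, `NotFound`, the structs, the helper methods and the sample records are all constructed stand-ins for ActiveRecord associations and `ActiveRecord::RecordNotFound`. It contrasts the nested lookup, where ownership follows from the association chain, with a flat /bids/:id lookup that needs a hand-written ownership check.

```ruby
# Constructed in-memory stand-ins for ActiveRecord models and associations;
# NotFound plays the role of ActiveRecord::RecordNotFound.
class NotFound < StandardError; end

# A filtered collection whose find raises when the id lies outside the scope.
Scope = Struct.new(:records) do
  def find(id)
    records.find { |r| r.id == Integer(id) } or raise NotFound, "no record #{id} in scope"
  end
end

Bid = Struct.new(:id, :auction_id)
Auction = Struct.new(:id, :user_id) do
  def bids
    Scope.new(BIDS.select { |b| b.auction_id == id })
  end
end
User = Struct.new(:id) do
  def auctions
    Scope.new(AUCTIONS.select { |a| a.user_id == id })
  end
end

# Constructed sample data: user 1 owns auction 23, user 2 owns auction 24.
AUCTIONS = [Auction.new(23, 1), Auction.new(24, 2)].freeze
BIDS     = [Bid.new(3, 23), Bid.new(4, 24)].freeze

# Nested route /auctions/:auction_id/bids/:id, scoped as the ticket suggests.
def show_nested(current_user, params)
  auction = current_user.auctions.find(params[:auction_id])
  auction.bids.find(params[:id])
end

# Flat route /bids/:id: the ownership check has to be written out by hand.
def show_flat(current_user, params)
  bid = Scope.new(BIDS).find(params[:id])
  auction = Scope.new(AUCTIONS).find(bid.auction_id)
  raise NotFound, "bid #{bid.id} is not visible to user #{current_user.id}" unless auction.user_id == current_user.id
  bid
end

# Returns :ok or :not_found, roughly what a controller would render as 200/404.
def outcome
  yield
  :ok
rescue NotFound
  :not_found
end
```

In the nested form, both a foreign auction id and a bid id from another auction fall outside the scope and end in the same not-found path; the flat form gives the same result only while the explicit check stays in place.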
