I’m building something very common to most web applications: there are
multiple users, and each user has its own set of resources (e.g.
documents).
And I need a way of ensuring one user cannot access the resource of
another
user by simply typing something like /documents/3 into the URL, if 3 is
the
ID of a document by another user.
One way I see is to verify for every request, that the resource being
accessed actually belongs to the current user. But perhaps a more
elegant
approach is to scope the ID of resource to the user, so the post with ID
3
refers to different post for different user, essentially having a
composite
key; but I’m not sure how that would play with Rails’ preference for
global
primary key.
Any thoughts appreciated.