Ruby on Rails

Finne Jager wrote in post #968357:
>> Why the current_user part? Just Timesheet.find(params[:id]) should do
>> the trick -- after all, the ID is unique.
>
> I read in Beginning Rails 3 that current_user makes sure that the logged
> in user can not see other people's incidents/timesheets.

True enough, though I'd probably use an authorization plugin for that.

I have the same
> thing in the IncidentsController:
> ------------------------------
> def index
> @incidents = current_user.incidents.all
> -------------------------------
>
> But now that Timesheets are nested within Incidents, I don't have to
> have current_user for that I guess.
>
>> Of course that's not working. You haven't defined timesheet anywhere.
>
> @timesheet = Timesheet.find(params[:id])
>
> Seems to be not working...

No, I'm sure it's working fine. But you're defining @timesheet in your
controller, then calling timesheet (without the @) in the view.

> Does it even need to find by ID if I'm
> already using the incident_timesheet_path(incident) link?

Yes. That only passes the ID. HTTP has no means of passing
ActiveRecord objects around.

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org

Sent from my iPhone

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.