Ruby On Rails Lesson
One nice effect of building the authentication machinery in Chapter 8 is that we are now in a position to implement authorization as well: Authentication allows us to identify users of our site, and authorization lets us control what they can do.
Although the edit and update actions from Section 9.1 are functionally complete, they suffer from a ridiculous security flaw: They allow anyone (even non-signed-in users) to access either action, and any signed-in user can update the information for any other user. In this section, we’ll implement a security model that requires users to be signed in and prevents them from updating any information other than their own. Users who aren’t signed in and who try to access protected pages will be forwarded to the signin page with a helpful message, as mocked up in Figure 9.5.
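The security model described above has two distinct checks: an authentication check (is anyone signed in at all? if not, redirect to the signin page with a message) and an authorization check (is the signed-in user the owner of the record being edited?). The following is an added example, not code from the tutorial or from Rails itself: it models those two checks as a chain of "before filters" in plain Ruby so it runs without a Rails installation. The class and method names (`UsersController`, `signed_in_user`, `correct_user`, `Response`), the in-memory `USERS` table and the session hashes are all assumptions made for this illustration.

```ruby
# Plain-Ruby model of the two before filters this section calls for:
#   1. signed_in_user : require a signed-in user, otherwise redirect to the
#                       signin page with a flash message (authentication)
#   2. correct_user   : require that the signed-in user is the user whose
#                       record is being edited (authorization)
# Added example; not the tutorial's Rails code. Names and data are assumptions.

User = Struct.new(:id, :name, :email)

# Constructed sample data standing in for the users table.
USERS = {
  1 => User.new(1, "Example User", "example@example.com"),
  2 => User.new(2, "Other User",   "other@example.com")
}.freeze

# Stand-in for a Rails response: a redirect (with optional flash) or a
# successfully rendered page for the requested user.
Response = Struct.new(:status, :location, :flash, :user)

class UsersController
  attr_reader :session, :flash

  # Order matters: correct_user relies on current_user, so the
  # authentication filter must run first (as with Rails' before_action list).
  BEFORE_FILTERS = [:signed_in_user, :correct_user].freeze

  def initialize(session)
    @session = session   # e.g. { user_id: 1 } after signin, {} when signed out
    @flash   = {}
  end

  def edit(params)
    run_action(params)
  end

  def update(params)
    run_action(params)
  end

  # Look up the signed-in user from the session, memoised per request.
  def current_user
    @current_user ||= USERS[session[:user_id]]
  end

  def signed_in?
    !current_user.nil?
  end

  private

  # Run each filter in turn; the first one that returns a redirect halts
  # the chain, mirroring how Rails stops when a before filter redirects.
  def run_action(params)
    BEFORE_FILTERS.each do |filter|
      halted = send(filter, params)
      return halted if halted
    end
    Response.new(:ok, nil, {}, USERS[params[:id]])
  end

  # Authentication: non-signed-in visitors go to the signin page with a message.
  def signed_in_user(_params)
    return nil if signed_in?
    flash[:notice] = "Please sign in."
    Response.new(:redirect, "/signin", flash.dup, nil)
  end

  # Authorization: a signed-in user may only edit or update their own record.
  # An unknown id is treated like someone else's record and also redirected.
  def correct_user(params)
    target = USERS[params[:id]]
    return nil if target && target == current_user
    Response.new(:redirect, "/", {}, nil)
  end
end

# Convenience wrapper: simulate one request with the given session.
def attempt(session, action, id)
  UsersController.new(session).public_send(action, { id: id })
end

if __FILE__ == $PROGRAM_NAME
  puts attempt({}, :edit, 1).inspect              # redirect to /signin
  puts attempt({ user_id: 1 }, :edit, 1).inspect  # ok, renders user 1
  puts attempt({ user_id: 2 }, :update, 1).inspect # redirect to /
end
```

The point of splitting the logic into two filters is that each failure mode gets its own response: a visitor who is not signed in is sent to the signin page with an explanatory flash, whereas a signed-in user who targets someone else's record is silently redirected away. Keeping the authentication filter ahead of the authorization filter is what lets `correct_user` assume `current_user` is present.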