brandon-beacher · March 30, 2012 17:44
diff --git a/01-forbidden_error.rb b/01-forbidden_error.rb
 # drop this in lib/forbidden_error.rb
 class ForbiddenError < StandardError
 end
diff --git a/02-application_controller.rb b/02-application_controller.rb
 class ApplicationController < ActionController::Base
  protect_from_forgery

  rescue_from ForbiddenError, :with => :forbidden

 private

  def forbid
    raise ForbiddenError
  end

  def forbidden
    respond_to do |format|
      format.html { render :text => "Permission denied", :status => :forbidden }
      format.all  { head :forbidden }
    end
  end

 end
diff --git a/03-users_controller.rb b/03-users_controller.rb
 class UsersController < ApplicationController
  before_filter :require_user

  def show
    @user = User.find(params[:id])

    forbid unless current_user.can_show_user?(@user)
  end
  
 end
diff --git a/04-user.rb b/04-user.rb
 class User < ActiveRecord::Base

  def can_show_user?(user)
    system_admin? || self?(user)
  end

  def self?(user)
    self == user
  end

 end
	# drop this in lib/forbidden_error.rb
	class ForbiddenError < StandardError
	end
	class ApplicationController < ActionController::Base
	protect_from_forgery

	rescue_from ForbiddenError, :with => :forbidden

	private

	def forbid
	raise ForbiddenError
	end

	def forbidden
	respond_to do \|format\|
	format.html { render :text => "Permission denied", :status => :forbidden }
	format.all { head :forbidden }
	end
	end

	end
	class UsersController < ApplicationController
	before_filter :require_user

	def show
	@user = User.find(params[:id])

	forbid unless current_user.can_show_user?(@user)
	end

	end
	class User < ActiveRecord::Base

	def can_show_user?(user)
	system_admin? \|\| self?(user)
	end

	def self?(user)
	self == user
	end

	end