validating access by url
#4

(This post was last modified: 08-31-2017, 11:34 AM by PaulD.)

I think this is very straight forward. You have a user requesting information. The first thing to do is to see if that user has permission to access that information. i.e. does bill id 2 belong to that user or not. If not, they get an error message.

Less straightforward is using ids in URLs. Your bill should be assigned a unique code upon creation, so the request URL is more like:

Code:
Not:
http://myapp/bills/edit/1

But:
http://myapp/bills/edit/jh234hdhpewsdkfj

Now what are you going to change to guess the next bill? Even if you do guess a bill code, you will not have permission to view it anyway. Also, if I get a new bill marked id=27, I can now guess you have issued 27 bills. With a code, you have no idea.

I would never use an id in a URL. All my resources are accessed via a code, normally 16 characters long. But you MUST still make sure that the requesting user actually has permission to access the requested resource.

Hope that helps,

Best wishes,

Paul.
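The two points in the post above, unguessable resource codes and a mandatory ownership check, worked through in Python as an added example (not the poster's code, and not tied to any particular framework). The 16-character alphanumeric alphabet, the in-memory BillStore, the /bills/edit/<code> route and the handle_edit controller are all assumptions made for the illustration; the security-relevant parts are that the code comes from the OS CSPRNG (secrets, not random), the lookup keys on the code rather than a row id, ownership is checked on every request regardless of how unguessable the code is, and an unknown code and someone else's code get the same 404 so the response does not confirm that a guessed code exists.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical parameters for this example: a 16-character code drawn
# from lower-case letters and digits, roughly what the post describes.
CODE_ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 16


def new_bill_code(length: int = CODE_LENGTH) -> str:
    """Return an unguessable resource code from the OS CSPRNG (secrets).
    Never use random.random()/random.choice() for this; that generator is
    predictable from its output."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def code_entropy_bits(length: int = CODE_LENGTH, alphabet: str = CODE_ALPHABET) -> float:
    """Guessing work for a code of this shape: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


@dataclass
class Bill:
    code: str
    owner_id: int
    amount: float


class BillStore:
    """In-memory stand-in for the bills table (assumption), keyed by code.
    The sequential row id never leaves the storage layer."""

    def __init__(self) -> None:
        self._by_code: Dict[str, Bill] = {}

    def create(self, owner_id: int, amount: float) -> Bill:
        # Retry on the (astronomically unlikely) collision instead of
        # silently overwriting another user's bill.
        code = new_bill_code()
        while code in self._by_code:
            code = new_bill_code()
        bill = Bill(code=code, owner_id=owner_id, amount=amount)
        self._by_code[code] = bill
        return bill

    def get_for_user(self, code: str, requesting_user_id: int) -> Optional[Bill]:
        """Look the bill up by code AND confirm it belongs to the requester.
        This is the check that is still required even with random codes."""
        bill = self._by_code.get(code)
        if bill is None or bill.owner_id != requesting_user_id:
            return None
        return bill


def handle_edit(store: BillStore, requesting_user_id: int, path: str) -> Tuple[int, str]:
    """Simulated controller behind /bills/edit/<code> (hypothetical route).
    Returns (HTTP status, body). Unknown codes and other users' codes get the
    identical 404 so a guesser learns nothing about which codes exist."""
    prefix = "/bills/edit/"
    if not path.startswith(prefix):
        return 404, "not found"
    code = path[len(prefix):]
    bill = store.get_for_user(code, requesting_user_id)
    if bill is None:
        return 404, "not found"
    return 200, f"edit form for bill {bill.code} ({bill.amount:.2f})"


if __name__ == "__main__":
    # Constructed sample data: two users, one bill belonging to the first.
    store = BillStore()
    alice, bob = 1, 2
    a_bill = store.create(alice, 120.0)
    print(f"Alice's URL: http://myapp/bills/edit/{a_bill.code}")
    print("Alice requests it:", handle_edit(store, alice, f"/bills/edit/{a_bill.code}"))
    print("Bob requests it:  ", handle_edit(store, bob, f"/bills/edit/{a_bill.code}"))
    print(f"Guess space for one code: about {code_entropy_bits():.1f} bits")
```

With 36 symbols and 16 positions the code carries roughly 82.7 bits, so enumerating URLs the way one can with /bills/edit/1, /bills/edit/2 is hopeless, and the code also leaks nothing about how many bills have been issued. The ownership test in get_for_user is what actually enforces access; the random code only removes the enumeration and volume-leak problems.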


Messages In This Thread
validating access by url - by icbr - 08-28-2017, 07:28 AM
RE: validating access by url - by donpwinston - 08-28-2017, 09:41 AM
RE: validating access by url - by icbr - 08-31-2017, 02:47 AM
RE: validating access by url - by PaulD - 08-31-2017, 11:33 AM


