[eluser]phester[/eluser]
I am working on a sales leads application where groups of people can enter in data about sales leads in a database to help track them.
I have a users table with USER_ID and GROUP_ID fields for each user (and other fields).
I also have a leads table with USER_ID AND LEAD_ID (and other fields).
I am trying to find the best way to provide data security so that each group can only view leads posted by users of their own group. I have a "view" controller and I need to find the best way to stop users from accessing another group's information by entering in a lead id in the url after a controller/method, e.g.: view/lead/20 where 20 is a LEAD_ID posted by a different group.
One way I was thinking of to fix this is to store the group_id of the user in a cookie when they login, and add a GROUP_ID field in the leads table. Then each time they want to view a lead, I would add the GROUP_ID as a "where" clause using active record.
This is a simplified explanation of my problem. I have a lot more than one table, and I'm not sure if adding GROUP_ID to all the tables is a smart idea.
Any other ideas are greatly appreciated! Thanks!
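The access-control problem described in the post (a user changing the lead id in the URL to reach another group's lead) can be handled without copying GROUP_ID into every table: the lead already carries the USER_ID of its author, and that user row already carries GROUP_ID, so one JOIN scopes the lookup. The example below is added here and is not the poster's code nor CodeIgniter's active record; it is plain Python over an in-memory SQLite database with a constructed `users`/`leads` schema and sample rows, and the function names (`open_db`, `group_of`, `fetch_lead_for_user`, `fetch_lead_unscoped`) are hypothetical. Two points it shows: the group is resolved server-side from the authenticated user id rather than read back from a cookie the browser controls, and the "unscoped" query beside it is the pattern that lets the URL-tampering the post worries about succeed.

```python
import sqlite3

# Constructed sample schema and rows, modelled on the tables named in the post
# (users: USER_ID, GROUP_ID; leads: LEAD_ID, USER_ID). Not real data.
SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    group_id INTEGER NOT NULL,
    name     TEXT NOT NULL
);
CREATE TABLE leads (
    lead_id  INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES users(user_id),
    company  TEXT NOT NULL
);
"""
USERS = [(1, 10, "alice"), (2, 10, "bob"), (3, 20, "carol")]   # alice+bob in group 10, carol in 20
LEADS = [(20, 3, "Acme"), (21, 1, "Globex"), (22, 2, "Initech")]  # lead 20 belongs to carol's group


def open_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?)", LEADS)
    return conn


def group_of(conn, current_user_id):
    """Resolve the caller's group from the server-side session's user id.
    The group id is never taken from a client-supplied cookie, because the
    client can rewrite cookie values."""
    row = conn.execute(
        "SELECT group_id FROM users WHERE user_id = ?", (current_user_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_lead_unscoped(conn, lead_id):
    """The vulnerable pattern: look the lead up by id alone. Any authenticated
    user who guesses a LEAD_ID gets the row, regardless of group."""
    return conn.execute(
        "SELECT lead_id, company FROM leads WHERE lead_id = ?", (lead_id,)
    ).fetchone()


def fetch_lead_for_user(conn, current_user_id, lead_id):
    """The scoped pattern: join the lead to its author and require the author's
    group to match the caller's group. Returns the row, or None when the lead
    does not exist or belongs to another group (the controller should treat
    both the same way, e.g. a 404, so the response does not reveal which)."""
    group_id = group_of(conn, current_user_id)
    if group_id is None:
        return None
    return conn.execute(
        """
        SELECT l.lead_id, l.company, u.name
        FROM leads AS l
        JOIN users AS u ON u.user_id = l.user_id
        WHERE l.lead_id = ? AND u.group_id = ?
        """,
        (lead_id, group_id),
    ).fetchone()


def list_leads_for_user(conn, current_user_id):
    """Same join, used for the listing page so it only ever shows the caller's group."""
    group_id = group_of(conn, current_user_id)
    if group_id is None:
        return []
    return conn.execute(
        """
        SELECT l.lead_id, l.company
        FROM leads AS l
        JOIN users AS u ON u.user_id = l.user_id
        WHERE u.group_id = ?
        ORDER BY l.lead_id
        """,
        (group_id,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    # alice (group 10) asks for lead 20, which carol (group 20) posted
    print("unscoped:", fetch_lead_unscoped(db, 20))          # row is returned
    print("scoped:  ", fetch_lead_for_user(db, 1, 20))        # None
    print("own group:", list_leads_for_user(db, 1))           # leads 21 and 22
```

Because the check lives in the query that fetches the row, it applies to every controller method that loads a lead, not just `view`; the same join can be reused for the other tables the post mentions as long as each of them records the posting USER_ID, so no GROUP_ID column has to be added to them.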