Security Interceptors

I'm currently developing a CRUD application where users have an item
page where they can create, read, update and delete their own items
which are then stored in a database. Now, if a user accesses an item
that they created as follows:

How would I ensure only the user who owns that item can access that
URL? Originally I was looking at the security interceptor, but there are
virtually no examples of using query strings, so I'm thinking that isn't
what the interceptor is for? What is the correct method for securing
URLs in this situation?


To be more clear:

Can I pass the event object to userValidator? I would need it to
compare against the rule...

You could accomplish that security requirement in the SQL statement pulling the record(s). Just pass the item ID variable from the request collection into your service (and subsequently the DAO). Are you using 3.0?

Jason Durham
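
The approach suggested above, as an added example that is not part of the original thread and is not ColdBox code: a Python/sqlite3 sketch in which every read, update and delete carries the owner in the WHERE clause, with the owner ID taken from the server-side session rather than from the URL. The `items` table, its columns and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users (100 and 200), one item each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, "
               "owner_id INTEGER NOT NULL, name TEXT NOT NULL)")
    db.executemany("INSERT INTO items (id, owner_id, name) VALUES (?, ?, ?)",
                   [(1, 100, "alice's item"), (2, 200, "bob's item")])
    return db

def parse_id(raw):
    """The item ID arrives as untrusted query-string text; accept integers only."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None

def get_item(db, session_user_id, raw_item_id):
    """Return (id, name), or None when the row is missing or owned by someone else."""
    item_id = parse_id(raw_item_id)
    if item_id is None:
        return None
    # The owner predicate is what makes another user's row invisible.
    return db.execute(
        "SELECT id, name FROM items WHERE id = ? AND owner_id = ?",
        (item_id, session_user_id)).fetchone()

def update_item(db, session_user_id, raw_item_id, name):
    """True only if exactly one row owned by the session user was changed."""
    cur = db.execute(
        "UPDATE items SET name = ? WHERE id = ? AND owner_id = ?",
        (name, parse_id(raw_item_id), session_user_id))
    return cur.rowcount == 1

def delete_item(db, session_user_id, raw_item_id):
    """True only if exactly one row owned by the session user was removed."""
    cur = db.execute(
        "DELETE FROM items WHERE id = ? AND owner_id = ?",
        (parse_id(raw_item_id), session_user_id))
    return cur.rowcount == 1

if __name__ == "__main__":
    db = make_db()
    print(get_item(db, 100, "1"))         # own item is returned
    print(get_item(db, 100, "2"))         # another user's item: no row
    print(update_item(db, 100, "2", "x")) # write to another user's item: no effect
```

A `None` or `False` result should get the same response whether the item does not exist or belongs to someone else, so the reply does not reveal which IDs are in use.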

Yes, I am using v3. If I just pass the ID to the service, what would
stop the user from changing the URL to any ID they want? I could pass
the ID and the user ID