I have typical RESTful routes for a user:
/user/:id
/user/:id/edit
/user/:id/newsfeed
The /user/:id/edit route can only be accessed when the id equals the current_user's id, as I only want the current_user to have access to edit its own profile. I don't want other users to be able to edit profiles that don't belong to them.
What is typically the best practice to handle this situation?
Should I leave the route as is, and throw an error if current_user.id != param[:id], forcing the front end client calling the API to track the logged in user's id?
Should I make a special route /user/self/edit and in the controller check to see if param[:id] == 'self'?
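Whichever route shape is chosen, the ownership decision has to be made server-side from the session's current user. The following is an added example in plain Ruby (not code from the question or from any Rails project) that models the check a before_action would run for both variants; it assumes integer user ids, that the route param arrives as a String the way Rails params do, and a stand-in UsersController class.

```ruby
# Added example: a plain-Ruby model of the authorisation check a Rails
# controller would run in a before_action for /user/:id/edit.
# Assumptions: users have integer ids; the route param is a String
# (as Rails params are); "self" is the optional alias from the question.

# Resolve the :id route param to the user id it refers to.
# Returns nil when the param is neither "self" nor a well-formed integer.
def resolve_target_id(id_param, current_user_id)
  return current_user_id if id_param == "self"
  # Rails params are Strings, so `current_user.id != params[:id]` would
  # compare an Integer with a String and always be true. Parse explicitly
  # and reject anything that is not a plain decimal id.
  return nil unless id_param.is_a?(String) && id_param.match?(/\A\d+\z/)
  Integer(id_param, 10)
end

# Server-side ownership check. The decision uses only the session's
# current_user_id, never anything the client supplies about who it is.
# Returns :ok, :forbidden or :not_found.
def authorize_edit(id_param, current_user_id)
  target = resolve_target_id(id_param, current_user_id)
  return :not_found if target.nil?
  target == current_user_id ? :ok : :forbidden
end

# Minimal stand-in for the controller, showing how the check is wired
# and what each outcome maps to in HTTP terms.
class UsersController
  def initialize(current_user_id)
    @current_user_id = current_user_id
  end

  # Returns the HTTP status the edit action would respond with.
  def edit(params)
    case authorize_edit(params[:id], @current_user_id)
    when :ok then 200
    when :forbidden then 403
    else 404
    end
  end
end
```

Both "/user/42/edit" and "/user/self/edit" pass through the same check, so adding the alias does not create a second code path that could be left unprotected.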