I am wondering if anyone has developed solutions for handling "nested" resources. I wrote a gist explaining how I handle the issue. (Albeit simplified - in my actual solution the loadModel() method and data returned by actionParams are separate classes.)
My method is to implement my controllers so that they allow optional "scoping" parameters. E.g., in a "Purchases" controller, you can set the "userId" request parameter to limit the scope of searched purchases to those made by the given user, and to set the user_id attribute of the Purchase.
Essentially, the assumption is that the current user has known access to a set of users’ data, which is restricted regardless of any optional parameters supplied in the request. (E.g. “Only show purchases made by users I have access to.”) The scoping parameters just narrow the scope down further within that pre-defined scope.
The gist should provide enough code to indicate the pattern.
The drawback is that authorization must be performed on the userId parameter, either in the controller or model. (Although really, it should already be in the model.)
Any other solutions? This is a seldom-addressed topic on the web and I’ve not seen a good, standard solution in the Rails, Yii, or Symfony communities, except for a pretty good effort in Symfony’s FOSRESTBundle.