Having authentication does not do anything security wise if you don’t enforce any authorization. Let’s restrict the show user view to the user it’s showing only. We deny the access if the user id of the currently logged in user is not the same as the one we want to see. In the case the user is different or not even logged in, you will be redirected to the login screen or get an error message. We can quickly confirm this is working by opening the show view with the id of another user. We can take another id from the data explorer tool from ihp. In this case, I can’t view the page because the user i am trying to see is not myself. Another use case would be to restrict posting only to logged in users. We can do that by adding a ensureIsUser to the top of our actions we want to restrict. That way, we can also tie the user to the post and display who made the post in the show post view.