Sorry if this is an elementary question but I've just started to consider whether I've been doing this correctly all along. Usually when a user tries to update the database, I simply use his/her username as the key in a user table and then base all operations on that. However I just realized that a crafty user MIGHT be able to submit a query using another username name thus circumventing this weak form of enforcing entitlements. So my question really is how do I prevent a user from potentially submitting a destructive action against a database under a different userid?
You should store the current user's ID in the session, which isn't easily manipulated.
I usually refer to the objects through a relation on a User object:
current_user.fragile_records.find(params[:id]).destroy
It's a readable and simple way of doing an ownership test.
http://guides.rubyonrails.org/security.html is a surprisingly good read on the subject.
There are plenty of readymade solutions for maintaining user identity (authentication) and ensuring user has clearance for an action (authorization) in Rails.