I have a situation where I want to show the user details about an appointment they entered. They enter their name, phone number(s) and other private data in a form. I save that data in the controller with a POST from a "confirmation" page. I could simply show the params when that page is rendered (the save one), but if they use the browser refresh it'll save the data again. I thought about doing a redirect to a view that loads the newly created object, but this shows their appointment ID in the URL. Someone could simply subtract a couple IDs to view other people's appointments. I was hoping there would be a nice Rails solution. I could create a view that just does a POST at onLoad which posts to a page that loads the appointment and shows the data, that way the ID won't show, but was hoping there would be an easier way using Rails. I did notice there was a post method in ActionController::Integration::Session, but I couldn't get that to work (something about an uninitialized constant). Any ideas? Thanks, - Brent
on 2006-03-29 19:12
on 2006-03-29 21:39
Brent J. wrote:
> I thought about doing a redirect to a view that loads the newly
> created object, but this shows their appointment ID in the URL.
> Someone could simply subtract a couple IDs to view other people's
> appointments.

Presuming the user is "logged in" in some way, you could do something like:

    if (user_logged_in?) && (params[:id].to_i == @session[:user_id].to_i)
      # Show them what they want to see
    else
      # Do something else
    end

Where user_logged_in? is something like

    return !@session.nil? && !@session[:user_id].nil?

--Al Evans
on 2006-03-29 21:51
On Wednesday, March 29, 2006, at 7:39 PM, Al Evans wrote:
>Brent J. wrote:
>
>> I thought about doing a redirect to a view that loads the newly
>> created object, but this shows their appointment ID in the URL.
>> Someone could simply subtract a couple IDs to view other people's
>> appointments.
>

Which is why your show action needs to deal with security...

Introduce a User model, and add a has_many appointments. In your show action you do

    # find_by_id returns nil (rather than raising) when the ID is not among
    # this user's appointments, so the unless below actually fires
    @appointment = session[:user].appointments.find_by_id(params[:id])
    render :text => "oops", :status => 404 and return unless @appointment

This code will only show appointments belonging to the logged-in user...

Mikkel B.
www.strongside.dk - Football Portal(DK)
nflfeed.helenius.org - Football News(DK)
ting.minline.dk - Buy Old Stuff!(DK)
on 2006-03-29 22:18
Yeah I thought about this, but as of right now there is no user login. I should probably just implement that so I can enforce more security rules. The current idea is that a patient goes to the website and schedules an appointment, with no registration required. But after thinking about it, a registration process is probably best. That may at least keep down the spam and garbage random visitors may enter into the scheduling system. Thanks, - Brent On 29 Mar 2006 17:47:49 -0000, Mikkel B.
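As an added illustration (not code from this thread or from Rails itself), here is the unscoped lookup Brent was worried about next to the user-scoped lookup Al and Mikkel describe, plus a confirmation page that reads the new record's ID from the session instead of the URL. It is plain Ruby with an in-memory array standing in for the appointments table, so the class, method and sample names are assumptions.

```ruby
# Added example, not code from the thread: plain Ruby stand-in for the Rails
# controller so it runs without Rails. Names and sample rows are assumptions.
Appointment = Struct.new(:id, :user_id, :patient_name, :phone)

# Constructed sample data standing in for the appointments table.
APPOINTMENTS = [
  Appointment.new(41, 1, "Alice", "555-0100"),
  Appointment.new(42, 2, "Bob",   "555-0101"),
]

class AppointmentsController
  NOT_FOUND = { status: 404, body: "oops" }.freeze

  # The pattern Brent worried about: the record is looked up by ID alone, so
  # any visitor who changes the number in the URL reads someone else's data.
  def show_unscoped(params)
    appt = APPOINTMENTS.find { |a| a.id == params[:id].to_i }
    appt ? { status: 200, body: appt } : NOT_FOUND
  end

  # The fix from the replies: search only inside the logged-in user's own
  # appointments, so a foreign ID is indistinguishable from a missing one.
  def show(session, params)
    return NOT_FOUND unless session[:user_id]
    appt = APPOINTMENTS.find do |a|
      a.user_id == session[:user_id] && a.id == params[:id].to_i
    end
    appt ? { status: 200, body: appt } : NOT_FOUND
  end

  # Post/redirect/get without an ID in the URL: remember the new record in the
  # session and redirect to a fixed confirmation page, so a browser refresh
  # re-GETs that page instead of re-POSTing the form.
  def create(session, params)
    return NOT_FOUND unless session[:user_id]
    appt = Appointment.new(APPOINTMENTS.map(&:id).max + 1, session[:user_id],
                           params[:patient_name], params[:phone])
    APPOINTMENTS << appt
    session[:last_appointment_id] = appt.id
    { status: 302, location: "/appointments/confirmation" }
  end

  # The confirmation page reuses the scoped lookup with the ID from the session.
  def confirmation(session)
    show(session, id: session[:last_appointment_id])
  end
end
```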