Hidden URL

Hello,

I have in my application a private public URL. For those who know
Flickr, it is sorta like the URL you give to your friend for them to
access your photos. Usually the URL looks like this:

http://www.domain.com/url/khjuytf678ysdfksdgihsd

Where “khjuytf678ysdfksdgihsd” is an encoded path. Let say I want to
have a public-private page for:

http://www.domain.com/event/124/pinvitation/12

Now I created a controller called URLController that take the encoded
path and redirect to it:
“khjuytf678ysdfksdgihsd” becomes “event/124/pinvitation/12”

That works well. But an evil mind can actually directly write “event/
124/pinvitation/12” in the browser and access the same page.

The other way I could do this is hide everything behind the
URLController and make the redirection transparent to the browser (so
the browser always thinks it is page “url/khjuytf678ysdfksdgihsd”).
But I don’t know how I can achieve that because redirect_to always
change the url.

So my question is, how can I restrict the path “event/124/pinvitation/
12” as being redirected from the URLController. Can I put a condition
on the route for this?

I guess this is a classic problem :slight_smile:

Thank you very much,
Julien.

One initial thought I have is use the idea of always showing the
browser the encoded url, but instead of redirecting, call the
appropriate action from the URLController, but make those called
actions protected so they can’t be called directly from a browser.
Make sense? I haven’t tried or tested it, but it should work.

-Bill

Hello,

Always show the encoded url will allow the user to bookmark the page
also, which is a good thing.
If I call the other controller actions using render… it does not
execute the controller code, it goes directly to render the associated
view.

Also what happens with the encoded url when the user trigger action on
the page (like leaving a comment for example). The url for the form
would be the url of the “protected” controller and not another encoded
url. So basically all URL for a private-public page will have to be
encoded in some way.

I am wondering if some deep functionality in rails can help me with
that.

Thanks,
Julien.

Hello,

I got into reading this:
http://weblog.jamisbuck.org/2006/10/4/under-the-hood-route-recognition-in-rails

And i think I can put the code for decrypting the url in a special
implementation of the route.

Let’s hope it doesn’t slow everthing down too much.

Thanks!
Julien.

I wouldn’t call the other method using render, call the other method
directly and let it render the results.

-Bill