I have a situation where I want to show the user details about an
appointment they entered. They enter their name, phone number(s) and
other private data in a form. I save that data in the controller with
a POST from a “confirmation” page.
I could simply show the params when that page is rendered (the save
one), but if they use the browser refresh it’ll save the data again.
I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple ID’s to view other peoples
appointments.
I was hoping there would be a nice Rails solution. I could create a
view that just does a POST at onLoad which posts to a page that loads
the appointment and shows the data, that way the ID wont show, but was
hoping there would be an easier way using Rails.
I did notice there was a post method in
ActionController::Integration::Session, but I couldn’t get that to
work (something about an uninitialized constant).
Any ideas?
Thanks,
Brent J. wrote:
I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple ID’s to view other peoples
appointments.
Presuming the user is “logged in” in some way, you could do something
like:
if (user_logged_in?) && (params[:id].to_i ==
@session[:user_id].to_i)
# Show them what they want to see
else
# Do something else
end
Where user_logged_in? is something like
return [email protected]? && !@session[:user_id].nil?
–Al Evans
On Wednesday, March 29, 2006, at 7:39 PM, Al Evans wrote:
Brent J. wrote:
I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple ID’s to view other peoples
appointments.
Which is why your show action needs to deal with security…
Introduce a User model, and add a has_many appointments
in your show action you do
@appointment =session[:user].appointments.find(params[:id])
render :text=>"oops, :status=>404 and return unless @appointment
this code will only show appointments belonging to the logged in user…
Mikkel B.
www.strongside.dk - Football Portal(DK)
nflfeed.helenius.org - Football News(DK)
ting.minline.dk - Buy Old Stuff!(DK)
Yeah I thought about this, but as of right now there is no user login.
I should probably just implement that so I can enforce more security
rules. The current idea is that a patient goes to the website and
schedules an appointment, with no registration required.
But after thinking about it, a registration process is probably best.
That may at least keep down the spam and garbage random visitors may
enter into the scheduling system.
Thanks,
On 29 Mar 2006 17:47:49 -0000, Mikkel B.