Redirect Post for Hiding ID?


#1

I have a situation where I want to show the user details about an
appointment they entered. They enter their name, phone number(s) and
other private data in a form. I save that data in the controller with
a POST from a “confirmation” page.

I could simply show the params when that page is rendered (the save
one), but if they use the browser refresh it’ll save the data again.
I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple IDs to view other people’s
appointments.

I was hoping there would be a nice Rails solution. I could create a
view that just does a POST at onLoad which posts to a page that loads
the appointment and shows the data, that way the ID won’t show, but was
hoping there would be an easier way using Rails.

I did notice there was a post method in
ActionController::Integration::Session, but I couldn’t get that to
work (something about an uninitialized constant).

Any ideas?

Thanks,

  • Brent

#2

Brent J. wrote:

I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple IDs to view other people’s
appointments.

Presuming the user is “logged in” in some way, you could do something
like:

if user_logged_in? && params[:id].to_i == @session[:user_id].to_i
  # Show them what they want to see
else
  # Do something else
end

Where user_logged_in? is something like

return !@session.nil? && !@session[:user_id].nil?

–Al Evans


#3

On Wednesday, March 29, 2006, at 7:39 PM, Al Evans wrote:

Brent J. wrote:

I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple IDs to view other people’s
appointments.

Which is why your show action needs to deal with security…

Introduce a User model, and add has_many :appointments

in your show action you do

@appointment = session[:user].appointments.find(params[:id])

render :text => "oops", :status => 404 and return unless @appointment

this code will only show appointments belonging to the logged in user…

Mikkel B.

www.strongside.dk - Football Portal(DK)
nflfeed.helenius.org - Football News(DK)
ting.minline.dk - Buy Old Stuff!(DK)
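The following is an added example, not code from any post in this thread. It is a plain-Ruby stand-in (no Rails, no database) for the two shapes of show action discussed above: the unscoped lookup Brent worries about in #1, where decrementing the id in the URL returns another patient’s row, and the owner-scoped lookup from #2 and #3, where the appointment is searched only among the logged-in user’s own rows. The User/Appointment classes, the sample data and the show_unscoped/show_scoped helpers are all constructed for this illustration. One caveat worth knowing when porting this to real Rails: `find` raises ActiveRecord::RecordNotFound rather than returning nil, so the `and return unless @appointment` guard in #3 only fires if you use `find_by_id`; the example below mirrors the nil-returning form.

```ruby
# Added example (not from the thread): in-memory stand-in for a Rails
# User has_many :appointments association and a show action.
Appointment = Struct.new(:id, :user_id, :patient_name, :phone)

class User
  attr_reader :id, :appointments

  def initialize(id)
    @id = id
    @appointments = []
  end

  # Mirrors user.appointments.find_by_id(id): only this user's rows are
  # searched, so an id belonging to someone else yields nil.
  def find_appointment(id)
    @appointments.find { |a| a.id == id.to_i }
  end
end

# Constructed sample data: two patients with sequential appointment ids.
ALL_APPOINTMENTS = [
  Appointment.new(41, 1, "Alice", "555-0101"),
  Appointment.new(42, 2, "Bob",   "555-0202"),
]

USERS = Hash.new { |h, id| h[id] = User.new(id) }
ALL_APPOINTMENTS.each { |a| USERS[a.user_id].appointments << a }

# Vulnerable shape from post #1: the id in the URL is looked up directly
# against every appointment, so any guessed id is served.
def show_unscoped(params)
  appt = ALL_APPOINTMENTS.find { |a| a.id == params[:id].to_i }
  appt ? [200, appt] : [404, "oops"]
end

# Hardened shape from posts #2 and #3: the owner comes from the session,
# never from the URL, and the lookup is scoped to that owner. A foreign id
# and a nonexistent id produce the same 404, so the response does not
# confirm whether the id exists.
def show_scoped(session, params)
  user = session[:user]
  return [401, "login required"] if user.nil?   # post #2's user_logged_in? check
  appt = user.find_appointment(params[:id])
  appt ? [200, appt] : [404, "oops"]
end

if __FILE__ == $0
  bob_session = { :user => USERS[2] }
  p show_unscoped({ :id => "41" })             # leaks Alice's appointment
  p show_scoped(bob_session, { :id => "41" })  # [404, "oops"]
  p show_scoped(bob_session, { :id => "42" })  # Bob's own row
  p show_scoped({}, { :id => "42" })           # [401, "login required"]
end
```

Run it with `ruby scoped_show.rb` (any file name works). The point to take from the output is that the scoped version answers identically for “42 minus one” and for an id that was never created, which is exactly the property the redirect-with-id-in-URL approach lacks without an ownership check.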


#4

Yeah I thought about this, but as of right now there is no user login.
I should probably just implement that so I can enforce more security
rules. The current idea is that a patient goes to the website and
schedules an appointment, with no registration required.

But after thinking about it, a registration process is probably best.
That may at least keep down the spam and garbage random visitors may
enter into the scheduling system.

Thanks,

  • Brent

On 29 Mar 2006 17:47:49 -0000, Mikkel B.