Forum: Ruby on Rails Redirect Post for Hiding ID?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Brent Johnson (Guest)
on 2006-03-29 17:12
(Received via mailing list)
I have a situation where I want to show the user details about an
appointment they entered.  They enter their name, phone number(s) and
other private data in a form.  I save that data in the controller with
a POST from a "confirmation" page.

I could simply show the params when that page is rendered (the save
one), but if they use the browser refresh it'll save the data again.
I thought about doing a redirect to a view that loads the newly
created object, but this shows their appointment ID in the URL.
Someone could simply subtract a couple of IDs to view other people's
appointments.

I was hoping there would be a nice Rails solution.  I could create a
view that just does a POST at onLoad which posts to a page that loads
the appointment and shows the data, that way the ID won't show, but was
hoping there would be an easier way using Rails.

I did notice there was a post method in
ActionController::Integration::Session, but I couldn't get that to
work (something about an uninitialized constant).

Any ideas?

Thanks,

- Brent
Al Evans (al-evans)
on 2006-03-29 19:39
Brent Johnson wrote:

> I thought about doing a redirect to a view that loads the newly
> created object, but this shows their appointment ID in the URL.
> Someone could simply subtract a couple of IDs to view other people's
> appointments.

Presuming the user is "logged in" in some way, you could do something
like:

    if user_logged_in? && params[:id].to_i == @session[:user_id].to_i
      # Show them what they want to see
    else
      # Do something else
    end

Where user_logged_in? is something like

    def user_logged_in?
      !@session.nil? && !@session[:user_id].nil?
    end

--Al Evans
Mikkel Bruun (Guest)
on 2006-03-29 19:51
(Received via mailing list)
On Wednesday, March 29, 2006, at 7:39 PM, Al Evans wrote:
>Brent Johnson wrote:
>
>> I thought about doing a redirect to a view that loads the newly
>> created object, but this shows their appointment ID in the URL.
>> Someone could simply subtract a couple of IDs to view other people's
>> appointments.
>

Which is why your show action needs to deal with security...

Introduce a User model, and add a has_many appointments

In your show action you do:

# find_by_id returns nil for an unknown or foreign id; find would raise RecordNotFound instead
@appointment = session[:user].appointments.find_by_id(params[:id])

render :text => "oops", :status => 404 and return unless @appointment

This code will only show appointments belonging to the logged-in user...

Mikkel Bruun

www.strongside.dk    - Football Portal(DK)
nflfeed.helenius.org - Football News(DK)
ting.minline.dk      - Buy Old Stuff!(DK)
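The difference between the two "show" actions discussed in this thread, written out as a plain-Ruby stand-in so it runs without Rails. This is an added example, not code from any poster: the `Appointment` struct, the `APPOINTMENTS` sample rows, the session hash and the method names are all constructed for the illustration. `unscoped_show` behaves like `Appointment.find(params[:id])`, `scoped_show` like `session[:user].appointments.find(params[:id])`, and the two `ids_exposed_*` helpers walk the id space the way an authorization test would, to show what each action hands back.

```ruby
# Added example (not code from the thread): plain-Ruby model of an unscoped
# versus an owner-scoped "show" action. Sample data and names are constructed.

Appointment = Struct.new(:id, :user_id, :patient_name, :phone)

# Constructed sample data: sequential ids owned by two different users.
APPOINTMENTS = [
  Appointment.new(1, 10, "Alice", "555-0100"),
  Appointment.new(2, 11, "Bob",   "555-0101"),
  Appointment.new(3, 10, "Alice", "555-0102"),
].freeze

# Stand-in for Appointment.find(params[:id]) with no ownership check:
# whoever supplies a valid id gets the record (the problem in the original post).
# Returns [status, body] the way the controller would respond.
def unscoped_show(params)
  appointment = APPOINTMENTS.find { |a| a.id == params[:id].to_i }
  return [404, "oops"] unless appointment
  [200, appointment]
end

# Stand-in for session[:user].appointments.find(params[:id]): the lookup is
# scoped through the logged-in user, so a foreign id is simply "not found"
# and the response does not reveal whether the id exists at all.
def scoped_show(session, params)
  return [401, "login required"] unless session[:user_id]
  appointment = APPOINTMENTS.find do |a|
    a.user_id == session[:user_id] && a.id == params[:id].to_i
  end
  return [404, "oops"] unless appointment
  [200, appointment]
end

# Authorization check helpers: which ids in a range does each action expose?
def ids_exposed_unscoped(id_range)
  id_range.to_a.select { |id| unscoped_show({ id: id.to_s }).first == 200 }
end

def ids_exposed_to(session, id_range)
  id_range.to_a.select { |id| scoped_show(session, { id: id.to_s }).first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  bob = { user_id: 11 }
  puts "unscoped action exposes: #{ids_exposed_unscoped(1..5).inspect}"
  puts "scoped action exposes to Bob: #{ids_exposed_to(bob, 1..5).inspect}"
end
```

The point of scoping through the association rather than comparing ids by hand is that there is no second place where the check can be forgotten: the query itself can only return rows the current user owns.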
Brent Johnson (Guest)
on 2006-03-29 20:18
(Received via mailing list)
Yeah, I thought about this, but as of right now there is no user login.
I should probably just implement that so I can enforce more security
rules.  The current idea is that a patient goes to the website and
schedules an appointment, with no registration required.

But after thinking about it, a registration process is probably best.
That may at least keep down the spam and garbage random visitors may
enter into the scheduling system.

Thanks,

- Brent
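For the no-login case described in the last post, the usual Rails shape is redirect-after-POST with the new record's id kept in the visitor's session rather than in the URL: the save happens once on the POST, the browser is redirected to a GET page without an id, and a refresh only repeats the GET. The following plain-Ruby model of that flow is an added example, not code from the thread or from Rails; `AppointmentStore`, `AppointmentsController`, the request data and the session hash are constructed for the illustration.

```ruby
# Added example (not code from the thread): redirect-after-POST with the new
# record's id carried in the session instead of the URL. All names constructed.

Appointment = Struct.new(:id, :patient_name, :phone)

# Minimal in-memory store standing in for the Appointment model.
class AppointmentStore
  def initialize
    @rows = {}
    @next_id = 1
  end

  def create(attrs)
    row = Appointment.new(@next_id, attrs[:patient_name], attrs[:phone])
    @rows[row.id] = row
    @next_id += 1
    row
  end

  def find_by_id(id)
    @rows[id]
  end

  def count
    @rows.size
  end
end

# Stand-in for the scheduling controller. Each action takes the session hash
# and the request params and returns [status, body], like a Rails response.
class AppointmentsController
  def initialize(store)
    @store = store
  end

  # POST from the confirmation page: the save happens here exactly once, then
  # the browser is sent to a GET URL that carries no id
  # (the equivalent of redirect_to :action => 'show').
  def create(session, params)
    appointment = @store.create(params)
    session[:appointment_id] = appointment.id
    [302, "/appointments/show"]
  end

  # GET after the redirect: the record to display comes from the visitor's own
  # session, never from a URL parameter, so changing a number in the address
  # bar cannot reach someone else's appointment.
  def show(session, _params = {})
    appointment = @store.find_by_id(session[:appointment_id])
    return [404, "oops"] unless appointment
    [200, appointment]
  end
end

# Replays the browser behaviour the original post worried about: one POST,
# a redirect, then the visitor presses refresh on the result page.
def simulate_visit(refreshes: 2)
  store = AppointmentStore.new
  controller = AppointmentsController.new(store)
  session = {}

  status, location = controller.create(session, { patient_name: "Alice", phone: "555-0100" })
  raise "expected redirect" unless status == 302 && location == "/appointments/show"

  # Refreshing the redirected page re-issues the GET, not the POST.
  responses = Array.new(1 + refreshes) { controller.show(session) }

  # A different visitor with a fresh session gets nothing, even with an id in the URL.
  stranger = controller.show({}, { id: "1" })

  { saved: store.count, statuses: responses.map(&:first), stranger: stranger.first }
end

if __FILE__ == $PROGRAM_NAME
  p simulate_visit
end
```

This ties the confirmation page to the browser session that created it, which is enough for a one-off "here is what you entered" page. Once the patient needs to come back later, the session is gone and some durable owner is required, which is where the registration step concluded above comes in.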
