OK, sorry mental block, I do this sort of thing at the moment ------------- redirect_to :action => ''show_invoice'', :id => @enquiry def show_invoice @enquiry = Enquiry.find(params[:id]) end ------------- This works fine as far as it goes, it finds the invoice and dsiplays it (my show_invoice view obviously handles the display). The URL looks something like this. http://foo/bar/show_invoice/18 That''s fine but the user can change 18 to say 17 and see the previous invoice! What''s the elegant (hopefully simple) solution? bb. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
I think you should look into filters and set a filter before on the action to check if that user has been granted access to that invoice (it belongs to him) or not. Just google "rails before filter" and you''ll find plenty of examples. On Sep 5, 12:06 pm, bingo bob <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> OK, sorry mental block, I do this sort of thing at the moment > > ------------- > > redirect_to :action => ''show_invoice'', :id => @enquiry > > def show_invoice > @enquiry = Enquiry.find(params[:id]) > end > > ------------- > > This works fine as far as it goes, it finds the invoice and dsiplays it > (my show_invoice view obviously handles the display). The URL looks > something like this. > > http://foo/bar/show_invoice/18 > > That''s fine but the user can change 18 to say 17 and see the previous > invoice! > > What''s the elegant (hopefully simple) solution? > > bb. > -- > Posted viahttp://www.ruby-forum.com/.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Sep 5, 12:06 pm, bingo bob <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> OK, sorry mental block, I do this sort of thing at the moment > > ------------- > > redirect_to :action => ''show_invoice'', :id => @enquiry > > def show_invoice > @enquiry = Enquiry.find(params[:id]) > end > > ------------- > > This works fine as far as it goes, it finds the invoice and dsiplays it > (my show_invoice view obviously handles the display). The URL looks > something like this. > > http://foo/bar/show_invoice/18 > > That''s fine but the user can change 18 to say 17 and see the previous > invoice!Typically you only care about stopping users seeing other users'' invoices. Assuming current_user returns the currently logged in user and user has_many :invoices then current_user.invoices.find params[:id] is a normal find (so you could pass any of the things you could normally pass to Invoice.find) but is scoped to only those invoices belonging to that customer Fred --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
> Typically you only care about stopping users seeing other users'' > invoices. Assuming current_user returns the currently logged in user > and user has_many :invoices then > > current_user.invoices.find params[:id] > > is a normal find (so you could pass any of the things you could > normally pass to Invoice.find) but is scoped to only those invoices > belonging to that customer > > FredHmm, bit confused, the form is available without any login, it''s publically available. I suppose I''d like to scope the find in this method so that it only returns the enquiry jsut submitted. It''s easy surely, oh maybe I don''t need a find method at all? Just need the one record previously saved. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 5 Sep 2008, at 11:26, bingo bob wrote:> > >> Typically you only care about stopping users seeing other users'' >> invoices. Assuming current_user returns the currently logged in user >> and user has_many :invoices then >> >> current_user.invoices.find params[:id] >> >> is a normal find (so you could pass any of the things you could >> normally pass to Invoice.find) but is scoped to only those invoices >> belonging to that customer >> >> Fred > > Hmm, bit confused, the form is available without any login, it''s > publically available. >ok, i assumed it wasn''t.> I suppose I''d like to scope the find in this method so that it only > returns the enquiry jsut submitted. It''s easy surely, oh maybe I don''t > need a find method at all? >Two separate users create a new invoice. How do you know to let user A access their invoice but not other ones, and user B access only their invoice ? How do you differentiate the two cases? Fred> Just need the one record previously saved. > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
> Two separate users create a new invoice. How do you know to let user A > access their invoice but not other ones, and user B access only their > invoice ? How do you differentiate the two cases? >I''m thinking that the app knows about the invoice just created (by ID). Can I store this and limit the view to display just that ID (and no other). -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 5 Sep 2008, at 11:51, bingo bob wrote:> > >> Two separate users create a new invoice. How do you know to let >> user A >> access their invoice but not other ones, and user B access only their >> invoice ? How do you differentiate the two cases? >> > > I''m thinking that the app knows about the invoice just created (by > ID). > Can I store this and limit the view to display just that ID (and no > other).After creation you could just render the newly created invoice and do away with the show action entirely. Two disadvantages with this (over the traditional redirect) - if the user reloads the page it will resubmit the form which created the invoice - no way for people to get at the invoice again once they''ve navigated away from that page. Another approach would be to keep almost everything the same, but store the id of the freshly created invoice in the session and only read it from the session, not the params (this will also stop the user from viewing their invoice again once they''ve relaunched their browser). Yet another option is to store a persistent cookie with the user''s id and track the user using that (to implement the scoped find I mentioned earlier) Fred> > > > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
> > Another approach would be to keep almost everything the same, but > store the id of the freshly created invoice in the session and only > read it from the session, not the params (this will also stop the user > from viewing their invoice again once they''ve relaunched their browser). >Many thanks for this, sounds like just the ticket, would you mind providing a brief code example for the syntax (am sure I can fill in the gaps)? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 5 Sep 2008, at 12:32, bingo bob wrote:> >> >> Another approach would be to keep almost everything the same, but >> store the id of the freshly created invoice in the session and only >> read it from the session, not the params (this will also stop the >> user >> from viewing their invoice again once they''ve relaunched their >> browser). >> > > Many thanks for this, sounds like just the ticket, would you mind > providing a brief code example for the syntax (am sure I can fill in > the > gaps)?well instead if doing find params[:id] you do find session[:something], having previously set session[:something] appropriately Fred> > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
> well instead if doing find params[:id] you do find > session[:something], having previously set session[:something] > appropriatelySorry Fred, Not sure I follow, can I set x = session[:enquiry_id] (in the create) then do, find x basically in the show ? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 5 Sep 2008, at 14:27, bingo bob wrote:> >> well instead if doing find params[:id] you do find >> session[:something], having previously set session[:something] >> appropriately > > Sorry Fred, Not sure I follow, can I set x = session[:enquiry_id] > (in the create) then do, find x basically in the show ?No. after you''ve created the enquiry session[:enquiry_id] = ... in the show @enquiry = Enquiry.find session[:enquiry_id] Fred> > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
> No. after you''ve created the enquiry > session[:enquiry_id] = ... > > in the show > > @enquiry = Enquiry.find session[:enquiry_id] > > FredTried that, fine still working but still the user can edit the URL and get to other records? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 5 Sep 2008, at 16:16, bingo bob wrote:> > >> No. after you''ve created the enquiry >> session[:enquiry_id] = ... >> >> in the show >> >> @enquiry = Enquiry.find session[:enquiry_id] >> >> Fred > > Tried that, fine still working but still the user can edit the URL and > get to other records?not if you''re doing it right, because you''re not using the params from the url. Fred> > -- > Posted via http://www.ruby-forum.com/. > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---