I have a situation where I want to show the user details about an appointment they entered. They enter their name, phone number(s) and other private data in a form. I save that data in the controller with a POST from a "confirmation" page. I could simply show the params when that page is rendered (the save one), but if they use the browser refresh it'll save the data again. I thought about doing a redirect to a view that loads the newly created object, but this shows their appointment ID in the URL. Someone could simply subtract a couple of IDs to view other people's appointments. I was hoping there would be a nice Rails solution. I could create a view that just does a POST on load, which posts to a page that loads the appointment and shows the data; that way the ID won't show, but I was hoping there would be an easier way using Rails. I did notice there was a post method in ActionController::Integration::Session, but I couldn't get that to work (something about an uninitialized constant). Any ideas?

Thanks,
- Brent
Brent Johnson wrote:
> I thought about doing a redirect to a view that loads the newly
> created object, but this shows their appointment ID in the URL.
> Someone could simply subtract a couple of IDs to view other people's
> appointments.

Presuming the user is "logged in" in some way, you could do something like:

  if user_logged_in? && params[:id].to_i == @session[:user_id].to_i
    # Show them what they want to see
  else
    # Do something else
  end

Where user_logged_in? is something like:

  def user_logged_in?
    !@session.nil? && !@session[:user_id].nil?
  end

--Al Evans

--
Posted via http://www.ruby-forum.com/.
On Wednesday, March 29, 2006, at 7:39 PM, Al Evans wrote:
> Brent Johnson wrote:
>
>> I thought about doing a redirect to a view that loads the newly
>> created object, but this shows their appointment ID in the URL.
>> Someone could simply subtract a couple of IDs to view other people's
>> appointments.

Which is why your show action needs to deal with security...

Introduce a User model, and add a has_many :appointments.

In your show action you do:

  @appointment = session[:user].appointments.find_by_id(params[:id])
  render :text => "oops", :status => 404 and return unless @appointment

This code will only show appointments belonging to the logged-in user...

Mikkel Bruun

www.strongside.dk - Football Portal(DK)
nflfeed.helenius.org - Football News(DK)
ting.minline.dk - Buy Old Stuff!(DK)

--
Posted with http://DevLists.com. Sign up and save your time!
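To make the point of Mikkel's answer concrete without a Rails install, here is an added example (not code from the thread): a plain-Ruby, in-memory stand-in for the User/Appointment models. It puts the unscoped lookup Brent worried about (any visitor walks the sequential ids) beside the ownership-scoped lookup, where an id belonging to another user is answered exactly like a missing one. The records, names and the `walk_ids` helper are all constructed for the demonstration.

```ruby
# Added example, not code from the thread: an in-memory stand-in for the
# User / Appointment models that shows why the unscoped lookup is an
# insecure direct object reference and how scoping the lookup through the
# logged-in user closes it. All names and records here are constructed.

Appointment = Struct.new(:id, :user_id, :patient_name, :phone)

# Constructed sample data: sequential ids owned by two different users.
APPOINTMENTS = [
  Appointment.new(100, 1, "Alice", "555-0100"),
  Appointment.new(101, 2, "Bob",   "555-0101"),
  Appointment.new(102, 1, "Carol", "555-0102"),
].freeze

# Vulnerable: the id comes straight from the URL and nothing ties it to the
# visitor, so /appointments/100, 101, 102 ... each return someone's data.
def find_unscoped(id)
  APPOINTMENTS.find { |a| a.id == id }
end

# Hardened: the same lookup, restricted to the current user's own
# appointments (what user.appointments.find_by_id does in Rails). Another
# user's id now looks exactly like a non-existent one.
def find_scoped(current_user_id, id)
  APPOINTMENTS.find { |a| a.user_id == current_user_id && a.id == id }
end

# The show action's response, modelled on the "oops" / 404 branch above.
def show_response(appointment)
  return [404, "oops"] if appointment.nil?
  [200, "#{appointment.patient_name} #{appointment.phone}"]
end

# Someone walking the id space. Returns the ids whose data came back.
# With no current_user_id the unscoped finder is used (the vulnerable case);
# with one, the scoped finder is used.
def walk_ids(ids, current_user_id = nil)
  ids.select do |id|
    appt = current_user_id ? find_scoped(current_user_id, id) : find_unscoped(id)
    show_response(appt)[0] == 200
  end
end

if __FILE__ == $0
  puts "unscoped walk of 99..103 leaks ids: #{walk_ids(99..103).inspect}"
  puts "user 2 walking 99..103 sees ids:   #{walk_ids(99..103, 2).inspect}"
end
```

The only thing that changes between the two finders is the extra `user_id` condition, which is the whole fix: the decision about who may see a record moves out of the URL (attacker-controlled) and into the session (server-controlled). Returning the same 404 for "not yours" and "does not exist" also avoids confirming which ids are live.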
Yeah, I thought about this, but as of right now there is no user login. I should probably just implement that so I can enforce more security rules. The current idea is that a patient goes to the website and schedules an appointment, with no registration required. But after thinking about it, a registration process is probably best. That may at least keep down the spam and garbage random visitors may enter into the scheduling system.

Thanks,
- Brent

On 29 Mar 2006 17:47:49 -0000, Mikkel Bruun <devlists-rubyonrails@devlists.com> wrote:
> Which is why your show action needs to deal with security...
> Introduce a User model, and add a has_many appointments
> this code will only show appointments belonging to the logged in user...