I have a problem with the way I'm currently propagating the object id
from the current view to child objects. Right now, I'm doing this:

    # properties_controller.rb
    def show
      @property = Property.find(params[:id])
      # Park the parent id in the session so a later create can read it back.
      session[:property] = params[:id]
      # snipped for brevity
    end

    # notes_controller.rb
    def create
      @note = Note.new(params[:note])
      # The parent id comes from the session, not from the request itself.
      @note.property_id = session[:property]
      # snipped for brevity
    end

This populates the foreign key in the note with the parent object's id.

This works so far as it goes, but there's a problem here. Basically, if
more than one browser window is open at a time, then the
@note.property_id is set to whatever window was opened last, rather than
using the id from the property view that linked to the create
action. This can result in notes being assigned to the wrong
property--ugh!

How can I *safely* propagate the property.id to note.property_id if I'm
not using a nested form? I don't want to pass it as a hidden form field
(vulnerable to tampering by the client), and I can't necessarily trust
request.referer either, except possibly to validate whether the session
value matches the referer.

I can't be the first person to encounter this sort of issue. What is a
good Rails-centric way of doing this securely?

-- 
"Oh, look: rocks!"
        -- Doctor Who, "Destiny of the Daleks"
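As an added illustration (not code from the post), a plain-Ruby, Rails-free stand-in for the two controllers: the shared-session mix-up described above, next to the assumed alternative of carrying the parent id in a nested route and scoping the lookup to the current user's own properties. The `current_user` string, the `PROPERTIES` table and the `NotFound` class are constructed for this example.

```ruby
# Constructed stand-ins for the two models; plain Ruby, no Rails needed.
Property = Struct.new(:id, :owner_id)
Note     = Struct.new(:property_id, :body)
class NotFound < StandardError; end
# Constructed fixture: properties 1 and 2 belong to alice, 3 to bob.
PROPERTIES = { 1 => Property.new(1, "alice"), 2 => Property.new(2, "alice"),
               3 => Property.new(3, "bob") }.freeze

# --- Pattern from the post: parent id parked in the session ---------------
# All windows of one browser share one session, so the id written by the
# most recent show action is what every later create action reads back.
def session_show(session, property_id)
  session[:property] = property_id
end

def session_create(session, body)
  Note.new(session[:property], body)
end

# --- Assumed alternative: the parent id travels with the request, as with a
# nested route (POST /properties/:property_id/notes), and the lookup is
# scoped to the caller's own properties, the plain-Ruby equivalent of
# current_user.properties.find(params[:property_id]).
def scoped_create(current_user, params)
  property = PROPERTIES[params[:property_id]]
  # A tampered, stale or foreign id is rejected instead of silently used, so
  # the id needs no secrecy: the authorization check is the control.
  raise NotFound unless property && property.owner_id == current_user
  Note.new(property.id, params[:body])
end

# Two windows of one browser: A shows property 1, B shows property 2, then
# the user submits the note form that is still on screen in window A.
def race_with_session
  session = {}
  session_show(session, 1)                            # window A
  session_show(session, 2)                            # window B
  session_create(session, "roof leaks").property_id   # => 2, the wrong parent
end

def race_with_scoped
  # Window A's form posts to its own URL, so its id arrives with the request.
  scoped_create("alice", property_id: 1, body: "roof leaks").property_id  # => 1
end

# bob's browser replays alice's form with property_id 1: rejected by the scope.
def tamper_rejected?
  scoped_create("bob", property_id: 1, body: "spam")
  false
rescue NotFound
  true
end
```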

