I have a problem with the way I'm currently propagating the object id from the current view to child objects. Right now, I'm doing this:

    # properties_controller.rb
    def show
      @property = Property.find(params[:id])
      session[:property] = params[:id]
      # snipped for brevity
    end

    # notes_controller.rb
    def create
      @note = Note.new(params[:note])
      @note.property_id = session[:property]
      # snipped for brevity
    end

This populates the foreign key in the note with the parent object's id. This works so far as it goes, but there's a problem here.

Basically, if more than one browser window is open at a time, then the @note.property_id is set to whatever window was opened last, rather than using the id from the property view that linked to the create action. This can result in notes being assigned to the wrong property--ugh!

How can I *safely* propagate the property.id to note.property_id if I'm not using a nested form? I don't want to pass it as a hidden form field (vulnerable to tampering by the client), and I can't necessarily trust request.referer either, except possibly to validate whether the session value matches the referer.

I can't be the first person to encounter this sort of issue. What is a good Rails-centric way of doing this securely?

--
"Oh, look: rocks!"
        -- Doctor Who, "Destiny of the Daleks"
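
One way to carry the parent id per window without trusting the client, shown as an added example that is not part of the original post: the show action issues an HMAC-signed token bound to the session, and the create action accepts the id only if the signature verifies. The module name SignedParentId, its methods, and the secret and session id values are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical helper (not from the post): signs the parent id so it can
# travel in a form field or URL and be verified when it comes back.
module SignedParentId
  # Build "<id>.<hex mac>". The MAC also covers the session id, so a token
  # issued to one browser session is rejected in another.
  def self.issue(property_id, session_id, secret)
    id = Integer(property_id).to_s
    "#{id}.#{mac(id, session_id, secret)}"
  end

  # Returns the property id as an Integer, or nil when the token is
  # missing, malformed, altered, or was issued for a different session.
  def self.verify(token, session_id, secret)
    id, sig = token.to_s.split(".", 2)
    return nil unless id =~ /\A\d+\z/ && sig
    return nil unless constant_time_eq?(sig, mac(id, session_id, secret))
    id.to_i
  end

  def self.mac(id, session_id, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, "#{id}:#{session_id}")
  end

  # Compare without returning early on the first differing byte.
  def self.constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values, for illustration only.
if __FILE__ == $PROGRAM_NAME
  secret = "constructed-server-secret"
  token  = SignedParentId.issue(42, "constructed-session-id", secret)
  puts token
  puts SignedParentId.verify(token, "constructed-session-id", secret).inspect
end
```

Because each rendered view carries its own token, two open windows no longer overwrite each other's parent id. The signature only proves the server issued that id to that session, so the create action still needs its usual check that the current user may add notes to the property.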