In this case nested routes may be a good choice.

Darian Shimy
--
http://www.darianshimy.com
http://twitter.com/dshimy



On Tue, Nov 17, 2009 at 12:30 PM, Todd A. Jacobs
<[email protected]> wrote:
>
> I have a problem with the way I'm currently propagating the object id
> from the current view to child objects. Right now, I'm doing this:
>
>    # properties_controller.rb
>    def show
>        @property = Property.find(params[:id])
>        session[:property] = params[:id]
>        # snipped for brevity
>    end
>
>    # notes_controller.rb
>    def create
>        @note = Note.new(params[:note])
>        @note.property_id = session[:property]
>        # snipped for brevity
>    end
>
> This populates the foreign key in the note with the parent object's id.
>
> This works so far as it goes, but there's a problem here. Basically, if
> more than one browser window is open at a time, then the
> @note.property_id is set to whatever window was opened last, rather than
> using the id from the property view that linked to the create
> action. This can result in notes being assigned to the wrong
> property--ugh!
>
> How can I *safely* propagate the property.id to note.property_id if I'm
> not using a nested form? I don't want to pass it as a hidden form field
> (vulnerable to tampering by the client), and I can't necessarily trust
> request.referer either, except possibly to validate whether the session
> value matches the referer.
>
> I can't be the first person to encounter this sort of issue. What is a
> good rails-centric way of doing this securely?
>
> --
> "Oh, look: rocks!"
>        -- Doctor Who, "Destiny of the Daleks"
>

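The following is an added example, not code from either poster or from Rails itself: a plain-Ruby simulation of the two designs discussed in this thread. The session-based flow from the question is replayed with two browser windows sharing one login, and the nested-route flow (`resources :properties do resources :notes end`, so the parent id arrives as `params[:property_id]` from the URL) is modelled beside it. The models, the fixture data and the helper names (`owned_properties`, `NotFound`, `two_window_scenario`) are assumptions made for this simulation; the real app's `Property`/`Note`/`User` associations are not shown in the thread.

```ruby
# Added example (not from the original thread): a plain-Ruby simulation of the
# session-based flow versus the nested-route flow. No Rails is required; the
# controller "actions" are ordinary methods, the session is a Hash shared by
# every browser window of one login, and the nested route's :property_id is
# modelled as a request param.

# Minimal in-memory models standing in for ActiveRecord (assumption: the real
# app has Property has_many :notes and User has_many :properties).
Property = Struct.new(:id, :owner_id)
Note     = Struct.new(:id, :property_id, :body)

# Stand-in for ActiveRecord::RecordNotFound.
class NotFound < StandardError; end

# Constructed fixture: user 10 owns properties 1 and 2, user 20 owns property 3.
PROPERTIES = [Property.new(1, 10), Property.new(2, 10), Property.new(3, 20)].freeze

def owned_properties(user_id)
  PROPERTIES.select { |p| p.owner_id == user_id }
end

# --- Approach 1: the session-based flow from the question -------------------
# show stores the parent id in the session; create reads it back later, so
# whichever window rendered show most recently wins.
def session_show(session, params)
  session[:property] = params[:id]
end

def session_create(session, params)
  Note.new(nil, session[:property], params[:note][:body])
end

# --- Approach 2: nested routes (resources :properties { resources :notes }) ---
# The parent id travels in the URL (/properties/:property_id/notes), so each
# window carries its own. The controller resolves it through the current
# user's own properties, so an id the user does not own (whether tampered or
# stale) raises instead of being accepted as a foreign key.
def nested_create(current_user_id, params)
  property = owned_properties(current_user_id).find { |p| p.id == params[:property_id] }
  raise NotFound, "property #{params[:property_id]}" unless property
  Note.new(nil, property.id, params[:note][:body])
end

# Replay the two-window scenario from the question and return which
# property_id each approach assigns to the note submitted from window A.
def two_window_scenario
  session = {}                                   # one login, shared by both windows
  session_show(session, id: 1)                   # window A opens property 1
  session_show(session, id: 2)                   # window B opens property 2
  # Window A now submits its note form: the session says 2, the page said 1.
  via_session = session_create(session, note: { body: 'roof leak' })
  # The same submission with the parent id carried in the nested route.
  via_route = nested_create(10, property_id: 1, note: { body: 'roof leak' })
  { session: via_session.property_id, route: via_route.property_id }
end

# Tampering check: user 10 posting to /properties/3/notes, which they do not own.
def tampered_parent_rejected?
  nested_create(10, property_id: 3, note: { body: 'x' })
  false
rescue NotFound
  true
end

if $PROGRAM_NAME == __FILE__
  p two_window_scenario          # session picks 2 (wrong), route picks 1 (right)
  p tampered_parent_rejected?    # true
end
```

The point the simulation isolates is that the session approach loses per-window state, while scoping the lookup through `current_user.properties` (modelled here by `owned_properties`) is what makes the URL-carried id safe against client tampering; a bare `Property.find(params[:property_id])` would still accept any id.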