Hidden URL


I have in my application a private-public URL. For those who know Flickr, it is sort of like the URL you give to a friend so they can access your photos. Usually the URL looks like this:


Where "khjuytf678ysdfksdgihsd" is an encoded path. Let's say I want to have a public-private page for:


Now I created a controller called URLController that takes the encoded path and redirects to it: "khjuytf678ysdfksdgihsd" becomes "event/124/pinvitation/12".

That works well. But an evil mind can actually directly write "event/124/pinvitation/12" in the browser and access the same page.

The other way I could do this is to hide everything behind the URLController and make the redirection transparent to the browser (so the browser always thinks it is on the page "url/khjuytf678ysdfksdgihsd"). But I don't know how I can achieve that, because redirect_to always changes the URL.

So my question is: how can I restrict the path "event/124/pinvitation/12" to being reached only via the redirect from the URLController? Can I put a condition on the route for this?

I guess this is a classic problem :)

Thank you very much, Julien.

One initial thought I have is to use the idea of always showing the browser the encoded URL, but instead of redirecting, call the appropriate action from the URLController, and make those called actions protected so they can't be called directly from a browser. Make sense? I haven't tried or tested it, but it should work.



Always showing the encoded URL would also allow the user to bookmark the page, which is a good thing. If I call the other controller's actions using render, it does not execute the controller code; it goes directly to rendering the associated view.

Also, what happens with the encoded URL when the user triggers an action on the page (like leaving a comment, for example)? The URL for the form would be the URL of the "protected" controller and not another encoded URL. So basically all URLs for a private-public page will have to be encoded in some way.

I am wondering if some deep functionality in Rails can help me with that.

Thanks, Julien.

I wouldn't call the other method using render; call the other method directly and let it render the results.



I got into reading this: http://weblog.jamisbuck.org/2006/10/4/under-the-hood-route-recognition-in-rails

And I think I can put the code for decrypting the URL in a special implementation of the route.

Let's hope it doesn't slow everything down too much.

Thanks! Julien.
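Pulling together the two threads of the discussion (an opaque token that stands in for "event/124/pinvitation/12", and keeping the plain path unreachable except through the token entry point), the following is an added example in plain Ruby; it is not code from the original thread or from Rails. It assumes a hypothetical SECRET, a hypothetical "/url/<token>" entry point and a small hand-written dispatcher standing in for Rails route recognition. What it adds beyond the discussion is that an HMAC over the path makes the token unforgeable rather than merely obfuscated, that the check runs before any controller code, and that the real handler is only invoked through the token route, so typing the plain path gives a 403.

```ruby
require "openssl"
require "base64"

# Assumed secret for the example only; a real app loads this from
# configuration and never hard-codes it.
SECRET = "assumed-secret-key-for-the-example".freeze

# Path pattern of the page that must only be reachable through a token.
PRIVATE_PATH = %r{\A/event/(\d+)/pinvitation/(\d+)\z}

# Public entry point that carries the opaque token (hypothetical route).
TOKEN_ROUTE = %r{\A/url/([A-Za-z0-9_-]+)\z}

# Constant-time comparison so a forged MAC cannot be guessed byte by byte
# from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Turn a private path into an opaque, URL-safe token: base64url("path|hmac").
# The HMAC is what stops an attacker from minting tokens for other events.
def encode_private_path(path)
  mac = OpenSSL::HMAC.hexdigest("SHA256", SECRET, path)
  Base64.urlsafe_encode64("#{path}|#{mac}", padding: false)
end

# Verify and decode a token. Returns the path, or nil for anything
# malformed, truncated or tampered with.
def decode_private_path(token)
  begin
    raw = Base64.urlsafe_decode64(token)
  rescue ArgumentError
    return nil
  end
  path, mac = raw.split("|", 2)
  return nil if path.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, path)
  secure_equal?(mac, expected) ? path : nil
end

# Helper for links and form actions on the private page, so the browser only
# ever sees encoded URLs (the concern raised about comment forms).
def private_url_for(path)
  "/url/#{encode_private_path(path)}"
end

# The real handler. It has no public route of its own; the dispatcher below
# is the only caller.
def render_invitation(event_id, invitation_id)
  [200, "invitation #{invitation_id} for event #{event_id}"]
end

# Stand-in for route recognition: decode first, then call the handler
# directly (no redirect), and refuse the plain path outright.
def route(request_path)
  if (m = request_path.match(TOKEN_ROUTE))
    path = decode_private_path(m[1])
    ids = path && path.match(PRIVATE_PATH)
    return [404, "unknown or tampered token"] unless ids
    render_invitation(ids[1], ids[2])
  elsif request_path.match(PRIVATE_PATH)
    [403, "direct access to the private page is not allowed"]
  else
    [404, "not found"]
  end
end

if __FILE__ == $PROGRAM_NAME
  token_url = private_url_for("/event/124/pinvitation/12")
  puts token_url
  p route(token_url)
  p route("/event/124/pinvitation/12")
end
```

The token is a bearer capability: anyone who obtains it (a forwarded email, a proxy log, the browser history) gets the page, so treat it like a password, serve it only over HTTPS, and plan for revocation (rotate SECRET, or include a per-invitation nonce that you can invalidate). Because the MAC is over the full path, a token for event 124 cannot be edited into one for event 125; in Rails proper the same check belongs in a route constraint or a before_action on the token controller, which is where the poster's "decrypt in the route" idea lands.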