protecting records from public view

OK, sorry mental block, I do this sort of thing at the moment

I think you should look into filters and set a filter before on the
action to check if that user has been granted access to that invoice
(it belongs to him) or not.
Just google "rails before filter" and you'll find plenty of examples.

Typically you only care about stopping users seeing other users'
invoices. Assuming current_user returns the currently logged in user
and user has_many :invoices then

current_user.invoices.find params[:id]

is a normal find (so you could pass any of the things you could
normally pass to Invoice.find) but is scoped to only those invoices
belonging to that customer

Fred
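The scoped find Fred describes, as an added example that is not code from the thread. It uses plain-Ruby stand-ins for the model, the has_many association and the controller (the names Invoice, User, Association, NotFound, show_unscoped and show_scoped are all constructed here) so that the difference between an unscoped `Invoice.find` and `current_user.invoices.find` can be run without Rails or a database:

```ruby
# Added example, not code from the thread. In-memory stand-ins for an
# ActiveRecord model and a has_many association; only the scoping idea
# (current_user.invoices.find params[:id]) comes from the thread.

# Stand-in for ActiveRecord::RecordNotFound.
class NotFound < StandardError; end

# Minimal "invoices" table: id, owning user_id, total.
Invoice = Struct.new(:id, :user_id, :total)

INVOICES = [
  Invoice.new(1, 100, 25.0),
  Invoice.new(2, 200, 80.0),
  Invoice.new(3, 100, 12.5),
].freeze

# Stand-in for Invoice.find(id): unscoped, any row by primary key.
def invoice_find_unscoped(id)
  INVOICES.find { |inv| inv.id == id } || raise(NotFound, "Invoice #{id}")
end

# Stand-in for `has_many :invoices` on User. Its find only looks at rows
# whose user_id matches the owner, mirroring the SQL Rails would issue:
#   SELECT ... FROM invoices WHERE user_id = ? AND id = ?
class Association
  def initialize(owner)
    @owner = owner
  end

  def find(id)
    INVOICES.find { |inv| inv.user_id == @owner.id && inv.id == id } ||
      raise(NotFound, "Invoice #{id} for user #{@owner.id}")
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def invoices
    Association.new(self)
  end
end

# Vulnerable show: trusts params[:id] alone, so any logged-in user can
# read any invoice by changing the id in the URL.
def show_unscoped(_current_user, params)
  invoice_find_unscoped(params[:id].to_i)
end

# Fixed show: the same find, but reached through the association, so a
# guessed id that belongs to someone else raises NotFound (a 404 in Rails)
# instead of returning the row. No separate before filter is needed for
# the ownership check because the query itself enforces it.
def show_scoped(current_user, params)
  current_user.invoices.find(params[:id].to_i)
end
```

Running `show_unscoped(User.new(100), { id: "2" })` returns user 200's invoice, while `show_scoped` with the same arguments raises NotFound; the scoped version still accepts anything `find` normally accepts, as Fred notes.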

Hmm, bit confused, the form is available without any login, it's
publicly available.

I suppose I'd like to scope the find in this method so that it only
returns the enquiry just submitted. It's easy surely, oh maybe I don't
need a find method at all?

Just need the one record previously saved.

OK, I assumed it wasn't.

Two separate users create a new invoice. How do you know to let user A
access their invoice but not other ones, and user B access only their
invoice? How do you differentiate the two cases?

Fred

I'm thinking that the app knows about the invoice just created (by ID).
Can I store this and limit the view to display just that ID (and no
other).

After creation you could just render the newly created invoice and do
away with the show action entirely.

Two disadvantages with this (over the traditional redirect)
- if the user reloads the page it will resubmit the form which created
the invoice
- no way for people to get at the invoice again once they've navigated
away from that page.

Another approach would be to keep almost everything the same, but
store the id of the freshly created invoice in the session and only
read it from the session, not the params (this will also stop the user
from viewing their invoice again once they've relaunched their browser).

Yet another option is to store a persistent cookie with the user's id
and track the user using that (to implement the scoped find I
mentioned earlier)

Fred

Many thanks for this, sounds like just the ticket, would you mind
providing a brief code example for the syntax (am sure I can fill in the
gaps)?

well instead of doing find params[:id] you do find
session[:something], having previously set session[:something]
appropriately

Fred

Sorry Fred, not sure I follow, can I set x = session[:enquiry_id]
(in the create) then do, find x basically in the show?

No. After you've created the enquiry
session[:enquiry_id] = ...

in the show

@enquiry = Enquiry.find session[:enquiry_id]

Fred
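The session-based create/show pair that Fred outlines here and in his earlier "another approach" message, as an added example that is not code from the thread. It is plain Ruby with an in-memory table and a hash standing in for the Rails session (Enquiry, ENQUIRIES, enquiry_find, NotFound, create, show and show_from_params are all constructed names), so it runs without Rails; the only thing taken from the thread is the `session[:enquiry_id]` pattern:

```ruby
# Added example, not code from the thread. The session hash stands in for
# the Rails session (which Rails signs, so the visitor cannot edit the id
# stored inside it); ENQUIRIES stands in for the enquiries table.

# Stand-in for ActiveRecord::RecordNotFound.
class NotFound < StandardError; end

Enquiry = Struct.new(:id, :email, :message)

# In-memory "enquiries" table.
ENQUIRIES = []

# Stand-in for Enquiry.find(id); nil id (nothing in the session) is a miss too.
def enquiry_find(id)
  ENQUIRIES.find { |e| e.id == id } || raise(NotFound, "Enquiry #{id.inspect}")
end

# create: save the record and remember *its* id in this visitor's session.
# Called with no login at all, exactly as on the public form in the thread.
def create(session, params)
  enquiry = Enquiry.new(ENQUIRIES.size + 1, params[:email], params[:message])
  ENQUIRIES << enquiry
  session[:enquiry_id] = enquiry.id
  enquiry
end

# show: the id comes from the session only. Whatever is in the URL is
# ignored, so editing /enquiries/1 to /enquiries/2 changes nothing, and a
# fresh session (browser relaunched, as Fred notes) simply gets a 404.
def show(session, _params)
  enquiry_find(session[:enquiry_id])
end

# Vulnerable variant for contrast: reads the id from the URL, so any
# visitor can walk through every enquiry by changing the number.
def show_from_params(_session, params)
  enquiry_find(params[:id].to_i)
end
```

With two visitors each holding their own session, `show` always returns the enquiry that visitor created regardless of the `:id` they put in the URL, while `show_from_params` hands back whichever record the URL names.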

Tried that, fine still working but still the user can edit the URL and
get to other records?

not if you're doing it right, because you're not using the params from
the url.

Fred