Secure receipt generation

Has anyone got any ideas on how to approach the following:

I generate a pdf receipt and store it in a directory "outside" of public since I do not want users to be able to just mess about with URLs and look at other users' receipts. However, I do want users to be able to download and see their own receipt. I am struggling to come up with a way of the browser showing the pdf but denying access to other pdfs.

I had thought of using some sort of md5-generated id on a resource called "receipt" to do a show but in the end there is always some URL. Is there a way of creating some sort of "one-time-use" URL by forming the headers accordingly and then simply using a file-read to serve up the file? To me this seems a bit weird as the whole point of webservers is doing precisely this.

I must be thinking along the wrong lines.

Thanks.

O.

Why not just scope the find to the user?

class User
  has_many :receipts
end

Then in your controller you can do something like

def show
  file_ref = current_user.receipts.find(params[:id])
  # Read file code
end

This seems to have done the trick.

class DocumentController < ApplicationController

  # Render the document inline, looked up by the fingerprint in the URL.
  def show
    fingerprint = params[:id]
    if doc = Document.find_by_fingerprint(fingerprint)
      render :file => doc.filepath, :content_type => content_type(doc.filename)
    else
      raise ArgumentError, "Invalid document fingerprint, possible tampered URL"
    end
  end

  # Send the document as a download, looked up by the fingerprint in the URL.
  def download
    fingerprint = params[:id]
    if doc = Document.find_by_fingerprint(fingerprint)
      send_file doc.filepath, :type => content_type(doc.filename)
    else
      raise ArgumentError, "Invalid document fingerprint, possible tampered URL"
    end
  end

  protected

  # Map the file extension to a MIME type string; returns nil if unknown.
  def content_type(filename)
    extname = File.extname(filename)[1..-1]
    mime_type = Mime::Type.lookup_by_extension(extname)
    mime_type.to_s unless mime_type.nil?
  end
end
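
An added example, not from any of the posts above: a plain-Ruby sketch that combines the two ideas in this thread, the user-scoped lookup and a hard-to-guess URL, as an HMAC-signed token bound to receipt, user and expiry. It is time-limited rather than strictly one-time; `ReceiptLink`, `SECRET`, `RECEIPTS` and the file paths are hypothetical names and constructed sample data.

```ruby
require "openssl"

# Added example: all names here are hypothetical, not from the thread.
module ReceiptLink
  # Assumption: a real app loads this from server-side configuration.
  SECRET = "constructed-demo-secret"

  # Constructed sample data: receipt id => owner and path outside public/.
  RECEIPTS = {
    17 => { user_id: 1, path: "/var/app/receipts/17.pdf" },
    18 => { user_id: 2, path: "/var/app/receipts/18.pdf" }
  }.freeze

  def self.sign(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SECRET, payload)
  end

  # The token binds receipt id, user id and expiry time; changing any
  # field invalidates the MAC.
  def self.issue(receipt_id, user_id, ttl: 300, now: Time.now.to_i)
    payload = "#{receipt_id}.#{user_id}.#{now + ttl}"
    "#{payload}.#{sign(payload)}"
  end

  # Returns the file path to send, or nil if the token is malformed,
  # tampered with, expired, or does not belong to the logged-in user.
  def self.resolve(token, current_user_id, now: Time.now.to_i)
    receipt_id, user_id, expires, mac = token.to_s.split(".", 4)
    return nil unless mac

    payload = "#{receipt_id}.#{user_id}.#{expires}"
    # Constant-time comparison, so timing does not leak the expected MAC.
    return nil unless OpenSSL.secure_compare(mac, sign(payload))
    return nil if now > expires.to_i
    return nil unless user_id.to_i == current_user_id

    # Ownership is still checked against the store, like the scoped find.
    receipt = RECEIPTS[receipt_id.to_i]
    return nil unless receipt && receipt[:user_id] == current_user_id

    receipt[:path]
  end
end
```

In a controller, the returned path would be handed to `send_file`, and a `nil` result answered with a 404 so the response does not reveal whether the receipt exists.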