Secure receipt generation

Has anyone got any ideas on how to approach the following:

I generate a pdf receipt and store it in a directory "outside" of
public since I do not want users to be able to just mess about with
URLs and look at other users receipts. However, I do want users to be
able to download and see their own receipt. I am struggling to come
up with a way of the browser showing the pdf but denying access to
other pdf's.

I had thought of using some sort of md5 generated id on a resource
called "receipt" to do a show but in the end there is always some
URL. Is there a way of creating some sort of "one-time-use" URL by
forming the headers accordingly and then simply using a file-read to
serve up the file. To me this seems a bit weird as the whole point of
webservers is doing precisely this.

I must be thinking along the wrong lines.

Thanks.

O.

Why not just scope the find to the user?

class User
has_many :receipts
end

Then in your controller you can do something like

def show
file_ref = current_user.receipts.find(params[:id])

#Read file code
end

This seems to have done the trick.

class DocumentController < ApplicationController

  def show
    fingerprint = params[:id]
    if doc = Document.find_by_fingerprint(fingerprint)
      render :file => doc.filepath, :content_type => content_type
(doc.filename)
    else
      raise ArgumentError, "Invalid document fingerprint, possible
tampered URL"
    end
  end

  def download
    fingerprint = params[:id]
    if doc = Document.find_by_fingerprint(fingerprint)
      send_file doc.filepath, :type => content_type(doc.filename)
    else
      raise ArgumentError, "Invalid document fingerprint, possible
tampered URL"
    end
  end

  protected

  def content_type(filename)
    extname = File.extname(filename)[1..-1]
    mime_type = Mime::Type.lookup_by_extension(extname)
    content_type = mime_type.to_s unless mime_type.nil?
  end
end