Currently with the Authenticity Token, we have a really easy way to validate that a form was submitted from our site, vs from a third party, and can reject it easily.
Using Strong Parameters, we can protect attributes from end-user assignment.
I’m interested rather, in protecting against users manipulating the action url before submitting a form.
Example where this would be useful:
resources :products do resources :reviews end
When I hit the #create in the ReviewsController, it would be kinda nice if I could safely assume that the review is being created for the exact product that the form action originally specified. That way, if I only render that form for people who have bought that product, I know they are allowed to review that product without having to check anything manually. I think to do this, you’d have to implement it almost exactly the same way Authenticity Tokens are.
Would this be useful in general? I think it’d be kinda nice to have form actions be restricted from tampering by default, and it could even cut down on database calls to check if people are authorized to do certain things, if you already checked auth before rendering the form in the first place.