Rails allows you to restrict access to the page without sessions

Question

Rails allows you to restrict access to the page without sessions

Context

I am creating a super-simple, embossed sexy sign-up at http://hivechatter.com . (Yes, I take her very strongly.)

The root page is a new user action in which I request only the email address. If the visitor sends a valid email, a new user is created and I will be redirected to the edit page of this user and request additional additional information.

Problem

The URL of the edit page has the usual form: http://hivechatter.com/users/19/edit . Visit the edit page of any user simply by visiting this URL with any identifier number that they choose.

Question

How to restrict access to the editing page so that it can be visited only once and only immediately after creating this user_id from a new user page?

I can come up with many methods to learn. I would appreciate a pointer to the most elegant way to rails. Please note that I do not need any additional features such as sessions, etc. This two-step registration process is the volume of what I need right now.

Thank!

+3

security ruby ruby-on-rails

Tim Koelkebeck Mar 20 '11 at 19:21

source share

2 answers

cookie - . HTTP , , , , . RoR , .

.htaccess basic-auth. .

0

rook 20 . '11 19:47

fl00r · Accepted Answer · 2011-03-20T20:33:15+0000

. opened_once:boolean DEFAULT false

users_controller

def edit
  @user = User.find( params[:id], :conditions => ['opened_once => ?', false] ) rescue ActiveRecord::RecordNotFound
  @user.update_attribute :opened_once, true
  ...
end

UPD

Rails? . edit, :

def create
  @user = User.new params[:user]
  respond_to do |format|
    if @user.save
      format.html{ render :action => :edit }
    else 
      format.html{ render :action => :new }
    end
  end
end

, .

, "Rails way":)

Rails allows you to restrict access to the page without sessions

More articles: