Rails: How to produce 404 or redirect upon undesired url exploitation?

Posted by Baby Diego on Stack Overflow
Published on 2010-04-13T22:45:05Z Indexed on 2010/05/09 21:28 UTC

I want to hide the urls for editing users and their profiles behind safer and meaningful urls. For instance, I want /user/13/edit to be /settings/account and /user/13/profile/edit to be /settings/profile.

I managed to achieve that, but for that I had to load the user information from the current_user bit from the session. Like so:

# users_controller
def edit
  # Ignore params[:id]; always edit the signed-in user from the session.
  @user = current_user
end

# profiles_controller
def edit
  # Same idea: the profile is reached through the session user, not the URL.
  @user = current_user
  @profile = @user.profile
end

But now, since I can't compare @user.id from the params with the current_user in the session, how can I stop the old urls (/user/13/edit and /user/13/profile/edit) from being exploitable? They always load the forms for the current user, so there's no harm done, but I'd be more comfortable if they just produced a 404 error or something.

Thanks in advance.
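An added example (not code from the question or from Rails itself) of the check being asked for. In a Rails app the two pieces are routing and a guard: in config/routes.rb keep only the new URL (`get 'settings/account', to: 'users#edit'`) and stop routing the old one (`resources :users, except: [:edit, :update]`), after which /user/13/edit is a routing error and Rails answers 404 by itself; for any action that still receives an :id, a before_action raises ActiveRecord::RecordNotFound (which Rails renders as 404) or redirects unless the id is the current user's. The class below is plain Ruby so it runs without Rails: `SettingsGuard`, `RecordNotFound` and the `User` struct are stand-ins constructed for the example, and the hash passed to `edit` plays the role of Rails `params`. The guard also treats a non-numeric id as a mismatch rather than letting `Integer()` raise, and it returns the session user regardless of the id, which is the property that matters most for the update action too: as long as update, like edit, never loads a record from params[:id], the old URLs cannot be used to touch another account.

```ruby
# Added example: ownership check for /user/:id/edit style URLs, written as
# plain Ruby so it runs without Rails. Rails equivalents are noted in comments.

# Stand-in for ActiveRecord::RecordNotFound, which Rails renders as HTTP 404.
class RecordNotFound < StandardError; end

# Minimal user record (constructed for the example; a real app has a model).
User = Struct.new(:id, :email)

class SettingsGuard
  # What a controller action would hand back: status, redirect target, record.
  Result = Struct.new(:status, :location, :user)

  # on_mismatch: :not_found -> raise (404), :redirect -> 302 to /settings/account
  def initialize(current_user, on_mismatch: :not_found)
    @current_user = current_user
    @on_mismatch = on_mismatch
  end

  # Mirrors UsersController#edit guarded by a before_action.
  # params is a Hash such as { "id" => "13" }, as Rails would pass it.
  # With no :id (the /settings/account route) there is nothing to compare.
  def edit(params)
    id = params["id"]
    if id && !own_record?(id)
      return Result.new(302, "/settings/account", nil) if @on_mismatch == :redirect

      raise RecordNotFound, "Couldn't find User with id=#{id}"
    end

    # Always edit the session's user; params[:id] is never used to load a record.
    Result.new(200, nil, @current_user)
  end

  private

  # Compare as integers; a non-numeric id counts as a mismatch, not a crash.
  def own_record?(id)
    Integer(id, 10) == @current_user.id
  rescue ArgumentError, TypeError
    false
  end
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(13, "alice@example.com")
  guard = SettingsGuard.new(alice)

  puts guard.edit({}).status                     # 200: /settings/account
  puts guard.edit("id" => "13").status           # 200: own id in the old URL
  begin
    guard.edit("id" => "14")                     # someone else's id -> 404
  rescue RecordNotFound => e
    puts "404 #{e.message}"
  end
  r = SettingsGuard.new(alice, on_mismatch: :redirect).edit("id" => "14")
  puts "#{r.status} -> #{r.location}"           # 302 -> /settings/account
end
```

Of the two behaviours, the 404 is the better default: a redirect from /user/14/edit to /settings/account quietly confirms that the URL shape is valid, while a not-found response looks the same whether user 14 exists or not.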

© Stack Overflow or respective owner
