
When creating an object with partial validations like here, Wicked requires the object id in the URL:

http://localhost:3000/pets/1/steps/identity

Does this mean that anyone can type this route and modify the data?

I need the form to be filled in by anyone (not logged in), but I don't want there to be any access by a third party to another user's object.

I only need to create a simple multistep form like here, which allows standard back and forward button functionality.

Thanks for any help!

AndrewJL

1 Answer


To solve this, you need an authorisation check of some sort. The Wicked Form gem doesn't handle that stuff.

Try CanCanCan. It's pretty solid and the code is clean. The README is easy to follow and shows you how to add a check to each controller action that will only allow the people you choose to edit.

In your case, you would want the following inside the Ability class:

can [:new, :create], Pet                # anyone, logged in or not, may start a new pet
can [:edit, :update], Pet, user: user   # only the pet's owner may load or submit the edit form

This says that anyone can make a new pet, but that you can only load and submit the edit form if the pet is yours.

Matt Gibson
  • Thanks Matt, but does cancancan only work with checks against a logged in user? – AndrewJL Nov 05 '16 at 09:52
  • No, you can use it for non-logged-in users too. Just assume that `user` is nil and don't use it, as in the first line of code above. Then make a block starting with `if user` and put the ones for the logged-in users inside. – Matt Gibson Nov 07 '16 at 11:33
  • Thanks again Matt but I don't think it'll work, this form will never need to be used by a logged in user. It's just a standard form that I want anyone to be able to fill in. – AndrewJL Nov 07 '16 at 18:00
  • Ah, I see. In that case, you can create temporary ones something like this: https://github.com/plataformatec/devise/wiki/How-To:-Create-a-guest-user – Matt Gibson Nov 07 '16 at 20:57
  • Fantastic, thanks, I'll check that out. I was wondering if it was possible with standard server sessions. – AndrewJL Nov 11 '16 at 12:25
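One way to get the guest ownership the comment thread ends on, using a per-session token instead of a logged-in user so that a pet id typed into the step URL by a third party is refused. This is an added example, not code from the question, the answer, Wicked or CanCanCan; `Pet`, `PetStore`, `GuestPetWizard` and the `guest_token` column are assumed stand-ins for the Rails model and controller, with the session modelled as a plain Hash.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for the Pet model; `guest_token` is an
# assumed column that binds an in-progress record to the session that made it.
Pet = Struct.new(:id, :guest_token, :name)

class PetStore
  def initialize; @pets = {}; @next_id = 0; end
  def create(attrs)
    pet = Pet.new(@next_id += 1, attrs[:guest_token], attrs[:name])
    @pets[pet.id] = pet
  end
  def find(id); @pets[id]; end
end

# Constant-time comparison so a guessed token leaks nothing via timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the Ability rules from the answer for a guest (user is nil):
# :new/:create for anyone, :edit/:update only when the record is "yours",
# where "yours" means the session holds the token minted at create time.
class GuestPetWizard
  def initialize(store); @store = store; end

  # First step (:create): mint a token, store it on the record and in the session.
  def create(session, name)
    session[:pet_token] = SecureRandom.hex(16)
    @store.create(name: name, guest_token: session[:pet_token])
  end

  # Later steps (:edit/:update): load by the id from the URL, then refuse
  # unless the session proves it created this pet. Returning nil stands in
  # for a 404/403 response, so another id's existence is not confirmed.
  def load_step(session, pet_id)
    pet = @store.find(pet_id)
    return nil unless pet && secure_compare(pet.guest_token, session[:pet_token])
    pet
  end
end
```

Because the token lives only in the server-side session, a second browser hitting `/pets/1/steps/identity` gets nil even though it knows the id.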