Right, im building an order form for a site that doesn't require any kind of user signup or authentication. The form has three models: Order, OrderImage, Print. An order form has many OrderImage's and an OrderImage has many Prints.
A user requires the ability to Upload images (OrderImage's) with their order and also the ability to go back and edit each OrderImage before the Order is confirmed and submitted.
The form is multistep and made up of four stage:
This is fine and everything is working as planned and data is stored to the database throughout the Order process as the user enters more details or uploads more images.
However, this means URL's such as "/upload?order=5" exist which isn't good. Because there is no authentication this means anyone could potentially guess the URL of an Order and change it.
So i'm just wondering what the best way of managing this process is? I've got a couple of ideas in mind, but not sure if any of them are the best solution for the problem:
Generate a random order number within 6 digits for example so the url would be more like: "/upload?order=645029". This would result in there being less chance of someone guessing an order number, but really not very secure still.
Combining the above idea with a status on the order, such as "Complete". So when an Order is finally submitted, it is marked as complete. I could then prevent any "Complete" orders from being accessed again. However, during the Order process, the order number could still be guessed and tampered with.
Making use of the session and storing the order number here instead of in the URL, or as a hidden value in the form.
I have watched Ryan Bates' Railscast on Multistep forms in which he stores data in the session. However, Ryan himself concedes that storing complex Models and objects this way isn't practical.
So any suggestions on the best way for handling a non-authenticated order form would be much appreciated, thanks.
I would go with option #3. You're right that it's not good to store complex objects in the session, but all you need to store is the ID number of the order, then you can look it up in the database. You can use a before_filter to ensure that the requested order belongs to the current user:
class OrdersController < ApplicationController
before_filter :check_ownership, :except => [:new, :create]
private
def check_ownership
redirect_to '/' unless params[:id] == session[:current_order_id]
end
end
This example could easily be extended later to allow users with accounts to view their order history (rather than just the current order). Options #1 and #2 are only masking the problem, and would probably be more difficult to extend later.