create edit URL route that doesn't show :id

Question

I'm in the midst of trying to clean up my routing. I have a company model that can log in and create applications. They can create several.

Currently this is my setup:

Routes

get 'applications/edit/:id', to: 'applications#edit'

Applications_controller

def edit
 @application = current_company.applications.find(params[:id])
end 

def update
 @application = Application.find(params[:id])
 if @application.update(application_params)
  redirect_to dashboard_path
 else
  render 'edit'
 end
end

Each company have their own dashboard. Here's my code from /dashboard

Your active applications

<% @applications.all.each do |f| %>
 <%= link_to "Application",   show_path + "/#{f.id}" %> | <%= link_to "Edit", edit_application_path("#{f.id}") %>
   <br>
<% end %>

Now this all works, if I go to edit_application/11 f.ex I see it.

The thing I'd like changed is to remove the :id from the URL.

Thus make it more secure and to give a nicer feel. Now it took me 5 minutes before I realised I could just change the :id url and edit everything. Thus I added the current_company.applications to stop that. Yet I don't feel like this is very secure.

I don't get it. You want the parameter not to be in the url? — Jorge de los Santos, Jun 25 '14 at 12:22
I want to change it so that instead of this /edit/12 (where 12 is the current ID f.ex) that it just says /edit and gets the ID from the link in the @applications.all.each — user2755537, Jun 25 '14 at 12:27
try: `get 'applications/edit/:id', to: 'applications#edit' as: :edit_app` — Abdul Baig, Jun 25 '14 at 12:55

score 2 · Accepted Answer · edited May 23 '17 at 10:26

If you want to remove the :id, you'll still need a way to find the data you want.

As long as you have the url /edit/12 and as long as you use the id 12 in the GET url to find your content, it will show in the browser bar. The only way to "hide" it (but it's not more secure at all, because it's easily found out), is to use a POST request with a form containing a hidden field with the id (can be made in JavaScript). You are asking the application to get the id from the link in the @applications.all.each but the only way it can do that is to include it somewhere in the request (be it GET, POST, COOKIES/SESSION, ...).

For another (possibly better) solution, read on.

A very common practice is to use slugs: you create a unique key for each content, for example, if your title is "My great app", the slug will be my-great-app. Thus there is no id in your URL (and it cannot be found out if you always use slugs as references). The advantage is that you'll still find a quick match for what you're searching for (creating an unique index on the slugs).

Some further reading about slugs:

http://rubysnippets.com/2013/02/04/rails-seo-pretty-urls-in-rails/

What is the etymology of 'slug'?

create edit URL route that doesn't show :id

Your active applications

1 Answers1