2

Right, im building an order form for a site that doesn't require any kind of user signup or authentication. The form has three models: Order, OrderImage, Print. An order form has many OrderImage's and an OrderImage has many Prints.

A user requires the ability to Upload images (OrderImage's) with their order and also the ability to go back and edit each OrderImage before the Order is confirmed and submitted.

The form is multistep and made up of four stage:

  1. Upload Images
  2. Review Uploads
  3. Your Details
  4. Confirm Uploads

This is fine and everything is working as planned and data is stored to the database throughout the Order process as the user enters more details or uploads more images.

However, this means URL's such as "/upload?order=5" exist which isn't good. Because there is no authentication this means anyone could potentially guess the URL of an Order and change it.

So i'm just wondering what the best way of managing this process is? I've got a couple of ideas in mind, but not sure if any of them are the best solution for the problem:

  1. Generate a random order number within 6 digits for example so the url would be more like: "/upload?order=645029". This would result in there being less chance of someone guessing an order number, but really not very secure still.

  2. Combining the above idea with a status on the order, such as "Complete". So when an Order is finally submitted, it is marked as complete. I could then prevent any "Complete" orders from being accessed again. However, during the Order process, the order number could still be guessed and tampered with.

  3. Making use of the session and storing the order number here instead of in the URL, or as a hidden value in the form.

I have watched Ryan Bates' Railscast on Multistep forms in which he stores data in the session. However, Ryan himself concedes that storing complex Models and objects this way isn't practical.

So any suggestions on the best way for handling a non-authenticated order form would be much appreciated, thanks.

Pete
  • 1,472
  • 2
  • 15
  • 32

2 Answers2

0

I hate to respond with a question... but: How does a user find his order when he come back to the site later?

Without registration, you have to find a way to associate a User with the order!.

I can't see how you could do that securely, whitout at least asking him a unique username.

But then, anyone would be able to guess this username and get to the order!.

I would say, if you don't want authentication... then you should not care that other user see orders of anyone!

If this is a problem, you will need a simple form of auth.

Cygnusx1
  • 5,329
  • 2
  • 27
  • 39
  • The user does not require access to the Order once it has been submitted. Once submitted the Order is processed and invoiced offline. – Pete Sep 12 '11 at 15:41
  • @Cygnusx1, it doesn't seem to be a requirement that users can access their orders after submitting them, but it would be really easy to email the user a link with a generated access token, e.g., `/orders/42?access_token=988881adc9fc3655077dc2d4d757d480b5ea0e11`. – David Sep 12 '11 at 15:56
  • ok i missread i think..: "and also the ability to go back and edit each OrderImage before the Order is confirmed and submitted." i understood the user can come back and change his order!. but i guess you all want to do this inside a single session? – Cygnusx1 Sep 12 '11 at 17:09
  • Yeah sorry that probably isn't hugely clear. Your right, the user needs the ability to edit the OrderImage's within the same session. – Pete Sep 12 '11 at 17:39
  • ok i see... ;-) well in this case, you can use the session like someone else already proposed. have a good day. – Cygnusx1 Sep 12 '11 at 17:42
0

I would go with option #3. You're right that it's not good to store complex objects in the session, but all you need to store is the ID number of the order, then you can look it up in the database. You can use a before_filter to ensure that the requested order belongs to the current user:

class OrdersController < ApplicationController
  before_filter :check_ownership, :except => [:new, :create]

  private

  def check_ownership
    redirect_to '/' unless params[:id] == session[:current_order_id]
  end
end

This example could easily be extended later to allow users with accounts to view their order history (rather than just the current order). Options #1 and #2 are only masking the problem, and would probably be more difficult to extend later.

David
  • 2,311
  • 1
  • 15
  • 13
  • Btw, if you use this example, be careful of the types. `params[:id]` is likely to be a string, and `session[:current_order_id]` might be a string or an integer. – David Sep 12 '11 at 15:58