ruby - Rails 4 Passing existing/previous record values to new record
I'll try to explain as thoroughly as possible. I'm trying to figure out the best way of passing existing data that should not be tampered with as a hidden value through a form, or whether there is a better way to send that data to the Rails "create" method.
Basically, what I'm trying to achieve is this: a first transaction is created that stores group_id, owner_id, user_id, message and status. When the user "accepts" the request, a new transaction is created with the same information (group_id, owner_id, user_id), except that status and message can be changed.
So here's how the flow goes. The user first creates a request like this:

Request.create("gid" => 1, "user_id" => 2, "owner_id" => 4, "message" => "bla bla", "status" => 'pending')
Then the owner of the request views the request and is able to accept or reject the transaction. Bear in mind that the requests are all on the same page, so there can be many accepts and rejects on the same page, each iterated through @request = requests.where(:owner_id => 4).
The problem is that a hidden input can be tampered with to change columns that aren't supposed to change. What I'm trying to figure out is whether there is a way to pass values to the accept method, both new (message) and old (group_id, user_id, owner_id), to create the new row with.
The new transaction would look like this:

Request.accept("gid" => ori_trans, "user_id" => ori_trans, "owner_id" => ori_trans, "message" => "new message", "appointment" => ori_trans, "status" => 'accepted')

def accept
  @request = Request.new(request_params)
  @request.status = 'accepted'
  @request.expert_id = current_user.id
  respond_to do |format|
    if @request.save
      format.html { redirect_to @request, notice: 'Request created.' }
      format.json { render action: 'show', status: :created, location: @request }
    else
      format.html { render action: 'new' }
      format.json { render json: @request.errors, status: :unprocessable_entity }
    end
  end
end

def request_params
  params.require(:request).permit(:gid, :user_id, :message)
end
The problem with whitelisting gid and user_id is that users can tamper with the form to change those fields. Ideally, I'd want only :message to come through the params.
Hope this explains what I'm trying to do; let me know if you have suggestions.
I think the following code should do what you want:

def accept
  original_request = Request.find(params[:request][:id])
  if original_request.owner_id != current_user.id
    # do something here, logout maybe?
    return
  end
  @request = original_request.dup
  @request.message = params[:request][:message]
  @request.status = 'accepted'
  respond_to do |format|
    if @request.save
      format.html { redirect_to @request, notice: 'Request created.' }
      format.json { render action: 'show', status: :created, location: @request }
    else
      format.html { render action: 'new' }
      format.json { render json: @request.errors, status: :unprocessable_entity }
    end
  end
end

With this code, if someone tampers with the request id parameter and tries to accept a request they don't own, it will fail.
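The pattern in the answer (load the original row server-side, check ownership against the logged-in user, copy the trusted columns from that row, and let only the message come from the client) can be exercised without Rails. The following is an added example, not code from the question or the answer: it replaces ActiveRecord with a small in-memory store and a strong-parameters stand-in, and the names Request, RequestStore, accept_params, accept_request, Forbidden and NotFound are illustrative. The tampered parameter hash in the usage note is constructed for the demonstration.

```ruby
# Framework-free sketch of the "accept" flow from the answer above.
# Assumed names: Request, RequestStore, accept_params, accept_request,
# Forbidden, NotFound. None of these are Rails APIs.

Request = Struct.new(:id, :gid, :user_id, :owner_id, :message, :status,
                     keyword_init: true)

class Forbidden < StandardError; end
class NotFound  < StandardError; end

# Minimal stand-in for the database table: auto-incrementing ids, find by id.
class RequestStore
  def initialize
    @rows = {}
    @next_id = 1
  end

  def create(attrs)
    row = Request.new(attrs.merge(id: @next_id))
    @rows[@next_id] = row
    @next_id += 1
    row
  end

  def find(id)
    key = Integer(id) rescue nil
    @rows.fetch(key) { raise NotFound, "no request with id #{id.inspect}" }
  end
end

# Strong-parameters stand-in: whatever the client sends under "request",
# only "message" survives. gid / user_id / owner_id are never read from here.
def accept_params(raw)
  raw.fetch("request").slice("message")
end

# Server-side accept: the trusted columns come from the stored original row,
# the ownership check uses the authenticated user, and the client can only
# influence the message. Raises Forbidden when the caller is not the owner.
def accept_request(store, raw_params, current_user_id)
  original = store.find(raw_params.fetch("request").fetch("id"))
  raise Forbidden, "user #{current_user_id} does not own request #{original.id}" \
    unless original.owner_id == current_user_id

  permitted = accept_params(raw_params)
  copy = original.dup                      # shallow copy keeps gid/user_id/owner_id
  copy.id = nil                            # new row gets its own id
  copy.message = permitted["message"] if permitted.key?("message")
  copy.status = "accepted"
  store.create(copy.to_h.reject { |k, _| k == :id })
end
```

Usage: create the pending request with `store.create(gid: 1, user_id: 2, owner_id: 4, message: "bla bla", status: "pending")`, then call `accept_request(store, params, 4)` with a params hash such as `{ "request" => { "id" => "1", "message" => "new message", "gid" => 99 } }`. The extra `"gid" => 99` is dropped by `accept_params`, so the accepted copy still carries gid 1, and the same call with a different user id raises `Forbidden` instead of creating a row.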