As part of my app, users get to approve certain “requests” via email. Requests have their own model and therefore each has a unique id.
Users get an email with a named route in a link: ‘approve/:id’ where :id is the id of the request. The approve method then handles the approval logic, etc.
How can I prevent a user from approving requests made to other users without having the user login beforehand? Since the ids are freely displayed in the URL, I guess a GUID would be needed or?
If you really want to do that, then yes, you’d need a GUID of some sort. Perhaps a cryptographic hash of the user_id or email address(?), so you end up using /approve/:id/:GUID.
I’m surprised you don’t want the user to login though; remember that if they login you can redirect them on to the approval automatically. Also, if the cookie is still valid, a user may already be logged in.
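One way to build the /approve/:id/:GUID link described in the answer, as an added example that is not from the original thread: it uses a keyed HMAC over the request id and recipient address rather than a plain hash, so the token cannot be recomputed by someone who only knows the sequential id, and the approve action compares it in constant time and accepts each request once. The secret, the REQUESTS table and the addresses are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

# Server-side secret (generated here for the demo; a real app loads it from credentials).
APPROVAL_SECRET = SecureRandom.hex(32)

# Constructed stand-in for the Request model: id => attributes.
REQUESTS = {
  101 => { recipient: 'alice@example.com', approved: false },
  102 => { recipient: 'bob@example.com',   approved: false }
}

# Token that goes into /approve/:id/:token. A keyed HMAC over the request id and
# the recipient address: without the server secret nobody can compute a valid
# token, even though the ids themselves are sequential and visible in the URL.
def approval_token(request_id, recipient_email, secret = APPROVAL_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{request_id}:#{recipient_email.downcase}")
end

def approval_url(request_id, recipient_email)
  "/approve/#{request_id}/#{approval_token(request_id, recipient_email)}"
end

# Constant-time comparison so the token cannot be recovered via a timing side channel.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the approve action does with the two URL parameters. The token is bound to
# one request, so a token minted for request 101 cannot approve 102, and a request
# is approved once only, so a forwarded or replayed link changes nothing.
def approve!(requests, id, token)
  record = requests[id]
  return :not_found unless record
  expected = approval_token(id, record[:recipient])
  return :forbidden unless secure_equal?(expected, token.to_s)
  return :already_approved if record[:approved]
  record[:approved] = true
  :approved
end
```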