Reputation: 1488
In order to reply to a message received from User A, I am passing in User A's id
through the link_to tag:
<%= link_to "Reply", new_message_path(:id => @user.id), class: "button" %>
I can then make sure that the recipient is @user. But the issue is that when the new view opens with the send message form, the URL also has User A's id. How can I hide that? Because someone can easily change the parameter and the message can then be sent to another User instead of User A.
Upvotes: 0
Views: 597
Reputation: 13181
You can't.
I mean you could hide it and use a POST method and a hidden field for the id, but the risk would be the same: anybody could change the id.
You need to ask yourself the question "how to secure my message system so users cannot send messages to other users". I would suggest creating a token field in your message (like a long random string) and using this token to verify that the message is sent to the correct user. It requires a bit of coding, but if your application needs security you can't avoid it.
Upvotes: 1
Reputation: 487
With this syntax, do you still have this trouble?
<%= link_to "Reply", new_message_path(@user), class: "button" %>
What code is in your controller action 'create'?
Upvotes: 0
Reputation: 6274
If you need the id, you need to send the parameter somehow. You can't and probably don't want to hide it.
If someone changes the url to send the message to another user, he does so willingly.
If you want to make sure a user can only send messages to certain users, you should do so by setting up permissions.
Hiding the parameter won't gain you anything.
Upvotes: 2
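One way to implement the permission check the last answer calls for, as an added example that is not from any of the posters: plain Ruby structs stand in for the Rails User and Message models, and the `create` step decides server-side whether the recipient id taken from params (assumed here to be `params[:recipient_id]`) belongs to someone who has actually messaged the current user, instead of trusting the id in the URL.

```ruby
# Constructed stand-ins for the app's User and Message records (no Rails needed).
User = Struct.new(:id, :name)
Message = Struct.new(:sender_id, :recipient_id, :body)

# Authorization rule to run in MessagesController#create before saving.
# Returns true only if `recipient_id` (as received from params) names a user
# who has previously sent a message to `current_user`. The client-supplied id
# is never trusted on its own; the server re-derives the permission.
def allowed_recipient?(current_user, recipient_id, messages)
  messages.any? do |m|
    m.recipient_id == current_user.id && m.sender_id == recipient_id.to_i
  end
end

# Server-side equivalent of the create action: refuses instead of sending
# when the id in params does not pass the rule above (e.g. it was edited).
def create_reply(current_user, params, messages)
  recipient_id = params[:recipient_id]
  unless allowed_recipient?(current_user, recipient_id, messages)
    return { status: :forbidden, message: nil }
  end
  reply = Message.new(current_user.id, recipient_id.to_i, params[:body])
  messages << reply
  { status: :created, message: reply }
end

# Constructed sample data: B has received a message from A and nothing from C.
# Replying to A is allowed; a reply whose id was changed to C is refused.
def demo
  a = User.new(1, "A")
  b = User.new(2, "B")
  c = User.new(3, "C")
  inbox = [Message.new(a.id, b.id, "hello")]
  ok = create_reply(b, { recipient_id: a.id.to_s, body: "hi A" }, inbox)
  tampered = create_reply(b, { recipient_id: c.id.to_s, body: "hi C" }, inbox)
  [ok[:status], tampered[:status]]
end
```

The same check belongs in `create`, not only in `new`: rendering the form with a verified recipient does nothing if the id posted back is accepted unchecked.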