I have these nested routes, and I want to hide the id param from the url.

    resources :shares, only: [:index, :create, :update] do
      resource :wizard, path: "trade" do
        get :first_object
        get :second_object
        get :confirmation
        post :validate_step
      end
    end

Each page has a form_for that looks like this up top:

    <%= form_for [@object, @trade_wizard], as: :trade_wizard, url: validate_step_share_wizard_path(@object) do |f| %>

So the user adds the first_object to the wizard, and gets redirected to the following url: /shares/113/trade/second_object. After adding second_object (which is obviously different from the first), the user is redirected to /shares/106/trade/confirmation. I'm not sure if this represents a potential security violation, and my tests seem to work just fine, so I'm thinking it should be ok if I find some way to hide that id part of the url?
Or is my use case for nested routes incorrect?