I want to register various clicks on a webpage, e.g. toggle visibility of elements.
The clicks come from users not logged in.
I have an Impression model with an actions attribute that stores key-value pairs of actions made on a certain page.
On a click event I'm updating a record with this function:
function sendAjax(id, data) {
$.ajax({
type: "PATCH",
url: '/impressions/update',
data: {'impression_id' : id, 'actions' : data},
success: function(events){
}
});
}
But I'm realizing that this is not secure at all, the user could theoretically update whatever record she wants.
How could I do this more securely, can I take advantage of Rails' protect_from_forgery in any way with my use case?
I don't think this is a necessary feature. Maybe you think too much :)
Even in Google Analytic you can't stop a visitor from manipulating his action, theoretically. One can push any events he want just in console.
Also it's not necessary for analytic tool to be 100% secure and precise. There must be noises, you can ease them but can't really avoid them, or avoid them in a reasonable cost.