ruby-on-rails, wicked-gem

Rails Wicked Form: Stop others changing object values


When creating an object with partial validations like here, Wicked requires the object id in the url -

http://localhost:3000/pets/1/steps/identity

Does this mean that anyone can type this route and modify the data?

I need the form to be filled in by anyone (not logged in), but I don't want there to be any access by a third party to another users object.

I only need to create a simple multistep form like here, which allows standard back and forward button functionality.

Thanks for any help!


Solution

  • To solve this, you need an authorisation check of some sort. The Wicked Form gem doesn't handle that stuff.

    Try CanCanCan. It's pretty solid and the code is clean. The README is easy to follow and shows you how to add a check to each controller action that will only allow the people you choose to edit.

    In your case, you would want the following inside the Ability class:

    can [:new, :create], Pet
    can [:edit, :update], Pet, user: user
    

    Showing that anyone can make a new pet, but you can only load and submit the edit form if the pet is yours.
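An added, dependency-free illustration of the ownership check the answer describes (this is not code from the answer, nor from the Wicked or CanCanCan projects). It models the two Ability rules as a plain Ruby class and shows the lookup a steps controller must do before rendering any step: find the pet, then confirm the requester owns it. The owner identity is assumed to come from `session[:user_id]` for logged-in users or from a constructed `session[:pet_owner_token]` saved when an anonymous visitor created the pet; a request with no owner identity is refused rather than matched against pets with no owner.

```ruby
# Constructed sample data standing in for the Pet model and its table.
Pet = Struct.new(:id, :owner_id)
PETS = { 1 => Pet.new(1, "user-a"), 2 => Pet.new(2, "user-b") }

class NotAuthorized < StandardError; end

# Plain-Ruby equivalent of the answer's rules:
#   can [:new, :create], Pet            -> anyone may start a pet
#   can [:edit, :update], Pet, user: user -> only the owner may change it
class Ability
  def initialize(owner_id)
    @owner_id = owner_id
  end

  def can?(action, pet = nil)
    case action
    when :new, :create
      true
    when :edit, :update
      # A nil owner never matches: an anonymous request must not be able to
      # edit a pet just because that pet also has no owner recorded.
      !pet.nil? && !@owner_id.nil? && pet.owner_id == @owner_id
    else
      false
    end
  end
end

# What a Wicked steps controller's before_action should do with the id in
# /pets/:pet_id/steps/:id. `session` is a Hash here; in Rails it would be the
# request session. Hypothetical key :pet_owner_token is assumed to have been
# stored when the anonymous visitor created the pet.
def load_pet_for_step(pet_id, session)
  pet = PETS.fetch(pet_id) # KeyError here plays the role of RecordNotFound (404)
  owner_id = session[:user_id] || session[:pet_owner_token]
  raise NotAuthorized, "pet #{pet_id} is not yours" unless Ability.new(owner_id).can?(:update, pet)
  pet
end

def authorized?(pet_id, session)
  load_pet_for_step(pet_id, session)
  true
rescue NotAuthorized
  false
end
```

Guessing another pet's id in the URL then yields a refusal instead of the edit form, which is the behaviour the answer's `user: user` condition is meant to produce.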