I have the following link:
link_to("Toggle", "/jobs/#{job.id}/toggle_is_money_paid", :remote => true)
which toggles the is_money_paid field of a job using an Ajax request:
def toggle_is_money_paid
  job = Job.find(params[:id])
  job.update_attributes(:is_money_paid => !job.is_money_paid)
  render :nothing => true
end
# config/routes.rb
match "/jobs/:id/toggle_is_money_paid" => "jobs#toggle_is_money_paid"
However, if a user types directly:
http://localhost:3001/jobs/200/toggle_is_money_paid
in the browser, it will toggle the is_money_paid field of job #200.
How could I prevent this, such that users could toggle the field only by pressing the link?
You could prevent this by not defining the route using match, but instead by using one of the HTTP verbs that isn't get. More than likely, you'll want to use put:
put "/jobs/:id/toggle_is_money_paid" => "jobs#toggle_is_money_paid"
Then you'll change your link_to to this:
link_to("Toggle", "/jobs/#{job.id}/toggle_is_money_paid", :remote => true, :method => :put)
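As an added example, not part of the original question or answer: a small Ruby check that scans route definitions for the problem discussed here, a state-changing action that a plain GET can reach. It assumes Rails 3 semantics (a match route with no :via answers every verb), parses only the "path" => "controller#action" form, and uses a hypothetical list of action-name prefixes; the sample routes are constructed.

```ruby
# Added example: flag route lines that let a plain GET (typing the URL
# into the browser) reach an action whose name suggests it changes state.
# Assumptions: Rails 3 semantics, where `match` without :via answers every
# verb; only the `"path" => "controller#action"` form is parsed; the
# action-name prefixes below are a heuristic, not a Rails convention.
MUTATING = /\A(toggle|update|destroy|delete|create|set|mark)/
ROUTE = /\A(\w+)\s+["']([^"']+)["']\s*=>\s*["'][\w\/]+#(\w+)["'](.*)\z/

# True when a browser navigation (GET) would be routed to the action.
def get_reachable?(verb, rest)
  return true if verb == "get"
  return false unless verb == "match"
  via = rest[/via\W+(.*)/, 1]          # verbs listed after :via, if any
  via.nil? || !(via.scan(/\w+/) & %w[get all]).empty?
end

# Returns [line_number, path, action] for every risky route line.
def audit_routes(source)
  source.each_line.with_index(1).map do |line, no|
    m = ROUTE.match(line.strip)
    next unless m                      # comments and unparsed forms are skipped
    verb, path, action, rest = m.captures
    [no, path, action] if get_reachable?(verb, rest) && action =~ MUTATING
  end.compact
end

# Constructed sample input: the question's route, the answer's route,
# and three further made-up routes for contrast.
SAMPLE_ROUTES = <<~'ROUTES'
  # config/routes.rb (constructed sample)
  match "/jobs/:id/toggle_is_money_paid" => "jobs#toggle_is_money_paid"
  put "/jobs/:id/toggle_is_money_paid" => "jobs#toggle_is_money_paid"
  match "/jobs/:id/mark_done" => "jobs#mark_done", :via => [:put, :post]
  get "/jobs/:id/destroy_now" => "jobs#destroy_now"
  get "/jobs/:id/summary" => "jobs#summary"
ROUTES

if __FILE__ == $0
  audit_routes(SAMPLE_ROUTES).each do |no, path, action|
    puts "line #{no}: GET can reach #{action} via #{path}"
  end
end
```

The question's match route and the constructed get route are reported; the put route from the answer and the :via-restricted match route are not.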