Rails Way to Restrict Page Access Without Sessions

Question

Context

I'm building a super simple, knock-your-socks-off sexy sign-up page at http://hivechatter.com. (Yes, I feel strongly about her.)

The root page is the new user action, where I ask for email only. If the visitor submits a valid email, a new user is created and I redirect to that user's edit page and ask for additional, optional info.

Problem

The edit page url is of the usual form: http://hivechatter.com/users/19/edit. One can visit any user's edit page by simply visiting this url with whichever id number they choose.

Question

How do I restrict access to the edit user page so that it can only be visited once, and only immediately after having created that user_id from the root new user page?

I can think of a variety of methods to explore. I'd appreciate a pointer on the most elegant, rails way to do this. Note that I don't need any additional functionality like sessions, etc. This two step sign-up process is the extent of what I need right now.

Thanks!

Answer 1

Add new column to your users table. Let it be opened_once:boolean with DEFAULT false

Then in your users_controller

def edit
  @user = User.find( params[:id], :conditions => ['opened_once => ?', false] ) rescue ActiveRecord::RecordNotFound
  @user.update_attribute :opened_once, true
  ...
end

so now it can be showed only once right after creating new user when you redirect to edit page

UPD

What you can do more Rails way? Without adding new stuff to your database and so on. You can remove your edit action at all, so your edit view will rendered at create:

def create
  @user = User.new params[:user]
  respond_to do |format|
    if @user.save
      format.html{ render :action => :edit }
    else 
      format.html{ render :action => :new }
    end
  end
end

User will see edit form only once if validation passed and his profile created.

So this is specific "Rails way" :)