validate confirmation with hidden field Rails 4

Question

I have SMS payment system that works just great. Now I am facing problem.

When user hits new advertisement:

  def new
    @advertisement = Advertisement.new    
    retries = 0
    loop do
      @advertisement.identifier = ('0'..'9').to_a.shuffle.first(5).join
      retries += 1
      break if retries == 5 || Advertisement.find_by(identifier: @advertisement.identifier)
    end

    @int = @advertisement.identifier.to_i
      @compare_identifier = ((@int + 99)*7)+2
   respond_with(@advertisement)
  end

So identifier and compare_identifier are generated.

Before user can create new advertisement he need to pay via sms.

SMS looks like this ABC 12345 - ABC is a service identifier, 12345 is advertisement identifier.

Incoming payments will be handled in SMS#RECEIVE controller, where first of all will identify advertisement and then generate compare_identifier by the same function as in Advertisement#new :

 @int = @advertisement.identifier.to_i
          @compare_identifier = ((@int + 99)*7)+2

Then this compare_identifier is sent back to user who sent SMS. Then he inputs this code and if it matches he can create that advertisement.

In Advertisement#_form:

    <%= form_for @advertisement,:html => {:multipart => true, :class => "form-horizontal advertisement" } do |f| %>
    .....

    <%= f.hidden_field :smsidentifier, :value => @compare_identifier%>
    <%= f.text_field :smsidentifier_confirmation %> 

       <%= f.submit nil, :class => 'btn btn-primary' %>
       <%= link_to t('.cancel', :default => t("helpers.links.cancel")),
                 advertisements_path, :class => 'btn btn-default' %>

  <% end %>

Advertisement.rb

   validates :smsidentifier, confirmation: true
   validates :smsidentifier_confirmation, presence: true

Then I got this error:Smsidentifier confirmation translation missing: lv.activerecord.errors.models.advertisement.attributes.smsidentifier_confirmation.blank

I believe this is because of that hidden_field ? It is very important to keep that field hidden, so there wouldn't be security breach.

Params hash when I try to create advertisement:

  Parameters: {"utf8"=>"✓", "authenticity_token"=>"ZIevYutJzBvZoAxseuaAvIqhqKWfL2Qr4PBxsO4zvJs=", "advertisement"=>{"user_id"=>"24", "name"=>"liu", "country_id"=>"1", "region_id"=>"4", "age"=>"41", "height"=>"152", "phone_number"=>"2222222", "weight"=>"58", "email"=>"[email protected]", "description"=>"4141", "provaider"=>"ipo", "your_ip"=>"i;", "terms_of_service"=>"1", "smsidentifier"=>"588807", "smsidentifier_confirmation"=>"588807"}, "hour_ids"=>["1"], "service_ids"=>["2", "7"], "images"=>[#<ActionDispatch::Http::UploadedFile:0x00000005e8d078 @tempfile=#<Tempfile:/tmp/RackMultipart20141217-13535-1glcbic>, @original_filename="sludinajums_ruby1.jpg", @content_type="image/jpeg", @headers="Content-Disposition: form-data; name=\"images[]\"; filename=\"sludinajums_ruby1.jpg\"\r\nContent-Type: image/jpeg\r\n">], "commit"=>"Create Advertisement", "locale"=>"lv"}

Is there any other way to do this? Or my approach is bad?

Answer 1

Have you whitelisted that field in Strong Params?

https://github.com/rails/strong_parameters

If not it will get nullified in the controller.

Answer 2

I think smsidentifier creation and checking is best done in create method. So, you just need the smsidentifier_confirmation field in the form and you can remove the hidden field.