Topic: AWD page 106 "Trapping Erroneous Requests"? How far should we go?

I am studying AWD page 106 where he shows how to trap for erroneous requests that are sent into the program. In this very simple example he sends a "/store/add_to_cart/wibble" and it blows up, as "wibble" is not a product id.
I am using RESTful routings with a very hierarchical nesting down to FOUR layers of tables. In other words, if I'm going to test erroneous values being passed in as requests, I've got a SHITLOAD of testing to do. Should I just be 'vulnerable' for people who want to mess with the application? Or, have you seen a modification of this code to make it test for many distinct parameters being passed in, e.g.: \project\project_id\ecase\ecase_id\item\item_id\tx\tx_id.
Here's Dave Thomas' example if you (RyanB) wanted to show how I should modify it.
def add_to_cart
  begin
    product = Product.find(params[:id])
  rescue ActiveRecord::RecordNotFound
    # Bogus id (e.g. "wibble"): log it, tell the user, send them back to the index
    logger.error("Attempt to access invalid product #{params[:id]}")
    flash[:notice] = "Invalid Product"
    redirect_to :action => :index
  else
    # Runs only when the find succeeded ("find.cart" in the post is a typo for find_cart)
    @cart = find_cart
    @cart.add_product(product)
  end
end
Thanks, (RyanB)
P.S. Is Flash kept in the Session or not? If so, why isn't it called session[:flash][:notice]?

Re: AWD page 106 "Trapping Erroneous Requests"? How far should we go?

BraveDave wrote:

Should I just be 'vulnerable' for people who want to mess with the application?

This isn't about vulnerability, this is about displaying an error message which is more helpful to the user. Generally you don't need to do this. It is possible to catch all of these error messages globally using rescue_actions_in_public in the ApplicationController if you want though.

BraveDave wrote:

P.S. Is Flash kept in the Session or not?

Yes, it's kept in the session.

BraveDave wrote:

If so, why isn't it called session[:flash][:notice]?

It's a little smarter than a simple hash. It needs to be automatically removed on the next request.

Railscasts - Free Ruby on Rails Screencasts
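The point made in the reply, that one global handler replaces a begin/rescue/else in every action, is easier to see with the four-level nesting from the question worked through. The following is an added example written for this thread, not code from the book, from the poster or from Rails itself: it uses plain-Ruby stand-ins (a RecordNotFound error, a Table with scoped finds, a rescue_from-style registry, a Flash that is swept per request) so it runs offline without Rails. Real Rails provides rescue_from in ActionController for this purpose; the registry below is only a toy version of that idea, and the sample tables are constructed data.

```ruby
# Added example, not code from the thread or from Rails: plain-Ruby stand-ins for
# the pieces under discussion so the "rescue once, globally" pattern runs offline.

# Stand-in for ActiveRecord::RecordNotFound.
class RecordNotFound < StandardError; end

# Stand-in for a model table: find by id, optionally constrained to its parent,
# raising the way ActiveRecord's find does for a bogus id such as "wibble".
class Table
  def initialize(name, rows)
    @name = name
    @rows = rows # { id => attributes }
  end

  def find(id, scope = {})
    row = @rows[id]
    if row.nil? || scope.any? { |key, value| row[key] != value }
      raise RecordNotFound, "Couldn't find #{@name} with id=#{id.inspect}"
    end
    row.merge(id: id)
  end
end

# The flash lives in the session but is swept at the start of each request, so a
# notice set in one request is visible on the next one and gone after that.
class Flash
  def initialize; @now = {}; @next = {}; end
  def [](key); @now[key]; end
  def []=(key, value); @next[key] = value; end
  def sweep!; @now, @next = @next, {}; end
end

# Stand-in controller base with a rescue_from-style registry (toy, not Rails').
class BaseController
  @handlers = []
  class << self
    attr_reader :handlers
    def rescue_from(klass, &block); @handlers << [klass, block]; end
    def inherited(subclass); subclass.instance_variable_set(:@handlers, handlers.dup); end
  end

  attr_reader :flash, :logger, :response

  def initialize(flash, logger)
    @flash = flash
    @logger = logger # an Array here, standing in for Rails' logger
  end

  # Run one action; an exception with a registered handler is routed to it.
  def process(action, params)
    @flash.sweep!
    send(action, params)
  rescue StandardError => e
    _, handler = self.class.handlers.find { |klass, _| e.is_a?(klass) }
    raise unless handler
    instance_exec(e, &handler)
  end

  def redirect_to(path)
    @response = [:redirect, path]
  end
end

# One handler here covers every nested lookup in every controller below it.
class ApplicationController < BaseController
  rescue_from(RecordNotFound) do |e|
    logger << "Attempt to access invalid record: #{e.message}"
    flash[:notice] = "Invalid record"
    redirect_to "/"
  end
end

# Constructed sample data for the project/ecase/item/tx nesting from the question.
PROJECTS = Table.new("Project", 1 => { name: "Alpha" }, 2 => { name: "Beta" })
ECASES   = Table.new("Ecase", 10 => { project_id: 1 }, 20 => { project_id: 2 })
ITEMS    = Table.new("Item", 100 => { ecase_id: 10 })
TXS      = Table.new("Tx", 1000 => { item_id: 100 })

class TxController < ApplicationController
  # Each lookup is scoped to its parent, so a child id that exists but belongs to
  # another parent is rejected exactly like a made-up id; no begin/rescue needed.
  def show(params)
    project = PROJECTS.find(params[:project_id])
    ecase   = ECASES.find(params[:ecase_id], project_id: project[:id])
    item    = ITEMS.find(params[:item_id], ecase_id: ecase[:id])
    tx      = TXS.find(params[:id], item_id: item[:id])
    @response = [:ok, tx]
  end
end

# Drive one request, then simulate the two requests after it to show the flash
# notice appearing exactly once (which is why it is not a plain session hash).
def run_request(params)
  flash = Flash.new
  logger = []
  controller = TxController.new(flash, logger)
  controller.process(:show, params)
  flash.sweep!
  notice = flash[:notice]
  flash.sweep!
  { response: controller.response, notice: notice, notice_later: flash[:notice], logger: logger }
end
```

Calling run_request with a valid chain of ids returns an :ok response and no notice; a bogus tx id, or an ecase id that exists but belongs to a different project, is caught by the single handler in ApplicationController, logged, redirected, and the notice survives only the one following request.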