In addition to using post as mentioned in the answer from palainum above, if needed, you could add a string (instead of an ID) in any place in your game where the URL could be edited and is visible.
Background - I had a similar problem in one of my apps (where if a URL was changed people could deduce / edit the number and cheat). The way I overcame it was to generate a unique code for the item in the URL.
To do this, I would add a string attribute to Winning
model called url_code
, make it required and indexable:
add_column :winning, string :url_code, :null => false, :index => true
in your model add an after_initialize
callback:
Class Winning
validates :url_code, :uniqueness => true
after_initialize :create_url_code
def create_url_code
self.url_code=SecureRandom.hex(4) if self.url_code.nil?
end
And use that as a parameter in the cases using an ID is a problem (similar to this in your controller)...
@winning = Winning.find_by_url_code(params[:id])
Also, you could do the same thing for your users URL (or if you need to display it every in URL) by using the user.name as a friendly_id.
edit - just fixed a typo where I had offer_code instead of url_code.