Ruby on Rails

Does it make sense to not have this hidden_field in the form but instead add this info inside the controller while saving the object? For instance: 

Response.new(response_params)

def response_params

  params.require(:response).permit(:response_text).merge(user_id: current_user.id)

end

On Fri, Jul 31, 2015 at 4:37 AM, Colin Law <cla...@gmail.com> wrote:

On 30 July 2015 at 23:06, Scott Goci <sco...@gmail.com> wrote:
> At the end of my email, I do just that -- you notice that in the params I
> suggest, there is no user_id present, and instead I break apart the params
> and inject the user_id more manually, but breaking out the params seems
> messy to validate against, so I'm wondering if there is a more "cleaner"
> method of doing it.

That is not quite what I was suggesting, your question indicated you
were happy with the hidden field concept, apart from the fact that
someone might inject a false id.  My suggestion was to use the hidden
field but then to verify it against current_user in the controller.
So just one test to insert in the controller.

Colin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CAL%3D0gLumg6ZRnRutgEa-f6KFbT3oZ4B%3Da9fLkgZEsp_x8EuotQ%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Fernando Kakimoto
http://www.twitter.com/nandokakimoto