Wednesday, 25 February 2015

Securely passing hidden id for nested forms on Rails

I have User and Profile models. User has_one Profile, which belongs_to User. Profile also accepts_nested_attributes_for :user, and I am building a form for Profile which takes some attributes for user too.

In order to have my profile.user updated (not created), I must provide an id under the nested attributes for the user form, which I do through a hidden input.

The problem is that I don't think this is safe, because one might change the id on the client side and the server would update another user instance, other than the profile's one.

To avoid this, on Profile's controller, I manually append the id for user_attributes on params which corresponds to the current_user.id, but I think that's not the best way to do it.

Is there any other way to ensure that Rails will be updating the actual profile's user or, in case the client supplies a user id different from its profile.user, it would prevent it?
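The check the question describes, written out as an added example in plain Ruby (this is not code from the original post, and it is not Rails's own API): the incoming params are modelled as an ordinary Hash instead of ActionController::Parameters so the example runs without Rails, the attribute whitelists (`bio`, `website`, `name`, `email`) are assumed, and the `strict:` flag is an invented switch between two policies. Both policies pin the nested user id to the authenticated user; the strict one additionally refuses a request whose hidden id was tampered with, so the attempt surfaces as an error the application can log rather than being silently corrected.

```ruby
# Added example, not from the original question. Whitelists are assumptions.
PERMITTED_PROFILE_KEYS = %w[bio website].freeze
PERMITTED_USER_KEYS    = %w[name email].freeze   # note: "id" is deliberately absent

# Raised when the client-supplied nested user id is not the current user's.
class ForeignUserIdError < StandardError; end

# Whitelist the profile attributes and the nested user attributes, then set the
# nested user id from the server-side session, never from the request body.
#   strict: true  -> raise if the client sent a different id (tamper attempt)
#   strict: false -> silently overwrite it (the approach the question already uses)
def secure_profile_params(raw_params, current_user_id, strict: true)
  profile = raw_params.fetch("profile", {})
  clean   = profile.slice(*PERMITTED_PROFILE_KEYS)

  if profile.key?("user_attributes")
    user_attrs  = profile["user_attributes"]
    supplied_id = user_attrs["id"]

    if strict && supplied_id && supplied_id.to_s != current_user_id.to_s
      raise ForeignUserIdError,
            "nested user id #{supplied_id} does not match current user #{current_user_id}"
    end

    # slice drops "id" and anything else not whitelisted (e.g. an injected "admin"),
    # then the trusted id is merged in last so it always wins.
    clean["user_attributes"] =
      user_attrs.slice(*PERMITTED_USER_KEYS).merge("id" => current_user_id)
  end

  clean
end
```

In a Rails controller the same logic sits after `params.require(:profile).permit(...)`, with `current_user.id` as the second argument. A model-side alternative that avoids a client-supplied id altogether is `accepts_nested_attributes_for :user, update_only: true`, which tells Rails to update the existing associated record without needing the hidden `id` field; whichever route is taken, the nested id should never be something the client can choose.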

