Assuming your associations are kosher and notes are never created without a parent property, I'd rely on Rails Magic(tm) to do the note create via the Property model and leave the session alone altogether:

notes_controller:

    def create
      @note = Property.find(params[:id]).notes.create(params[:note])
      ...
    end

Once you're back in the view, you can still get the property via the reflexive association in @note via @note.property

-eric

On Nov 17, 12:30 pm, "Todd A. Jacobs" <tjacobs-sndr- [email protected]> wrote:
> I have a problem with the way I'm currently propagating the object id
> from the current view to child objects. Right now, I'm doing this:
>
>     # properties_controller.rb
>     def show
>       @property = Property.find(params[:id])
>       session[:property] = params[:id]
>       # snipped for brevity
>     end
>
>     # notes_controller.rb
>     def create
>       @note = Note.new(params[:note])
>       @note.property_id = session[:property]
>       # snipped for brevity
>     end
>
> This populates the foreign key in the note with the parent object's id.
>
> This works so far as it goes, but there's a problem here. Basically, if
> more than one browser window is open at a time, then the
> @note.property_id is set to whatever window was opened last, rather than
> using the id from the property view that linked to the create
> action. This can result in notes being assigned to the wrong
> property--ugh!
>
> How can I *safely* propagate the property.id to note.property_id if I'm
> not using a nested form? I don't want to pass it as a hidden form field
> (vulnerable to tampering by the client), and I can't necessarily trust
> request.referer either, except possibly to validate whether the session
> value matches the referer.
>
> I can't be the first person to encounter this sort of issue. What is a
> good rails-centric way of doing this securely?
>
> --
> "Oh, look: rocks!"
> -- Doctor Who, "Destiny of the Daleks"
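Added example, not part of the thread and not code from either poster: one way to carry the property id in each form without trusting the client is to send it with an HMAC tag bound to the session, so every window keeps its own id and an edited id fails verification. The helper names, the `--` separator and the secret below are assumptions made for illustration, written in plain Ruby so it runs outside Rails.

```ruby
require "openssl"

# Assumption: a server-side secret. In a real application it comes from the
# app's secret configuration, never from source code.
SECRET = "constructed-demo-secret"

# Hypothetical helper, called when the property page renders its note form.
# The tag covers both the property id and the session that was shown it.
def sign_property_id(property_id, session_id)
  tag = OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{property_id}:#{session_id}")
  "#{property_id}--#{tag}"
end

# Constant-time comparison, so the tag check does not leak matching
# prefixes through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper, called in the create action with the submitted field.
# Returns the Integer property id when the tag is valid, nil otherwise.
def verify_property_token(token, session_id)
  id_part, tag = token.to_s.split("--", 2)
  return nil unless id_part.to_s.match?(/\A\d+\z/) && tag
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{id_part}:#{session_id}")
  secure_compare(tag, expected) ? id_part.to_i : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: two windows open in one session, on properties 7 and 9.
  window_a = sign_property_id(7, "sess-a")
  window_b = sign_property_id(9, "sess-a")
  p verify_property_token(window_a, "sess-a")                 # each window keeps its own id
  p verify_property_token(window_b, "sess-a")
  p verify_property_token(window_a.sub(/\A7/, "9"), "sess-a") # id edited by the client
  p verify_property_token(window_a, "sess-b")                 # token replayed in another session
end
```

A valid tag only proves the server issued that id to that session; whether the logged-in user may add notes to the property is still a separate authorization check on the lookup.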

