I'll try to explain this as thoroughly as possible. I'm trying to figure out what the best way of passing existing data that should not be tampered with as a hidden value through a form -- or if there is a better way to send data on rails to a new "create" method.
Basically what I'm trying to achieve is, first a transaction created and stores group_id, owner_id, user_id, message and status. Then when the user "accepts" the request, a new transaction is created with basically all the same information (group_id, owner_id, and user_id), except the status and message can be changed.
So here's how the flow goes:
A user first creates a request as such:
Request.create("gid" => 1, "user_id" => 2, "owner_id" => 4, "message" => "Bla Bla", "status" => 'pending')
Then the owner of that request views that request, and is able to accept or reject the transaction. Bare in mind, all the requests are in the same page, so there will be many accepts, and rejects on the same page, but each is iterated through the @request = Requests.where(:owner_id => 4).
The problem with hidden input is that you can tamper with it easily to change columns you aren't supposed to. What I'm trying to figure out is, if there is a way to pass the values into the accept method, with both new (message) and old (group_id, user_id, owner_id) to create a new row with?
The new transaction will basically be as such:
Request.accept("gid" => ori_trans, "user_id" => ori_trans, "owner_id" => ori_trans, "message" => "New Message", "appointment" => ori_trans, "status" => 'accepted')
def accept
@request = Request.new(request_params)
@request.status = 'accepted'
@request.expert_id = current_user.id
respond_to do |format|
if @request.save
format.html { redirect_to @request, notice: 'Request was successfully created.' }
format.json { render action: 'show', status: :created, location: @request }
else
format.html { render action: 'new' }
format.json { render json: @request.errors, status: :unprocessable_entity }
end
end
end
def request_params
params.require(:request).permit(:gid, :user_id, :message)
end
Problem with whitelisting GID and user_id is that users can temper with forms to allow for this field to be changed. Ideally, I'd only want to permit :message to come through from the params.
Hope this explains what I'm trying to do - let me know if you have any suggestions.