In my application I have a course model that belongs to three other models: user, subject, and student_level (they include has many in model descriptions).
To be able to create a course, I declared foreign keys for two models in course model as attr_accessible.
class Course < ActiveRecord::Base
attr_accessible :objectives, :title, :subject_id, :student_level_id
belongs_to :user
belongs_to :subject
belongs_to :student_level
This is my _fields.html.slim file for creating a course:
= render 'shared/error_messages', object: f.object
= f.label :title, t("activerecord.attributes.course.title")
= f.text_field :title
= f.label :subject_id, t("activerecord.attributes.subject.title")
= f.collection_select(:subject_id, Subject.all, :id, :title_for_select)
= f.label :student_level_id, t("activerecord.attributes.student_level.title")
= f.collection_select(:student_level_id, StudentLevel.all, :id, :title_for_select)
= f.label :objectives, t("activerecord.attributes.course.objectives")
= f.text_area :objectives, rows: 15, cols: 10
And this is my new method in courses_controller.rb
#GET /courses/new
def new
@course = current_user.courses.new
# @subjects = Subject.all
# @student_levels = StudentLevel.all
end
Above code shows that I am mass-assigning subject and student level attributes.
What is bothering me, is that in Hartl's Ruby on Rails Tutorial for version 3.2 (for example, p. 536, listing 10.7) these foreign keys should be protected. And there is an example for protected foreign key assignment.
Right now everything works fine. Also, my config/application.rb contains
config.active_record.whitelist_attributes = true
Right now if I remove subject_id and student_level_id from attr_accessible (so they become protected), the application gives
ActiveModel::MassAssignmentSecurity::Error in CoursesController#create
Can't mass-assign protected attributes: subject_id, student_level_id
My question: what is the best practice when creating an entity with two foreign keys, is there a way to create/edit without exposing foreign keys as attr_accessible for mass-assignment?
Thank you very much!
UPDATE:
#POST /courses/
def create
@course = current_user.courses.new(params[:course])
if @course.save
flash[:success] = t("messages.course_created")
redirect_to @course
else
render 'new'
end
end