Well, you can change your hidden_field to:
<%= hidden_field_tag :event_id, @event.id %>
And now in your controller, you can access that variable with:
Event.find(params[:event_id])
This should circumvent the mass-assign error. However, now any malicious user can edit that hidden field and add a video to any event he wishes. To fix this, you should find the event through an association. So if you have a current_user
or current_content_partner
, you should find the event like this:
current_content_partner.events.find(params[:event_id])
Now, a user is only able to access events he owns.