Is it necessary?


#1

Hi, I’ve a simple question. I’m developing a simple application in which
I have users and news controllers plus models (users and news). A news
item has a user, which must exist. To write a news item the user must be
logged in, and when he sends the news I create it, setting news.user_id =
session[:user_id]
OK, I think that is correct for now.
But the real question is: I now have in the news validation something like
this:
errors.add(:user_id, 'is not valid') if !self.user
Do you think it is necessary? I don’t know, because I set it in the
controller, but is it possible in some other way (with a self-made form)
to send the form with a different user_id (I set it before creating the
object, so I think it is impossible, but I don’t know)?


#2

errors.add(:user_id, 'is not valid') if !self.user
Do you think it is necessary? I don’t know, because I set it in the
controller, but is it possible in some other way (with a self-made form)
to send the form with a different user_id (I set it before creating the
object, so I think it is impossible, but I don’t know)?

Setting the user from the session should be safe. Session data cannot
be manipulated by spoofing a form. But it’s a good idea for the model
to validate the presence of a user_id. You can do this with
validates_presence_of (easier than writing a custom validation).

validates_presence_of :user_id

Aaron
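
The scenario discussed in this thread, as an added example that is not part of the original posts: a hand-made form submits its own user_id, the controller overwrites it from the session, and the model check rejects a news item with no user. It is a plain-Ruby stand-in for the Rails pieces so it runs without Rails; `USERS`, the `News` class and `create_news` are hypothetical names made up for the illustration.

```ruby
# Constructed sample data standing in for the users table.
USERS = { 1 => "alice", 2 => "bob" }.freeze

class News
  attr_accessor :title, :user_id
  attr_reader :errors

  def initialize(attrs = {})
    @errors = []
    # Mimics mass assignment: every submitted key is copied onto the object,
    # including a user_id that a hand-made form might carry.
    attrs.each { |key, value| public_send("#{key}=", value) }
  end

  # Stand-in for the association lookup (self.user in the question).
  def user
    USERS[user_id]
  end

  # Same intent as the check in the question: a news item must have a user.
  def valid?
    @errors = []
    @errors << "user_id is not valid" if user.nil?
    @errors.empty?
  end
end

# Controller-style action. The params come from the client and are untrusted;
# the session is kept server-side and is the only source used for the owner.
def create_news(params, session)
  news = News.new(params)
  # Assign after building from params, so a submitted user_id never survives.
  news.user_id = session[:user_id]
  news.valid?
  news
end

# Constructed requests: the form claims user 2, the session says user 1.
FORGED_PARAMS = { "title" => "hello", "user_id" => 2 }.freeze
logged_in = create_news(FORGED_PARAMS, { user_id: 1 })
anonymous = create_news(FORGED_PARAMS, {})

puts "logged in: owner=#{logged_in.user_id} errors=#{logged_in.errors.inspect}"
puts "anonymous: owner=#{anonymous.user_id.inspect} errors=#{anonymous.errors.inspect}"
```

Without the assignment from the session, the object built from the forged params alone would keep the submitted user_id, which is why the controller line and the model check complement each other.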