Multiple object form parameter hash and post data manipulati

My apologies if this is a duplicate, but I have tried to post three
times now, and yet it does not appear???

Hi all,

Having created a form for an Exercise that has many Questions, which
in turn has many Answers, the params hash being returned has the id’s
correctly constructed for the Questions and Answers objects, but the
id is not included for the parent Exercise, nor is the hierarchy
represented in the returned hash (see below).

The first problem prevents the use of the Class.update
(params[:object].keys, params[:object].values) method, but can be
overcome by passing around the Exercise id, finding the object from
the db, and then using the objects update_attributes method. The
questions and answers objects are still able to be updated with the
class update method. The returned params are as follows.

{“commit”=>“Action 1”,
“questions”=>{“86”=>{“name”=>“Another new question name”,
“text”=>“Another new question text”}},
“exercise”=>{“name”=>“This is another new exercise 11”,
“answers”=>{“200”=>{“text”=>“Answer 1 text”},
“201”=>{“text”=>“Answer 2 text”}}}

Is this the correct approach? Is there a way to get the exercise id
constructed correctly in the exercise hash to allow the Exercise
update method to be used? Further, should I expect to be able to code
such that the hierarchy is represented in the returned params such
that I can rely on the construct to establish the relationships
between the questions and exercise, and the answers and their
corresponding questions? Something like this.

{“commit”=>“Action 1”,
{“98”=>{“name”=>“This is another new exercise 11”,
{“86”=>{“name”=>“Another new question name”,
“text”=>“Another new question text”},
{“200”=>{“text”=>“Answer 1
“201”=>{“text”=>“Answer 2
{“87”=>{“name”=>“Another new question name”,
“text”=>“Another new question text”},
{“202”=>{“text”=>“Answer 1
“203”=>{“text”=>“Answer 2

In a somewhat related question, what methods exist to prevent users
from constructing http posts that update records for which they do not
have authorization? In other words, given my current blind update of
record ID’s from a post, what is to stop someone from constructing a
post with different id thereby updating/corrupting records of their
choice? Is there something inherent in Rails that can prevent such or
do I need to track id of objects server side making sure the ID that
is returned by the client side is the same as they started working