such, as this one: <%= link_to "Add to my wishlist", new_wish_path()
%>
and the user would be presented with a Wish form (fields showing:
Note, Status, whilst other fields: item_id and user_id would not be
shown)
User would submit the form and the wish would be created.
One thing, I would prefer not to use hidden fields with pre-populated
item_id and user_id as I understand these can be tempered with fairly
easily.
I'm not entirely sure what your question is but ... You can certainly
add extra parameters to new_wish_path (for example :item_id =>
@item.id).
An alternative design is to have a nested resource where you instead
have a path helper called new_item_wish_path(@item). All this changes
is the url that your user sees, in the first case it would be
something along the lines of wishes/new?item_id=xxx in the second case
it would be items/xxx/wishes/new
You are entirely right about hidden fields being easily tampered with
- you can't trust anything you receive from a user. Typically the user
would be logged in so you would have some concept of the current user
and you would create the wish for that user. If you need to restrict
which items a wish can be created for then it's up to you to perform
that check at the point at which you create the wish.