adding an item to a list of wishes - noobie question on link_to helper

Hi,
I'm a new kid here. Hello!

Have a question, regarding my favourite web framework:

I have a User, Item and Wish models.

User has many Items and Wishes
Item has many Wishes
Wish belongs to User and Item

ItemsController

  def show
    @item = Item.find(params[:id])
  end

WishesController

  def new
    @wish = current_user.wishes.build
  end

  def create
    @wish = current_user.wishes.new(params[:wish])
    if @wish.save
      redirect_to wishes_url, :notice => "Wish added!"
    else
      render :action => 'new'
    end
  end

From the Items show.html.erb template, I would like the user to be able to
click a link such as this one:

<%= link_to "Add to my wishlist", new_wish_path() %>

and the user would be presented with a Wish form (fields showing:
Note, Status, whilst other fields: item_id and user_id would not be
shown)

User would submit the form and the wish would be created.

One thing, I would prefer not to use hidden fields with pre-populated
item_id and user_id as I understand these can be tampered with fairly
easily.

Hope you can help.
Thanks!
Piotr

I'm not entirely sure what your question is but ... You can certainly
add extra parameters to new_wish_path (for example :item_id =>
@item.id).
An alternative design is to have a nested resource where you instead
have a path helper called new_item_wish_path(@item). All this changes
is the url that your user sees, in the first case it would be
something along the lines of wishes/new?item_id=xxx in the second case
it would be items/xxx/wishes/new

You are entirely right about hidden fields being easily tampered with
- you can't trust anything you receive from a user. Typically the user
would be logged in so you would have some concept of the current user
and you would create the wish for that user. If you need to restrict
which items a wish can be created for then it's up to you to perform
that check at the point at which you create the wish.

Fred
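
The advice above, as an added example that is not part of the original thread: a plain-Ruby model (no Rails loaded) of a create action behind the nested route items/:item_id/wishes, where the user comes from the session, the item is looked up and checked on the server, and only the visible form fields are copied. All names here (create_wish, FORM_FIELDS, ITEMS, the wishable flag) are hypothetical, and the wishable rule stands in for whatever restriction the application needs.

```ruby
# Fields the wish form may set; anything else in the submission is ignored.
FORM_FIELDS = %w[note status].freeze

Wish = Struct.new(:user_id, :item_id, :note, :status)

# Constructed sample data standing in for the items table.
ITEMS = {
  1 => { name: "Teapot", wishable: true },
  2 => { name: "Retired item", wishable: false }
}.freeze

# Models WishesController#create for items/:item_id/wishes.
# `params` is untrusted request input; `current_user_id` comes from the
# server-side session, never from the form.
def create_wish(params, current_user_id)
  raise ArgumentError, "not logged in" if current_user_id.nil?

  # The item id arrives in the URL, so it is still user input:
  # parse it strictly and look the item up on the server.
  item_id = Integer(params["item_id"].to_s, 10, exception: false)
  item = ITEMS[item_id]
  return [:not_found, nil] if item.nil?

  # Hypothetical restriction: perform the check at creation time.
  return [:forbidden, nil] unless item[:wishable]

  # Copy only whitelisted form fields. A user_id or item_id smuggled
  # into params["wish"] is dropped here.
  raw = params["wish"].is_a?(Hash) ? params["wish"] : {}
  form = raw.select { |key, _| FORM_FIELDS.include?(key) }

  [:created, Wish.new(current_user_id, item_id, form["note"], form["status"])]
end
```

In a real Rails application the same three decisions map to building the wish through current_user.wishes, finding the item from params[:item_id], and restricting which attributes of params[:wish] can be assigned.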