Adding foreign key when creating new user

I have these tables...

ACCOUNTS
id
company_name

USERS
id
username
password
account_id (foreign key)

I have a create new user form. Each user is supposed to have an
account_id from an accounts table. Of course, on my user.rb model file I
have to validate for the presence of an account_id. How can I add the
account_id to the users table?

1) Maybe after logging in I store the account id on a session. Then,
when the user tries to add another user I grab it from the session?

2) Orrr... so I won't use a session, when the user tries to add another
user, I can query the user's row, get his account_id and then use it.

Which approach would work better?

Now, once I have the account id, how can I go about adding it at user
creation? At the users controller?

Leonel *.* wrote in post #949930:

> I have these tables...
>
> ACCOUNTS
> id
> company_name
>
> USERS
> id
> username
> password
> account_id (foreign key)
>
> I have a create new user form. Each user is supposed to have an
> account_id from an accounts table. Of course, on my user.rb model file I
> have to validate for the presence of an account_id. How can I add the
> account_id to the users table?

By setting it when you save the User object. The easiest way of doing
that is probably to have a hidden field in your user creation form,
assuming that the account ID is known at that time.

> 1) Maybe after logging in I store the account id on a session. Then,
> when the user tries to add another user I grab it from the session?
>
> 2) Orrr... so I won't use a session, when the user tries to add another
> user, I can query the user's row, get his account_id and then use it.

You don't need it separately in the session! If the current user is
only adding users to his own account, then you've already got the
account ID in the current user's info!

current_user.account.users.create :name => 'Another user'

> Which approach would work better?

Do you even need to ask? The latter approach is simpler and avoids
repetition. Always do the simplest and least repetitious thing
possible!

> Now, once I have the account id, how can I go about adding it at user
> creation? At the users controller?

Wherever the User object is created.

Best,

> You don't need it separately in the session! If the current user is
> only adding users to his own account, then you've already got the
> account ID in the current user's info!

Done.

  <div class="actions">
    <%= f.hidden_field :account_id, :value => @account_id %>
    <%= f.submit %>
  </div>

Leonel *.* wrote in post #949977:

> > You don't need it separately in the session! If the current user is
> > only adding users to his own account, then you've already got the
> > account ID in the current user's info!
>
> Done.
>
>   <div class="actions">
>     <%= f.hidden_field :account_id, :value => @account_id %>
>     <%= f.submit %>
>   </div>

Actually, if you've already got it from the current user, then you don't
even need the hidden field.

Best,

Does using hidden fields on a form allow for the possibility of
someone spoofing the data in the hidden fields that are posted back?

For instance, I have parent-child structure where I call
new_project_task(@project) which hits the tasks controller create
action, and on the page I do not want to show a field for the foreign
key (project_id) because I do not want the user to see or edit it.
However, if I leave the field off of the form, when the child record
is saved, the project_id is not saved on the record. So, I'm using a
hidden field to hold the foreign key value and it works properly
during post backs to get that value into the child task record.

However, if you view the page source that is rendered in the browser,
you can see the hidden field and the value, which makes me wonder if
this is a risky technique in case someone tried to monkey with the raw
HTML content before it was posted back. I don't personally know how
to hack web pages in this way, but I've heard it can be done.

So, is there a better Rails way of handling this?
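
An added example, not part of the original thread and not any poster's code: plain Ruby that contrasts copying the hidden `account_id` into the record with taking it from the logged-in user, and applies the same rule to the `project_id` parent-child case. The structs, method names and sample data are constructed for illustration; in a Rails app the equivalent is building through the association (as in `current_user.account.users.create`) and not accepting the foreign key as a form parameter.

```ruby
# Constructed stand-ins for the thread's tables; plain Ruby, no Rails needed.
User    = Struct.new(:id, :username, :account_id)
Project = Struct.new(:id, :account_id)
Task    = Struct.new(:name, :project_id)
class Forbidden < StandardError; end

PERMITTED_USER_FIELDS = %w[username password].freeze  # no account_id
PERMITTED_TASK_FIELDS = %w[name].freeze               # no project_id

# Before: the hidden field's value is copied straight into the record.
def create_user_from_hidden_field(form)
  User.new(nil, form["username"], Integer(form["account_id"]))
end

# After: the foreign key is taken from the logged-in user, never the request.
# Returns the new user plus the names of any submitted fields that were dropped.
def create_user_for(current_user, form)
  dropped = form.keys - PERMITTED_USER_FIELDS
  [User.new(nil, form["username"], current_user.account_id), dropped]
end

# Parent-child case: the project id arrives in the URL, which the client also
# controls, so the parent is looked up only among the caller's own projects.
def create_task_for(current_user, projects, project_id, form)
  project = projects.find do |p|
    p.id == Integer(project_id) && p.account_id == current_user.account_id
  end
  raise Forbidden, "project #{project_id} is not in this account" unless project
  Task.new(form.slice(*PERMITTED_TASK_FIELDS)["name"], project.id)
end

# Constructed sample data: alice is in account 1; project 20 belongs to account 2.
ALICE         = User.new(1, "alice", 1)
PROJECTS      = [Project.new(10, 1), Project.new(20, 2)].freeze
TAMPERED_FORM = { "username" => "mallory", "password" => "x", "account_id" => "2" }.freeze

if __FILE__ == $PROGRAM_NAME
  p create_user_from_hidden_field(TAMPERED_FORM).account_id
  user, dropped = create_user_for(ALICE, TAMPERED_FORM)
  p user.account_id, dropped
  p create_task_for(ALICE, PROJECTS, "10", { "name" => "Write spec" }).project_id
end
```

The list of dropped field names is returned so a caller can log requests that tried to set a foreign key the form never offered.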

> So, is there a better Rails way of handling this?

Since Marnen said "you don't even need the hidden field", I started
looking for an alternative. Seems like this worked for me.