as the user is available in the controller directly through a method,
there is no need to use a hidden field or pass it with the form in any
other way. Besides, this would enable users to play with the form data
and e.g. post comments under another user's id.
Instead, use this approach:
@comment = current_user.comments.build(params[:comment])
# .... and so on, usual stuff
By building the object through the association's #build method, the
user_id column is automatically filled in, and for the user there is
no way of hacking another id into this.
This approach should be used in other similar situations with nested
resources as well. It makes the code cleaner and more secure in