Multiple object form parameter hash and post data manipulation check

My apologies if this is a duplicate, but I have tried to post three times now, and yet it does not appear???

Hi all,

Having created a form for an Exercise that has many Questions, which in turn have many Answers, the params hash being returned has the ids correctly constructed for the Questions and Answers objects, but the id is not included for the parent Exercise, nor is the hierarchy represented in the returned hash (see below).

The first problem prevents the use of the Class.update(params[:object].keys, params[:object].values) method, but can be overcome by passing around the Exercise id, finding the object from the db, and then using the object's update_attributes method. The questions and answers objects are still able to be updated with the class update method. The returned params are as follows.

{"commit"=>"Action 1", "questions"=>{"86"=>{"name"=>"Another new question name", "text"=>"Another new question text"}}, "id"=>"98", "exercise"=>{"name"=>"This is another new exercise 11", "exhibit_type"=>"", "difficulty"=>"", "instructions"=>"", "keywords"=>""}, "answers"=>{"200"=>{"text"=>"Answer 1 text"}, "201"=>{"text"=>"Answer 2 text"}}}

Is this the correct approach? Is there a way to get the exercise id constructed correctly in the exercise hash to allow the Exercise update method to be used? Further, should I expect to be able to code such that the hierarchy is represented in the returned params such that I can rely on the construct to establish the relationships between the questions and exercise, and the answers and their corresponding questions? Something like this.

{"commit"=>"Action 1", "exercise"=>
     {"98"=>{"name"=>"This is another new exercise 11",
                   "exhibit_type"=>"",
                   "difficulty"=>"",
                   "instructions"=>"",
                   "keywords"=>""},
                   "questions"=>
                        {"86"=>{"name"=>"Another new question name",
                                "text"=>"Another new question text"},
                                "answers"=>
                                       {"200"=>{"text"=>"Answer 1 text"},
                                        "201"=>{"text"=>"Answer 2 text"}}
                        {"87"=>{"name"=>"Another new question name",
                                "text"=>"Another new question text"},
                                "answers"=>
                                       {"202"=>{"text"=>"Answer 1 text"},
                                        "203"=>{"text"=>"Answer 2 text"}}}

In a somewhat related question, what methods exist to prevent users from constructing HTTP posts that update records for which they do not have authorization? In other words, given my current blind update of record IDs from a post, what is to stop someone from constructing a post with a different id, thereby updating/corrupting records of their choice? Is there something inherent in Rails that can prevent this, or do I need to track the ids of objects server side, making sure the ID that is returned by the client side is the same as the one they started working with?

Thanks.
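
One way to do the server-side check asked about in the last paragraph, as an added example that is not part of the original post: every submitted id is matched against the relationships the server already holds for the exercise the current user owns, and the whole request is rejected if any id falls outside them. The in-memory EXERCISES and QUESTIONS tables, the owner field and the function names are assumptions for illustration; in a Rails app the same effect comes from finding records through the owner's associations rather than by bare id.

```ruby
# Constructed in-memory stand-in for the database (not the poster's schema):
# exercise id => owner and question ids; question id => answer ids.
EXERCISES = {
  98 => { owner: "alice", questions: [86, 87] },
  99 => { owner: "bob",   questions: [90] }
}.freeze
QUESTIONS = { 86 => [200, 201], 87 => [202, 203], 90 => [300] }.freeze

class NotAuthorized < StandardError; end

# Returns the updates that may be applied, or raises if any submitted id
# falls outside the exercise the current user owns. Ids from the client are
# only accepted after being matched against server-side relationships.
def authorized_updates(params, current_user)
  exercise_id = Integer(params.fetch("id"), 10)
  exercise = EXERCISES[exercise_id]
  raise NotAuthorized, "exercise" unless exercise && exercise[:owner] == current_user

  allowed_q = exercise[:questions]
  allowed_a = allowed_q.flat_map { |q| QUESTIONS.fetch(q, []) }

  questions = check_ids(params.fetch("questions", {}), allowed_q, "question")
  answers   = check_ids(params.fetch("answers", {}), allowed_a, "answer")
  { exercise: { exercise_id => params.fetch("exercise", {}) },
    questions: questions, answers: answers }
rescue ArgumentError, TypeError, KeyError
  # Missing or non-numeric ids are treated the same as foreign ids.
  raise NotAuthorized, "malformed id"
end

# Converts each submitted key to an integer and checks it against the
# allowlist derived from the owned exercise.
def check_ids(submitted, allowed, kind)
  submitted.each_with_object({}) do |(raw_id, attrs), out|
    id = Integer(raw_id, 10)
    raise NotAuthorized, "#{kind} #{id}" unless allowed.include?(id)
    out[id] = attrs
  end
end

# The params hash from the post, trimmed to the fields used here.
POSTED = {
  "id" => "98",
  "exercise" => { "name" => "This is another new exercise 11" },
  "questions" => { "86" => { "name" => "Another new question name" } },
  "answers" => { "200" => { "text" => "Answer 1 text" }, "201" => { "text" => "Answer 2 text" } }
}.freeze
```

This covers which records may be touched; which attributes of each record a client may set is a separate allowlist.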