well i would suggest not to use a hidden field here ...
you can always identify the user adding a recipe through his session, as
shown in your first question.
so why add the name to the form?
1) It's prone to abuse by manipulating the sent username in the POST
arguments of the request
(not such a big deal in a recipe app i guess, but bad nonetheless)
2) to prevent this, you have to check if the sent username is the
username of the user currently logged in.
so why add it to the form at all?
@recipe = Recipe.new(params[:recipe])
@recipe.user_id = current_user.id
@recipe.username = current_user.login
- i added the user's id as it should be added for Model Relationships
- adding the username was therefore useless but i did it nonetheless.
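
Added example, not part of the original post: a plain-Ruby comparison of a create action that trusts the hidden username field with one that takes the owner from the session. Recipe, User, ALLOWED_FIELDS, the two create_* helpers and the sample request are hypothetical stand-ins for the Rails model, controller and params, so it runs without Rails.

```ruby
# Added example: plain Ruby stand-ins for the Rails pieces (no Rails required).
# Recipe, User, ALLOWED_FIELDS and both create_* helpers are hypothetical names.
Recipe = Struct.new(:title, :body, :user_id, :username, keyword_init: true)
User   = Struct.new(:id, :login, keyword_init: true)

# Only these form fields may come from the client.
ALLOWED_FIELDS = %w[title body].freeze

# "Before": the form carries the username in a hidden field and the
# action copies every submitted field into the record.
def create_trusting_form(params)
  attrs = params.fetch("recipe", {}).transform_keys(&:to_sym)
  Recipe.new(**attrs)
end

# "After": owner fields never come from the request; they are taken from
# the logged-in user resolved from the session.
def create_from_session(params, current_user)
  raise ArgumentError, "login required" if current_user.nil?

  submitted = params.fetch("recipe", {})
  attrs = submitted.slice(*ALLOWED_FIELDS).transform_keys(&:to_sym)
  recipe = Recipe.new(**attrs)
  recipe.user_id  = current_user.id
  recipe.username = current_user.login
  recipe
end

# Constructed sample request: the session belongs to "alice", but the
# submitted owner fields name someone else.
def sample_params
  { "recipe" => { "title" => "Pancakes", "body" => "Mix and fry.",
                  "username" => "bob", "user_id" => "2" } }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 1, login: "alice")
  puts create_trusting_form(sample_params).username        # bob
  puts create_from_session(sample_params, alice).username  # alice
end
```

Dropping the owner fields from the accepted parameters also removes the need for the "does the sent username match the logged-in user" check from point 2.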