I have a Rails app where users can assign tasks to each other. Every task has one assigner and one executor. By default the task creator (current_user) is always the assigner.
def task_params
  params.require(:task).permit(:executor_id, :name, :content, :deadline, :task_name_company).merge(assigner_id: current_user.id)
end
You are setting the assigner id to current_user every time you pass in the params.
I would remove the merge, and just have strong params like this:
params.require(:task).permit(:executor_id, :name, :content, :deadline, :task_name_company, :assigner_id)
Then, in your create action, before you do:
@task.save
Add this:
@task.assigner_id = current_user.id
Then you can define your permissions however you choose (must be assigner, must be executor), but as long as you don't add anything crazy to update, it'll work fine.
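How the permit list behaves on an update action, as an added example that is not part of the original answer or the asker's application. It uses a plain-Ruby stand-in for strong parameters (the `permit` helper, the `Task` struct and the request hashes are constructed for illustration) to show that once `:assigner_id` is permitted, an update can overwrite the assigner unless update uses a list without it.

```ruby
# Plain-Ruby stand-in for strong parameters (constructed; no Rails needed).
# permit() mimics params.require(:task).permit(...): unlisted keys are dropped.
def permit(params, *allowed)
  params.fetch(:task).slice(*allowed)
end

EDITABLE = %i[executor_id name content deadline task_name_company].freeze

# Hypothetical in-memory Task standing in for the ActiveRecord model.
Task = Struct.new(:assigner_id, :executor_id, :name, :content, :deadline,
                  :task_name_company, keyword_init: true) do
  def assign(attrs)
    attrs.each { |key, value| self[key] = value }
    self
  end
end

# create: the assigner always comes from the session, never from the request.
def create_task(params, current_user_id)
  task = Task.new.assign(permit(params, *EDITABLE))
  task.assigner_id = current_user_id
  task
end

# update with :assigner_id in the permit list (the list from the answer above):
# whatever id the client submits is written to the record.
def update_permissive(task, params)
  task.assign(permit(params, *EDITABLE, :assigner_id))
end

# update with assigner_id left out of the permit list: a submitted
# assigner_id is silently dropped and the original assigner is kept.
def update_strict(task, params)
  task.assign(permit(params, *EDITABLE))
end

# Constructed request bodies: user 1 creates a task, and a later update
# carries an extra assigner_id field.
create_req = { task: { executor_id: 2, name: "Report", assigner_id: 99 } }
update_req = { task: { name: "Report v2", assigner_id: 99 } }

loose  = update_permissive(create_task(create_req, 1), update_req)
strict = update_strict(create_task(create_req, 1), update_req)
puts "permissive update -> assigner_id=#{loose.assigner_id}"
puts "strict update     -> assigner_id=#{strict.assigner_id}"
```

In a Rails controller the same split is usually two private methods, one permit list for create and one for update, with `assigner_id` set from `current_user` in create only.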