ruby on rails - Can a params field that is not part of params.require.permit be modified by the user?


If I have nested resources, such as

    resources :club do
      resources :agenda
    end

and the relationships are as follows:

    Club   has_many   :agendas
    Agenda belongs_to :club

If the agenda's create action takes in params[:club_id] to assign the agenda's club reference, is it safe to assume that the user cannot modify this field (since club_id is not part of params.require.permit)?

What I mean is: do I still need to check whether the club_id belongs to the current user before creating the agenda with params[:club_id], or can I trust that params[:club_id] cannot be tampered with by the user?

I'm worried that a user could create an agenda for a club by modifying the params hash.

FYI, the related gems I'm using are devise and cancan.

The first thing you need to do is read up on authorization (great Railscast here).


System

Then you need to ensure your system is set up correctly:

If users should not be able to modify specific resources, you need authorization before they're able to edit / submit them. For this, you can use the cancan gem to determine whether the user can edit / create a resource at the controller level:

    #app/controllers/agendas_controller.rb
    load_and_authorize_resource

This firstly ensures you're able to determine whether the current_user is able to change the club to begin with.


Params

The second thing is to ensure the params are handled correctly.

Strong params allows you to send specific params through to the model, and this includes club_id.

The problem you have is that you don't want someone injecting a different param after the form has been submitted. To prevent this, you should only assign club_id in the controller - ensuring the front-end cannot set the value:

    params.require(:agenda).permit(:your, :params).merge(club_id: params[:club_id])

By setting the value in the controller, the server controls the value, allowing you to submit accordingly.

This, coupled with front-end authorization, should provide a base level of security for your app.
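The two controls from the answer, as an added plain-Ruby example (not code from the original question or answer): `permit` is a Hash#slice stand-in for ActionController::Parameters#permit, the ownership check stands in for what CanCan's `load_and_authorize_resource` would enforce, and the users and clubs are constructed sample data. It shows that the merge drops a `club_id` smuggled into the form body but does nothing about the `:club_id` URL segment, which still needs authorization.

```ruby
# Added example, not from the original post. Stand-in objects for the
# Rails models; the club ownership data below is constructed.
User = Struct.new(:id)
Club = Struct.new(:id, :owner_id)

# Constructed fixture: club 5 belongs to user 1, club 7 belongs to user 2.
CLUBS = { 5 => Club.new(5, 1), 7 => Club.new(7, 2) }.freeze

class NotAuthorized < StandardError; end

# Imitates params.require(:agenda).permit(*keys): only whitelisted keys
# survive, so a club_id placed in the form body is silently dropped.
def permit(body_params, *keys)
  body_params.fetch(:agenda).slice(*keys)
end

# Builds the attribute hash the controller would pass to Agenda.create.
#   route_params: from the nested URL /club/:club_id/agenda (attacker-chosen URL)
#   body_params:  the submitted form hash (fully attacker-controlled)
def agenda_attributes(current_user, route_params, body_params)
  club = CLUBS.fetch(route_params[:club_id]) { raise NotAuthorized, 'no such club' }

  # The merge below only fixes *which* source club_id comes from; the URL
  # segment itself must still be authorized against the current user.
  unless club.owner_id == current_user.id
    raise NotAuthorized, "club #{club.id} is not owned by user #{current_user.id}"
  end

  permit(body_params, :title).merge(club_id: route_params[:club_id])
end
```

Posting `agenda[club_id]=7` to `/club/5/agenda` yields `club_id: 5`; posting the same body to `/club/7/agenda` is refused by the ownership check, not by the merge.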

