Forms on both pages contain this code user_id in hidden input field:
<%= hidden_input f, :user_id %>
There could be beginners reading the book that wouldn’t understand why this is bad approach, so I suggest you don’t use the user_id from the params, but instead use the one from the current_user when saving survey data.
Agreed. I also found it pretty odd. This is how I did instead:
defp save_demographic(socket, params) do
params
|> assign_current_user_param(socket)
|> Survey.create_demographic()
|> case do
{:ok, demographic} ->
send(self(), {:created_demographic, demographic})
socket
{:error, %Ecto.Changeset{} = changeset} ->
assign(socket, :changeset, changeset)
end
end
defp assign_current_user_param(params, socket) do
Map.put(params, "user_id", socket.assigns.current_user.id)
end
Also got rid of the assignment and field entirely!
Another agreed here since hidden input fields are still visible client-side (in the code) so those values can be used by bad actors.
I did the same concept as @vrcca for save_demographic/2, and for save_rating/2:
For page 196, I removed the hidden input fields:
<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>
And modified save_rating/2 on page 199 to add user_id and product_id from the values already in the socket assigns (rather than from the hidden input field):
defp save_rating(
%{assigns: %{product_index: product_index, product: product}} = socket,
rating_params
) do
rating_params
|> add_user_id_param(socket)
|> add_product_id_param(socket)
|> Survey.create_rating()
|> case do
{:ok, %Rating{} = rating} ->
product = %{product | ratings: [rating]}
send(self(), {:created_rating, product, product_index})
socket
{:error, %Ecto.Changeset{} = changeset} ->
assign(socket, changeset: changeset)
end
end
defp add_user_id_param(rating_params, socket) do
Map.put(rating_params, "user_id", socket.assigns.current_user.id)
end
defp add_product_id_param(rating_params, socket) do
Map.put(rating_params, "product_id", socket.assigns.product.id)
end