Another agreement here: hidden input fields are still visible client-side (in the page source), so those values can be tampered with by bad actors.
I applied the same idea as @vrcca to save_demographic/2, and also to save_rating/2:
For page 196, I removed the hidden input fields:
<%= hidden_input f, :user_id%>
<%= hidden_input f, :product_id%>
And I modified save_rating/2 on page 199 so that user_id and product_id are added from the values already in the socket assigns (rather than from the hidden input fields):
# Persists a rating for the product currently held in the socket assigns.
#
# The user id and product id are stamped onto the params from the assigns
# before the changeset is built, so whatever the client submitted for those
# keys is replaced rather than trusted. On success the updated product is
# sent to the current process (in a LiveComponent this is presumably the
# parent LiveView, handled by a handle_info clause elsewhere — confirm);
# on failure the changeset is assigned so the form can render its errors.
defp save_rating(
       %{assigns: %{product_index: product_index, product: product}} = socket,
       rating_params
     ) do
  params =
    rating_params
    |> add_user_id_param(socket)
    |> add_product_id_param(socket)

  case Survey.create_rating(params) do
    {:ok, %Rating{} = rating} ->
      updated_product = %{product | ratings: [rating]}
      send(self(), {:created_rating, updated_product, product_index})
      socket

    {:error, %Ecto.Changeset{} = changeset} ->
      assign(socket, changeset: changeset)
  end
end
# Stamps the current user's id onto the params, replacing any "user_id"
# value the client may have submitted with the form.
defp add_user_id_param(rating_params, socket) do
  user_id = socket.assigns.current_user.id
  Map.merge(rating_params, %{"user_id" => user_id})
end
# Stamps the id of the product held in the assigns onto the params,
# replacing any "product_id" value the client may have submitted.
defp add_product_id_param(rating_params, socket) do
  product_id = socket.assigns.product.id
  Map.merge(rating_params, %{"product_id" => product_id})
end