how to securely pass a related Class_id through a hidden form field
I have a GroupCoach model; GroupCoach has_many :groups. On my new Group form I want to pass a group_coach_id to the Group object in a hidden field so that a group gets associated with a GroupCoach without the user having to select one.
So in my Groups_Controller
@group = Group.new
@group_coach = GroupCoach.first(:order => "RAND()")
This will get a random GroupCoach, and then in the new Group view I have a hidden field:
<%= f.hidden_field @group_coach %>
This obviously doesn't work 100% right. It does pass the group_coach_id, but it's not telling the form what column to save it in...
I have also heard this is very insecure...
Make a token column. Simply SHA1 encrypt it (or whatever your choice is) and pass that instead. It's much harder to guess.
I used the following code to resolve this issue
<%= f.hidden_field :group_coach_id, :value => @group_coach.id %>
But is this the most secure? Seems pretty insecure as I could change the value in Firebug or something...
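The worry in the last post is the right one: anything in a hidden field is client-controlled, so the server has to either choose the value itself or be able to prove the value it gets back is the one it sent. The following is an added example (not code from the question or from the answer above) showing the second option in plain Ruby, with no Rails dependency so it runs stand-alone: the server puts an HMAC-signed token into the hidden field, and the create action takes group_coach_id only from a token that verifies. This is the same idea as Rails' ActiveSupport::MessageVerifier, written out so the check is visible. The names SECRET, sign_coach_id, verify_coach_token, group_attributes_from_params and the param name group_coach_token are all assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example (not from the question or answer above): a hidden-field
# value the client cannot alter undetected. The server keys an HMAC with a secret
# only it knows; Rails' ActiveSupport::MessageVerifier does the same thing with
# secret_key_base, but it is written out here so every step of the check is visible.

# Assumption: a secret that persists for the life of the app. A fresh random one
# is generated here only so the example runs stand-alone.
SECRET = SecureRandom.hex(32)

# Constant-time byte comparison, so a forged MAC cannot be confirmed byte by byte
# through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value to place in the hidden field: "<id>--<hmac-sha256 of id>".
def sign_coach_id(coach_id, secret = SECRET)
  payload = Integer(coach_id).to_s
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Verify a submitted hidden-field value. Returns the integer id when the
# signature checks out, nil for a missing, malformed, edited or forged token.
def verify_coach_token(token, secret = SECRET)
  return nil unless token.is_a?(String)
  payload, mac = token.split('--', 2)
  return nil if payload.nil? || mac.nil? || payload !~ /\A\d+\z/
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  secure_equal?(mac, expected) ? payload.to_i : nil
end

# What the create action should do with the submitted params (a plain Hash here
# standing in for the form params): take group_coach_id only from the verified
# token and drop any raw group_coach_id the client may have added.
def group_attributes_from_params(params, secret = SECRET)
  coach_id = verify_coach_token(params['group_coach_token'], secret)
  raise ArgumentError, 'missing or invalid group_coach_token' if coach_id.nil?
  { 'name' => params['name'], 'group_coach_id' => coach_id }
end

if __FILE__ == $PROGRAM_NAME
  token = sign_coach_id(7)
  puts "hidden field value: #{token}"
  puts "verified id: #{verify_coach_token(token).inspect}"
  puts "edited id:   #{verify_coach_token(token.sub(/\A7/, '8')).inspect}"
end
```

In the view this would be `<%= hidden_field_tag :group_coach_token, sign_coach_id(@group_coach.id) %>`, so the token arrives as params[:group_coach_token] and the controller builds the Group from group_attributes_from_params rather than from whatever group_coach_id the browser sent. The simplest defence of all is to not round-trip the value: pick the random GroupCoach inside the create action and assign @group.group_coach_id there, so there is nothing in the form for Firebug to edit.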