I cloned your project and poked around. It's pretty good! I am going to write one thing that isn't fully in the curriculum (yet) but that you probably want to be aware of.
First some terms:
- Authentication: Figuring out who a user is.
- Authorization: I know who the user is (using authentication), and now I need to consider what they're allowed to do.
Your app of course has authentication implemented through devise. Another thing you'll want to consider going forward, though, is that second thing: what are the current user's permissions?
For example, userA can invite other users to their event. But userA shouldn't be able to invite userB to userC's event. Only userC should be able to invite users to userC's event.
Now let's look at a quick bug/exploit that's available in your code.
On your site, I have one user logged in as josh. He's created a super secret birthday party event.
In another tab, I have a user named red hat. They can't see josh's event because they haven't been invited to it (this is good). red hat creates their own event that they're going to use to cause problems.
So red hat clicks on the show page for their event, and then they click on the "invite user" page, where they land here:
Now this form is all plain HTML running on my machine. I can inspect it with devtools, and I can change it with devtools. Inspecting it, I can read the action attribute on the form to see where it's getting submitted to. I see that it's wired to the event with id=4 (the event that red hat created).
But there's nothing to stop me from changing this. I can instead change the form's action to point to the event with id=3 (this is the id of the event that josh created). I do this and fill in the name red hat. And now red hat has suddenly invited themselves to josh's event.
This would of course cause chaos in any app that allows things like this. Imagine if anyone could delete or edit your posts on discord, or delete your repos on GitHub. Not just anyone should have that control, only you (the owner of your content) or people with elevated permissions (moderators, admins, and so on).
Fortunately, a lot of these cases are solved very simply: just scope your queries to the current user.
```ruby
# app/controllers/event_invitations_controller.rb
def create
  # look for event id among ALL events
  # this isn't good because this is a privileged action that only the event's owner should be allowed to do
  event = Event.find(params[:event_id])

  # instead, you can look for event id only among the *current user's* events
  # this will succeed and proceed as normal if found, or raise an error if not
  event = current_user.events.find(params[:event_id])
end
```
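To make the difference between the two lookups concrete, here is an added example (my own illustration, not code from your project) that simulates the walkthrough above without Rails. It stands in `find_any_event` for `Event.find` and `find_owned_event` for `current_user.events.find`; the `Event`/`Invitation` structs, the user ids, and the tampered `params` hash are constructed sample data. The unscoped `create` happily attaches red hat to josh's event (id=3); the scoped one raises, exactly as `ActiveRecord::RecordNotFound` would in your controller.

```ruby
# Added example: simulating the scoped vs. unscoped event lookup.
# Model names, ids and params are constructed for illustration.

class RecordNotFound < StandardError; end

Event = Struct.new(:id, :owner_id, :name)
Invitation = Struct.new(:event_id, :invitee)

# Constructed sample data: josh (user 1) owns event 3, red hat (user 2) owns event 4.
EVENTS = [
  Event.new(3, 1, "josh's super secret birthday party"),
  Event.new(4, 2, "red hat's event"),
].freeze

# Stand-in for Event.find: searches ALL events, regardless of who owns them.
def find_any_event(id)
  EVENTS.find { |e| e.id == id } or
    raise RecordNotFound, "Couldn't find Event with id=#{id}"
end

# Stand-in for current_user.events.find: only the current user's own events qualify.
def find_owned_event(current_user_id, id)
  EVENTS.find { |e| e.owner_id == current_user_id && e.id == id } or
    raise RecordNotFound, "Couldn't find Event with id=#{id} for user #{current_user_id}"
end

# Vulnerable version of the create action: trusts whatever event_id the form posted.
# The current user is ignored entirely, which is the bug.
def create_invitation_unscoped(_current_user_id, params)
  event = find_any_event(params[:event_id])
  Invitation.new(event.id, params[:name])
end

# Fixed version: the lookup is scoped to events the current user owns.
def create_invitation_scoped(current_user_id, params)
  event = find_owned_event(current_user_id, params[:event_id])
  Invitation.new(event.id, params[:name])
end

# Replays the tampered request from the walkthrough: red hat (user 2) submits
# event_id=3 (josh's event) instead of their own event_id=4.
def demo
  tampered = { event_id: 3, name: "red hat" }
  unscoped = create_invitation_unscoped(2, tampered)
  scoped = begin
    create_invitation_scoped(2, tampered)
  rescue RecordNotFound => e
    e.message
  end
  { unscoped: unscoped, scoped: scoped }
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
end
```

In a real Rails app the raised `ActiveRecord::RecordNotFound` is rendered as a 404, so the tampered request fails without you writing any extra branching. Two caveats worth keeping in mind: scoping through `current_user.events` assumes `has_many :events` on `User` expresses ownership, and it covers only the "owner may act" rule; once you want moderators or co-hosts to invite people too, you'll want an explicit authorization check (a policy object or a gem like Pundit) rather than stretching the association.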