Even if a parameter is hidden or not editable in the HTML form, that does not stop a user from adding it to the request and changing it (mass assignment). This way a user can potentially do malicious actions in your app, such as setting attributes the form never offered. Make sure that only the attributes you expect are editable, using strong params, and permit different attributes depending on the current user's role!
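As an added example (not the episode's or the blog's code), the following plain-Ruby snippet models what the episode does with strong params: the list of permitted attributes depends on the current user's role, and anything else sent in the request is dropped. The role names and attribute lists are assumptions for illustration; in a real controller the same allow-list is passed to `params.require(:user).permit(...)`.

```ruby
# Added example, not the episode's code. Role-based attribute allow-listing in
# plain Ruby that mirrors Rails strong params. Roles, attribute names and the
# shape of the submitted hash are assumptions for illustration.

# Attributes any signed-in user may change on their own record (assumed).
BASE_ATTRS = %w[name email].freeze
# Admins may additionally change privileged attributes (assumed).
ADMIN_ATTRS = (BASE_ATTRS + %w[role active]).freeze

# Decide the allow-list from the current user's role, not from what the form
# happened to render. In a Rails controller this is the list you would splat
# into: params.require(:user).permit(*permitted_attributes(current_user))
def permitted_attributes(current_user)
  current_user[:role] == "admin" ? ADMIN_ATTRS : BASE_ATTRS
end

# Filter the raw request params (string-keyed, like form input) down to the
# permitted keys. Returns [permitted_hash, rejected_keys] so the caller can
# log the rejected keys, which is what Rails does for unpermitted parameters.
def permit_user_params(raw_params, current_user)
  user_params = raw_params.fetch("user") { raise ArgumentError, "param is missing: user" }
  allowed = permitted_attributes(current_user)
  permitted = user_params.select { |key, _| allowed.include?(key) }
  rejected = user_params.keys - allowed
  [permitted, rejected]
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: a non-admin user hides a "role" field in the POST body
  # even though the form never rendered one.
  tampered = { "user" => { "name" => "Alice", "email" => "a@example.com", "role" => "admin" } }

  permitted, rejected = permit_user_params(tampered, { role: "member" })
  puts "member may set:  #{permitted.keys.inspect}, dropped: #{rejected.inspect}"

  permitted, rejected = permit_user_params(tampered, { role: "admin" })
  puts "admin may set:   #{permitted.keys.inspect}, dropped: #{rejected.inspect}"
end
```

Rather than silently dropping unexpected keys in production, set `config.action_controller.action_on_unpermitted_parameters = :log` (or `:raise` in development and test) so that a request carrying attributes outside the allow-list shows up in the logs, which is the cheapest detection of parameter tampering you can get.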
Episode source code: https://github.com/corsego/77-strong-params-authorization/commit/4609d17e23b5b5f244e554d91b32e68d852b6ae8
Text version: https://blog.corsego.com/permit-params-by-current-user-roles
Rails Docs: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html