Thank you for the useful article!
Serhij Korochanskyj
Hey there Serhij,
It’s bad practice to cast foreign keys in changesets, as malicious users will be able to insert arbitrary associations.
For example, let’s say you have a form which makes a Post, and in that form you have a user_id field which is cast as the author. This way, a user would be able to assign the post to any other user they want. This is a soft example, but you get the idea.
In this situation, “This should be handled in your controller” means you should manually insert user_id into your changeset from the currently logged-in user, rather than trusting form data. It’s much safer.
I hope that helps!
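As an added illustration of the point made in this reply (example code, not from the article or either commenter), here is the unsafe changeset that casts user_id from form params next to a hardened version where the controller derives ownership from the logged-in user. The module names (MyApp.Blog.Post, MyApp.Accounts.User with has_many :posts, MyAppWeb.PostController, conn.assigns.current_user) are hypothetical Phoenix/Ecto conventions assumed for the example.

```elixir
defmodule MyApp.Blog.Post do
  use Ecto.Schema
  import Ecto.Changeset

  # Hypothetical schema; assumes MyApp.Accounts.User declares `has_many :posts`.
  schema "posts" do
    field :title, :string
    field :body, :string
    belongs_to :user, MyApp.Accounts.User
    timestamps()
  end

  # Weak: :user_id is cast straight from the form, so any submitted
  # "user_id" value is accepted and the post can be attributed to anyone.
  def unsafe_changeset(post, attrs) do
    post
    |> cast(attrs, [:title, :body, :user_id])
    |> validate_required([:title, :body, :user_id])
  end

  # Hardened: only content fields are cast. A "user_id" key in attrs is
  # silently ignored because it is not in the permitted list.
  def changeset(post, attrs) do
    post
    |> cast(attrs, [:title, :body])
    |> validate_required([:title, :body])
  end
end

defmodule MyAppWeb.PostController do
  use MyAppWeb, :controller
  alias MyApp.Blog.Post
  alias MyApp.Repo

  def create(conn, %{"post" => post_params}) do
    # Ownership comes from the authenticated session, never from the form.
    current_user = conn.assigns.current_user

    # Ecto.build_assoc/2 returns a %Post{} with user_id already set to
    # current_user.id; Post.changeset/2 then layers the untrusted fields on top.
    changeset =
      current_user
      |> Ecto.build_assoc(:posts)
      |> Post.changeset(post_params)

    case Repo.insert(changeset) do
      {:ok, post} -> redirect(conn, to: "/posts/#{post.id}")
      {:error, changeset} -> render(conn, :new, changeset: changeset)
    end
  end
end
```

A quick check in the test suite is to call Post.changeset/2 with a params map containing a foreign "user_id" and assert that the resulting changeset has no :user_id change.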