attr_protected and Foreign Keys
Say you have a site that allows users to create favourites, and a favourite is composed of a url and a user_id. How is it best to stop users trying to add favourites to other people's accounts? I know this seems like an unlikely scenario but I think it's a point that highlights other security issues.
One approach I thought about was using attr_protected :user_id, which I think would do the job, but am I missing something about the way Rails works?
As always, I'd appreciate any thoughts.
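
The scenario in the question, as an added example that is not part of the original post. It is plain Ruby that models only mass assignment and an attr_protected-style filter; TinyModel, OpenFavourite, create_unprotected, create_protected and the sample request are assumptions made for illustration, not Rails code.

```ruby
# Minimal stand-in for a Rails model (assumption: this is not ActiveRecord).
# Only mass assignment and attr_protected-style filtering are modelled.
class TinyModel
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  attr_reader :attributes

  # Mass assignment: copy every submitted key except the protected ones.
  def initialize(params = {})
    @attributes = {}
    params.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end

  # Direct assignment is not filtered; only server-side code calls it.
  def user_id=(id)
    @attributes["user_id"] = id
  end

  def user_id
    @attributes["user_id"]
  end
end

class OpenFavourite < TinyModel; end   # no protection: the form decides the owner

class Favourite < TinyModel
  attr_protected :user_id              # as proposed in the post
end

# Hypothetical controller actions.
def create_unprotected(params)
  OpenFavourite.new(params)            # owner is whatever the request claims
end

def create_protected(current_user_id, params)
  favourite = Favourite.new(params)    # submitted user_id is dropped here
  favourite.user_id = current_user_id  # owner comes from the session
  favourite
end

# Constructed request: user 7 is logged in, the form claims user_id 42.
SUBMITTED = { "url" => "http://example.com/", "user_id" => 42 }
```

In a Rails application the same effect is usually reached by building the record through the owner's association, for example current_user.favourites.build(...), where current_user and the favourites association are assumed names.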