File upload using CarrierWave, SimpleForm, InheritedResources and polymorphic associations

Question

I am having trouble getting nested attributes to work with file uploads using polymorphism. Here is the relevant sourcecde from my app.

app/uploaders/image_uploader.rb

# encoding: utf-8

class ImageUploader < CarrierWave::Uploader::Base
  include CarrierWave::RMagick
  storage :file

  version :thumb do
    process resize_to_fill: [50, 50]
    process convert: 'jpg'
  end

  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end
end

app/models/photo.rb

class Photo < ActiveRecord::Base
  attr_accessible :image, :imageable_id, :imageable_type
  belongs_to :imageable, polymorphic: true 
  mount_uploader :image, ImageUploader
  validates_presence_of :image, :imageable_id, :imageable_type
end

app/controllers/photos_controller.rb

  class PhotosController < InheritedResources::Base
    def create
      # TODO enforce imageable_id belongs to current account
      @photo = Photo.new(params[:photo])
      if @photo.save
        redirect_to @photo.imageable, notice: 'Photo saved'
      else
        flash[:error] = 'Photo could not be saved'
        redirect_to(:back)
      end
    end
  end

app/models/listing.rb

class Listing < ActiveRecord::Base
    attr_accessible :photos_attributes
    has_many :photos, :as => :imageable, :dependent => :destroy
    accepts_nested_attributes_for :photos
    mount_uploader :logo, ImageUploader
end

app/views/listings/show.html.haml

%p
  %b Photos:
  %ul.inline
    - @listing.photos.each do |photo| 
      %li= link_to(image_tag(photo.image_url(:thumb)), photo.image_url)

= simple_form_for @listing.photos.new do |f|
  = f.hidden_field :imageable_id
  = f.hidden_field :imageable_type
  = f.input :image, as: :file
  = f.submit 'Upload'

The above form works, but passing :imageable_id and :imageable_type feels hackish to me and can easily lead to mass assignment security issues. Plus this requires that I have attr_accessible in Photo and a photos_controller.rb and RESTful routes to :photos. This all seems very wrong.

Here is my original form that felt more the Rails way, but it did not work. It seems that the polymorphic association is somehow interfering. I think that the photos attributes should post with the params[:listing] instead of a separate params[:photo].

app/views/listings/_form.html.haml

= simple_form_for @listing do |f|
  = simple_fields_for :photos, @listing.photos.new do |pf|
    = pf.input :image, :as => :file
  = f.submit 'Upload'

Can someone show the correct way to do this?