So let's walk through a quick scenario on your site. I'm signed in as the user "joshodin" and I have one upcoming event (one that I'm hosting). Now there's another user named "usern2" who has a private event set up. I shouldn't be able to see or interact with this event. So far, so good.
Now let me click on my event "Event Title". I'm taken to a page where I can take a variety of actions. I can invite people, edit the event, cancel the event, etc. Another thing I can do is declare that I'd like to attend this event. Let's examine this "Attend Event" button in devtools:
Rails automatically wraps your button in a small form whose action attribute determines where the POST request goes when the button is submitted. Notice that I can see the params that will be passed to the controller as hidden fields, and I can edit them (the `%5D` in the devtools view is just a URL-encoded `]`). That `attended_event_id%5D=1` is the one that matters: I control it. Let's change the `1` to a `2` and click the button.
And now I've registered my attendance at usern2's private event without having been invited. The controller took the event id from a hidden field I was never meant to change and never checked whether I was allowed to attend that event, which is a missing authorization check on a client-supplied object id.
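To make the fix concrete, here is an added example (not the site's own code) in plain Ruby that models the two handlers: one that trusts the hidden field the way the walkthrough shows, and one that treats it only as a lookup key and decides authorization server-side from the user's relationship to the event. The in-memory users and events, the full param name `attendance[attended_event_id]` (the page shows only the `attended_event_id%5D=1` tail), and the rule that hosts and invitees may attend a private event are all constructed assumptions for the illustration.

```ruby
require 'uri'

# Constructed sample data standing in for the site's database (assumption, not the page's data).
USERS  = { 1 => 'joshodin', 2 => 'usern2' }
EVENTS = {
  1 => { title: 'Event Title',   host_id: 1, private: true, invited_ids: [] },
  2 => { title: "usern2's event", host_id: 2, private: true, invited_ids: [] },
}
ATTENDANCES = [] # [[user_id, event_id], ...]

# Full param name is assumed; the page only shows the URL-encoded "attended_event_id%5D=1" tail.
EVENT_PARAM = 'attendance[attended_event_id]'

# Decode the URL-encoded body that a button_to form submits. Rails does this
# itself; shown here so the %5B/%5D seen in devtools is visible as brackets.
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Vulnerable handler: takes the event id straight from the hidden field and
# records attendance as long as the event exists. Any user can attend any event.
def attend_vulnerable(current_user_id, body)
  event_id = Integer(parse_form_body(body).fetch(EVENT_PARAM))
  return :not_found unless EVENTS.key?(event_id)
  ATTENDANCES << [current_user_id, event_id] unless ATTENDANCES.include?([current_user_id, event_id])
  :created
end

# Server-side rule (assumed): hosts and invitees may attend a private event,
# anyone may attend a public one. The client never gets a say in this.
def allowed_to_attend?(user_id, event)
  return true if event[:host_id] == user_id
  return true unless event[:private]
  event[:invited_ids].include?(user_id)
end

# Hardened handler: the same param is only a lookup key. Missing and
# off-limits events both return :not_found so the response does not reveal
# which private event ids exist.
def attend_hardened(current_user_id, body)
  event_id = Integer(parse_form_body(body).fetch(EVENT_PARAM))
  event = EVENTS[event_id]
  return :not_found if event.nil? || !allowed_to_attend?(current_user_id, event)
  ATTENDANCES << [current_user_id, event_id] unless ATTENDANCES.include?([current_user_id, event_id])
  :created
end

# The walkthrough's tampered request: joshodin (id 1) changes the 1 to a 2.
TAMPERED_BODY = 'attendance%5Battended_event_id%5D=2'

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{attend_vulnerable(1, TAMPERED_BODY)}" # :created  (bug)
  puts "hardened:   #{attend_hardened(1, TAMPERED_BODY)}"   # :not_found
end
```

In a real Rails controller the same shape applies: look the event up by the submitted id, then ask a policy (Pundit, CanCanCan, or a plain method like `allowed_to_attend?`) whether `current_user` may act on it, and only then create the attendance. Strong parameters limit which keys are accepted; they do not check whether the user is allowed to use the value they sent.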