I am not sure whether you are referring to a specific project but usually hidden fields are used to transfer data invisibly between pages so my guess here would be the same.
However, my question is mainly focus on: could I just remove field after I have populated into the model, or will I have to stick with hidden field, is this a "security issue" that if I completely remove it the logic will be break somewhere (in fact, when I remove it I see no error).
But till I am not supper at Yii, I really need your help for my vague thought.
As bettor and riemann suggests, it depends on the meaning of "$this->_project->id".
What is it and how do you get it?
Note that your "actionCreate" is called at least twice: 1) before rendering the input form, and 2) after receiving the form submission. And in each call you will get "$this->_project->id".
Is it assured to be the same value?
If it is, then you can safely remove the hidden field.
If not, you have to pass the value of it from the 1st call to the 2nd call with a hidden field (or by a session data).