Why slicing the params hash poses a security issue on mass-assignment?

余生分开走 2021-02-13 03:25

The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not

5 answers
  •  迷失自我
    2021-02-13 03:55

    Just removing the :name from the params hash works to prevent setting that attribute for that action. It works only for the actions you remember protecting.

    However, this practice doesn't protect you from abuse using all the methods automatically added for associations.

    class User < ActiveRecord::Base
      has_many :comments   # also generates association writers such as comment_ids=
    end

    will leave you vulnerable to someone setting the comments_ids attribute, even when you delete the comments attribute from params.

    Since there are quite a lot of methods added for associations, and since they might change in the future, the best practice is to protect your attributes on the model using attr_accessible. This will stop these kinds of attacks most effectively.
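An added example, not part of the answer above, that reproduces the point with a plain Ruby stand-in for an ActiveRecord model (the `User` class, its attribute names and the forged params are assumptions). The `has_many :comments` declaration in real Rails generates a `comment_ids=` writer; here that writer is defined by hand. The example shows that removing only the `comments` key from params still lets a forged `comment_ids` reach the model, while an attr_accessible-style whitelist on the model stops it regardless of which keys the controller remembered to strip:

```ruby
# Added example (not from the original post): a minimal stand-in for an
# ActiveRecord model showing why deleting one key from params is not enough.
# The User class, its attributes and FORGED_PARAMS are all constructed here.
class User
  attr_accessor :name, :email
  attr_reader :comment_ids

  def initialize
    @name = nil
    @email = nil
    @comment_ids = []
  end

  # Stands in for the writer Rails generates for `has_many :comments`.
  # On a real model this reassigns which comment rows belong to this user.
  def comment_ids=(ids)
    @comment_ids = Array(ids).map(&:to_i)
  end

  # Unprotected mass assignment: every key with a matching "key=" writer
  # is applied, which is the behaviour the answer warns about.
  def assign_unprotected(attrs)
    attrs.each do |key, value|
      writer = "#{key}="
      public_send(writer, value) if respond_to?(writer)
    end
    self
  end

  # attr_accessible-style whitelist kept on the model: only listed keys
  # ever reach a writer, no matter what the controller forgot to remove.
  ACCESSIBLE = [:name, :email].freeze

  def assign_protected(attrs)
    filtered = attrs.select { |key, _| ACCESSIBLE.include?(key.to_sym) }
    assign_unprotected(filtered)
  end
end

# Constructed request params, including keys a client should not control.
FORGED_PARAMS = {
  name: "alice",
  email: "alice@example.com",
  comments: ["not a real comment"],
  comment_ids: [1, 2, 3], # association writer the controller did not think of
}.freeze

# Controller-side "slicing": only the key the developer remembered is removed.
def sliced_assignment
  params = FORGED_PARAMS.reject { |key, _| key == :comments }
  User.new.assign_unprotected(params)
end

# Model-side protection: the same forged params, filtered by the whitelist.
def whitelisted_assignment
  User.new.assign_protected(FORGED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "sliced:      comment_ids=#{sliced_assignment.comment_ids.inspect}"
  puts "whitelisted: comment_ids=#{whitelisted_assignment.comment_ids.inspect}"
end
```

Running the file prints `[1, 2, 3]` for the sliced case and `[]` for the whitelisted case: the controller-side `reject` never saw `comment_ids`, so the association writer ran, whereas the model-side whitelist applied only `name` and `email`.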
