== The Problem ==

The attr_protected and attr_accessible declarations are too static. They're no different when a model is created vs when it's updated, and they have no concept of user permissions. They're also very hidden and out-of-mind when you're coding the controller. How many times have you forgotten to add a field to attr_accessible and wondered why you couldn't set a value, only to comb the logs and find the "could not assign" message? And how up-to-date is your attr_protected blacklist?

== The Plugin ==

mass_assignment for ActiveRecord does two things:

First, it adds an assign() method that accepts both a hash of new attributes and an optional set of assignable fields. This simple difference makes it easy to specify a list of allowed fields according to your user's role and any other detail of the situation. It also puts the whitelist exactly where you'll see it.

Second, it allows inheritable mass assignment policies. These act as defaults when you use the assign() method but don't provide a set of assignable attributes. If you want all your models to start from a hardcore secure blacklist, you can. Or if you want to globally disable mass assignment to _id fields unless otherwise specified, you can.

== The Links ==

Hosted at http://github.com/cainlevy/mass_assignment
Announced at http://codelevy.com/2009/05/25/mass-assignment-in-activerecord

-Lance
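As an added illustration of the approach described under The Plugin (this is not the mass_assignment plugin's own code and does not use ActiveRecord), here is a plain-Ruby stand-in for the two ideas: an assign method that takes a hash plus an optional whitelist of assignable fields, and a class-level default whitelist that subclasses inherit and can extend. The module, class and method names (MassAssignable, assignable_attributes, fields_for, demo) and the sample params hash are all constructed for this example.

```ruby
# Constructed illustration of role-aware whitelisted mass assignment.
# NOT the mass_assignment plugin's code: a plain-Ruby stand-in that runs
# without ActiveRecord, showing the same shape of API described above.

module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Inheritable default whitelist. Called with names it sets the policy for
    # this class; called without, it returns this class's policy or, failing
    # that, a copy of the superclass's policy (the "inheritable default").
    def assignable_attributes(*names)
      @assignable_attributes = names.map(&:to_s) unless names.empty?
      @assignable_attributes ||=
        (superclass.respond_to?(:assignable_attributes) ? superclass.assignable_attributes.dup : [])
    end
  end

  # Assign only whitelisted keys from +attrs+. The whitelist defaults to the
  # class policy but can be overridden per call, which is where role-specific
  # decisions belong. Returns the rejected keys so the caller sees what was
  # dropped instead of discovering it later in the logs.
  def assign(attrs, allowed = self.class.assignable_attributes)
    allowed = allowed.map(&:to_s)
    rejected = []
    attrs.each do |key, value|
      key = key.to_s
      if allowed.include?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

class User
  include MassAssignable
  attr_reader :name, :email, :admin, :account_id

  # Default policy: ordinary fields only, no privilege flag and no *_id field.
  assignable_attributes :name, :email

  # The role-dependent whitelist, chosen where the controller would choose it.
  def self.fields_for(role)
    role == :admin ? %w[name email admin account_id] : assignable_attributes
  end
end

class Employee < User
  attr_reader :title
  # Inherits name/email from User's policy and adds one more field.
  assignable_attributes(*(superclass.assignable_attributes + ["title"]))
end

# Constructed sample request params, including keys a form should not set.
PARAMS = {
  "name" => "Ann",
  "email" => "ann@example.com",
  "admin" => true,
  "account_id" => 7
}.freeze

# Assign PARAMS to a fresh User under the whitelist for +role+ and report
# [name, admin flag, rejected keys].
def demo(role)
  user = User.new
  rejected = user.assign(PARAMS, User.fields_for(role))
  [user.name, user.admin, rejected]
end

if __FILE__ == $0
  p demo(:member)  # => ["Ann", nil, ["admin", "account_id"]]
  p demo(:admin)   # => ["Ann", true, []]
end
```

Returning the rejected keys from assign is a small design choice that addresses the complaint in The Problem: a silently dropped "admin" or "account_id" shows up at the call site, not only as a "could not assign" line buried in the log.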