question on mass assignment and related security risk


I have a question on a solution I think is secure, but would like a second opinion:

In our application we have a user model, which has a 'roles' attribute. Normally, I'd not have this attribute mass-assignable, as users have the possibility to update their own information and could manipulate the post hash to include 'roles'.

In this particular case however, we are working with a rails engine that would require a lot of tinkering (which we would rather avoid) unless we leave the attribute mass-assignable.

Now, our solution is the following: In the user#update action in the controller we simply strip the roles attribute from the params hash before it gets updated:

params[:user].delete(:roles)

Although I understand this is not an ideal solution, is it secure?

Thanks for your expertise,
Erwin

Accepted answer:

Your solution works but is not that ideal.

I think this screencast is the state of the art:

http://railscasts.com/episodes/237-dynamic-attr-accessible
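As an added illustration (not code from the question or the answer), here is a plain-Ruby stand-in for the situation described: a model whose `update_attributes` turns every key of the request hash into a setter, the asker's blacklist (`delete(:roles)`) beside a whitelist in the spirit of strong parameters / dynamic `attr_accessible`, and the role-dependent permission list the linked screencast is about. The `admin` flag and the request hashes are constructed for the demo; the original post only names a `roles` attribute, and no Rails gem is required to run this.

```ruby
require 'set'

# Hypothetical stand-in for an ActiveRecord user model. Only 'roles' exists on the
# page; 'admin' is added here as a second sensitive attribute the blacklist forgets.
class User
  attr_accessor :name, :email, :roles, :admin

  def initialize(name:, email:, roles: [], admin: false)
    @name, @email, @roles, @admin = name, email, roles, admin
  end

  # Mimics mass assignment: every key in the hash becomes a setter call,
  # which is exactly why untrusted params must be filtered before they get here.
  def update_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# The asker's approach: strip specific keys. Keys are compared as strings because
# Rails params are indifferent-access, so the symbol in the blacklist must also
# catch the string key that arrives in the request body.
def strip_blacklisted(params, blacklist)
  deny = blacklist.map(&:to_s).to_set
  params.reject { |k, _| deny.include?(k.to_s) }
end

# Whitelist filter: only listed keys survive, everything unexpected is dropped.
def permit(params, allowed)
  allow = allowed.map(&:to_s).to_set
  params.select { |k, _| allow.include?(k.to_s) }
end

# Role-dependent whitelist (the idea behind dynamic attr_accessible):
# an admin may set roles on an account, an ordinary user may not.
def permitted_attributes(current_user)
  base = %w[name email]
  current_user.roles.include?('admin') ? base + ['roles'] : base
end

def update_with_blacklist(user, params)
  user.update_attributes(strip_blacklisted(params, [:roles]))
end

def update_with_whitelist(user, params, current_user)
  user.update_attributes(permit(params, permitted_attributes(current_user)))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: a self-service profile update with two extra keys.
  attacker = { 'name' => 'mallory', 'roles' => ['admin'], 'admin' => true }

  u1 = User.new(name: 'erwin', email: 'erwin@example.com')
  update_with_blacklist(u1, attacker)
  puts "blacklist: roles=#{u1.roles.inspect} admin=#{u1.admin}"   # roles stripped, admin slips through

  u2 = User.new(name: 'erwin', email: 'erwin@example.com')
  update_with_whitelist(u2, attacker, u2)
  puts "whitelist: roles=#{u2.roles.inspect} admin=#{u2.admin}"   # both rejected
end
```

The blacklist does what the question says it does for `roles`, but it only protects the one key it names and only in the one action where it is written; a whitelist computed from the current user's role protects every attribute by default and can be shared by create and update.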