I'm working on an app which has a :featured_at in Users and Groups tables. The attribute enables a site admin to set records to a :featured_at datetime. There's named spaced admin controllers for the Users and Groups. The problem is, to set the :featured_at in the admin controllers for users and groups, the attribute had to be exposed under attr_accessible in User.rb and Group.rb. This means we're open to mass assignment hacks on this attribute. Is there a more elegant route to avoiding hacks than setting the params[:user][:featured_at] = nil (same for groups) in the public facing controllers for :create and :update actions?