Getting started guide: warn about mass assignment?


The mass assignment in the code example

  respond_to do |format|
    if @post.update_attributes(params[:post])
      format.html { redirect_to(@post,

allows editing the comments, too. This is not a problem because later,
authentication is added for this method. However, I think that
newcomers (who the guides are for) will think that update_attributes
(without any security measures) is a good practice to update their

For instance, I didn't realize the security hole in the following code
until now:
class A < ActiveRecord::Base
  has_many :bs          # plural, as has_many expects
end

class B < ActiveRecord::Base
  belongs_to :a         # B carries the a_id foreign key
end

and then in the b controller:
@a = A.find params[:a_id]
@b = @a.bs.find params[:b_id]     # scoped to @a, so the lookup itself is fine
@b.update_attributes params[:b]   # but params[:b] may carry a_id and move @b to another A

This will allow the user to assign B to another A, which is not wanted
in most cases.

So, I would ask whether you think that a warning about mass assignment
without attr_accessible, with a pointer to the security guide, would be
a good thing at the end of the "Editing posts" section.

could be more detailed.

Do you think it makes sense when I write some lines for it?
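An added example, not from the post or from the Rails guide: a small plain-Ruby stand-in for ActiveRecord's mass assignment, so the hole described above (a form for B smuggling in a_id and reparenting the record) can be reproduced without a Rails app. The class names, the whitelist helper and the `update_attributes` method are assumptions that mirror the Rails API of the time, not ActiveRecord itself; the tampered params hash is constructed for the example.

```ruby
# Minimal stand-in for ActiveRecord mass assignment (assumption: not the
# real ActiveRecord, only the part of its behaviour the post is about).
class Record
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = attrs.dup
  end

  # Mass assignment: every key the caller sends becomes an attribute write,
  # exactly as update_attributes(params[:b]) does with an unprotected model.
  def update_attributes(params)
    assignable(params).each { |name, value| @attributes[name.to_s] = value }
    true
  end

  def [](name)
    @attributes[name.to_s]
  end

  # Unprotected default: accept everything the request contains.
  def assignable(params)
    params
  end
end

# Whitelist in the spirit of attr_accessible: only listed attributes are
# ever written by mass assignment; anything else in the hash is dropped.
class ProtectedRecord < Record
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible || []
  end

  def assignable(params)
    allowed = self.class.accessible
    params.select { |name, _| allowed.include?(name.to_s) }
  end
end

# B belongs to A through a_id. The user may edit the body, but must not be
# able to move B under a different A by editing a_id.
class UnsafeB < Record; end

class SafeB < ProtectedRecord
  attr_accessible :body
end

# Constructed request: the owner of B #1 (under A #1) submits the edit form
# but adds a_id=2, e.g. via a crafted hidden field or a hand-built request.
TAMPERED_PARAMS = { "body" => "edited", "a_id" => "2" }.freeze

# Unprotected model: the foreign key is overwritten along with the body.
def unsafe_update
  b = UnsafeB.new("a_id" => 1, "body" => "original")
  b.update_attributes(TAMPERED_PARAMS)
  b
end

# Whitelisted model: the body changes, a_id stays 1.
def safe_update
  b = SafeB.new("a_id" => 1, "body" => "original")
  b.update_attributes(TAMPERED_PARAMS)
  b
end

if __FILE__ == $0
  puts "unsafe a_id: #{unsafe_update['a_id'].inspect}"  # "2": B was reparented
  puts "safe   a_id: #{safe_update['a_id'].inspect}"    # 1: a_id was dropped
end
```

The whitelist here silently drops unlisted keys, which is what attr_accessible did; the point is that the decision about which attributes a request may write has to live in the model (or be enforced before the hash reaches update_attributes), because the controller's scoped `find` only protects the lookup, not the write.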