Item belongs_to :user
is this safe? Item.user_id is still protected, and Item.user can't be
set by mass assignment from a web request because the parameters are
all strings - trying to assign a string to Item.user raises
AssociationTypeMismatch. Even setting params['item']['user'] to an
empty string would raise an error.
The benefit of this approach is that I can still use mass assignment
of associations in my own code.