== The Problem ==
The attr_protected and attr_accessible declarations are too static.
They're no different when a model is created vs when it's updated, and
they have no concept of user permissions.
They're also very hidden and out-of-mind when you're coding the
controller. How many times have you forgotten to add a field to
attr_accessible and wondered why you couldn't set a value, only to
comb the logs and find the "could not assign" message?
And how up-to-date is your attr_protected blacklist?
== The Plugin ==
mass_assignment for ActiveRecord does two things:
First, it adds an assign() method that accepts both a hash of new
attributes and an optional set of assignable fields. This simple
difference makes it easy to specify a list of allowed fields according
to your user's role and any other detail of the situation. It also
puts the whitelist exactly where you'll see it.
Second, it allows inheritable mass assignment policies. These act as
defaults when you use the assign() method but don't provide a set of
assignable attributes. If you want all your models to start from a
hardcore secure blacklist, you can. Or if you want to globally disable
mass assignment to _id fields unless otherwise specified, you can.
== The Links ==