Rails security issue

I know this is not a REAL security issue, but I think it could be and
this seems very "unrails" like. What's to keep a user from modifying the
post hash they send to the server to set ANY attributes they want for an
AR object? attr_protected? So I have to write an attr_protected line in
my model for EVERY relationship I set up? This seems bad:

1. It's redundant and not what I would expect in rails.
2. If I forget to attr_protect a foreign key attribute I all of a sudden
have a possible security issue.

Let's pretend a User belongs to a user group, has and belongs to many
roles, and has many orders. So I need to do the following to make my
model secure?

attr_protected :user_group_id, :role_ids, :order_ids

Am I missing something or am I the only person that thinks something is
wrong with this?

attr_accessible is what I think you want
I found out about it at http://railscasts.com/episodes/26

Hey Ben,
and remember that if you use the 'attr_accessible' macro, that all
attributes *not* defined will be protected.

Adam

attr_accessible is only a partial solution for a narrow field of cases. Allowed fields in a POST or GET need to be defined on a case by case, for by form basis -- _not_ on a model-wide basis.

Allowing field x to be submitted in form A may be ok, but allowing it to be submitted in form B may not.

In my own frameworks I have always had a server-side definition in the processing of every specific form of which fields were allowed. That was one of the very first things I found myself writing a little method for in Rails. I have a library of misc Security Utility methods. This is one of them:

def SecurityUtilities.distill_params(allowed_inputs, input_params)
   input_params.delete_if do |input_name, input_value|
     !(allowed_inputs.include?(input_name.to_sym))
   end
end

Prior to any form process, I first weed out the garbage from params by defining the allowed_inputs:

allowed_inputs = [
   :userType, :pswd1, :pswd2,
   :userFirstName, :userLastName,
   :userEmail, :userHint, :userHosts]

which gets passed along with the params to filter unwnted k-v pairs from params.