by tptacek 5251 days ago
All I can say is, I looked under the hood at the application we're talking about and thought these might be useful suggestions. Particularly attr_accessible.

I've found a lot of Rails apps over the last couple years that were diligent about having an attr_accessible in every model, but not diligent about what went in the attr_accessible. Following the Rails idiom, they were doing all their attribute assignment through update-style params[:model] model[foo] model[bar] stuff, and attr_accessible "breaks" that.

The Rails tutorial is good (and ambitious) --- just know, this stuff trips up solid, experienced Rails developers all the time.

When I was starting out, every tutorial seemed to assume that I even knew what "mass assignment" implied. Creating a bunch of bad things at once? Changing a lot of existing things in a bad way at once like their creator_id so a bad guy could access them?

I think "mass assignment" and "attr_accessible" in tutorials should always link to the API documentation[1] that explains the implications and the tools at your disposal + example code.

[1]: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmen...

Worse still, I started off with Beginning Rails 3 by Apress, and it makes only one obscure reference to attr_accessible, and not in the context of security, doesn't mention mass assignment at all, and has no chapter on even basic security. Beginners need to learn this stuff early, so Apress' oversight is unforgivable. mhartl OTOH is to be applauded.
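Both comments above turn on the same mechanism: update-style assignment from params[:model] writes every key the client sends unless attr_accessible whitelists the attribute, which is why an unlisted creator_id can be set from the outside. The following is an added example, not code from this thread or from Rails; it assumes a small stand-in class (Model, UnprotectedPost, ProtectedPost, build_post and PARAMS are all constructed here) that mimics the whitelist semantics so the creator_id case can be run without ActiveRecord.

```ruby
# Added example: a stand-in for ActiveRecord's attr_accessible whitelist, not
# Rails code. Real apps use ActiveRecord; this only mimics the semantics.
class Model
  # Whitelist of attribute names that request parameters may set.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # nil means no whitelist was declared: every key in the hash is assignable.
  def self.accessible
    @accessible
  end
  attr_reader :attributes
  def initialize(attrs = {})
    @attributes = {}
    assign_attributes(attrs)
  end
  # Mirrors update_attributes(params[:post]): every key in the hash is written
  # unless a whitelist exists and the key is not on it. Returns dropped keys.
  def assign_attributes(attrs)
    dropped = []
    attrs.each do |key, value|
      key = key.to_s
      if self.class.accessible && !self.class.accessible.include?(key)
        dropped << key
        next
      end
      @attributes[key] = value
    end
    dropped
  end
end

# Constructed request parameters: the form only has title and body, but a
# client can add any extra key it likes, here creator_id.
PARAMS = { "title" => "Hello", "body" => "...", "creator_id" => 1 }.freeze
class UnprotectedPost < Model; end   # no attr_accessible at all
class ProtectedPost < Model
  attr_accessible :title, :body      # creator_id is not on the whitelist
end

# Controller-style helper: build the record from params, then set creator_id
# server-side only if it is still empty. Without a whitelist the ||= keeps
# whatever creator_id the client supplied; with one, the server value wins.
def build_post(klass, params, current_user_id)
  post = klass.new(params)
  post.attributes["creator_id"] ||= current_user_id
  post.attributes
end
```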