[danneu]

When I was starting out, every tutorial seemed to assume that I even knew what "mass assignment" implied. Creating a bunch of bad things at once? Changing a lot of existing things in a bad way at once like their creator_id so a bad guy could access them?

I think "mass assignment" and "attr_accessible" in tutorials should always link to the API documentation[1] that explains the implications and the tools at your disposal + example code.

[1]: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmen...

[sc00ter]

Worse still, I started off with Beginning Rails 3 by Apress, and it makes only one obscure reference to attr_accessible, and not in the context of security, doesn't mention mass assignment at all, and has no chapter on even basic security. Beginners need to learn this stuff early, so Apress' oversight is unforgivable. mhartl OTOH is to be applauded.