Use attr_protected or we will hack you

Great point. Here’s a spec to help all of us Rails developers guard against that sort of attack. Now you really have no excuses.

describe User do
  it "should not set admin flag via mass assignment" do
    # Passing :is_admin in the attributes hash simulates a tampered form post;
    # with attr_protected :is_admin the flag must be silently dropped.
    user = create_user(:is_admin => true)
    user.is_admin?.should_not == true
  end

  def create_user(options={})
    User.create({
      # your default values here
    }.merge(options))
  end
end
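To show what the spec is really checking, here is an added, self-contained illustration (not the post's code and not ActiveRecord): a tiny model base class whose mass assignment mimics Rails' attr_protected semantics, with an unprotected model beside the hardened one. The class names MassAssignable, UnsafeUser, the promote! method and the create_user helper are assumptions for the example.

```ruby
# Minimal stand-in for ActiveRecord's mass-assignment filter (constructed
# example; not Rails). Keys listed via attr_protected never reach the model
# from a bulk attributes hash, whatever the caller passes.
class MassAssignable
  def self.attr_protected(*names)
    (@protected ||= []).concat(names.map(&:to_s))
  end

  def self.protected_attributes
    @protected || []
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = { "name" => nil, "is_admin" => false }
    assign(attrs)
  end

  # Mass assignment: symbol and string keys are normalised, then any key on
  # the protected list is dropped instead of written.
  def assign(attrs)
    attrs.each do |key, value|
      name = key.to_s
      next if self.class.protected_attributes.include?(name)
      @attributes[name] = value
    end
    self
  end

  def is_admin?
    attributes["is_admin"] == true
  end
end

# Vulnerable: nothing is protected, so a form post can flip is_admin.
class UnsafeUser < MassAssignable
end

# Hardened: is_admin can only be set by explicit code, never from params.
class User < MassAssignable
  attr_protected :is_admin

  def promote!
    @attributes["is_admin"] = true
    self
  end
end

# Same shape as the helper in the spec above, minus the database.
def create_user(options = {})
  User.new({ :name => "alice" }.merge(options))
end
```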