Ruby on Rails
HowToEnsureValidAttributesInFormData

The Securing your Rails page describes a common issue when updating a record directly from POST data: any attribute sent by the client is written to the record. It recommends the use of attr_protected and attr_accessible.

The problem is that these methods always protect the given attributes, but you might want to conditionally allow 'mass assignment' in your app (for example, only for a privileged user).

For these situations, you can filter your form data before passing it to the ActiveRecord (AR) object:

# @params['user'] contains the attributes we want to add
# allowed_attr specifies which attributes are allowed in this request
if some_flag
  allowed_attr = ['name', 'email', 'password', 'status', 'balance']
else
  allowed_attr = ['name', 'email', 'password']
end

# use delete_if so the hash only contains allowed attributes
# (note: this modifies @params['user'] in place; keys are compared as strings)
@params['user'].delete_if { |k, v| not allowed_attr.include?(k) }

# mass assign our cleaned attributes to the object
user = User.new(@params['user'])
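The same allow-list idea as a reusable method, added here as an example and not taken from the page above. It generalises the snippet: keys are normalised to strings (form parameters may arrive as strings or symbols), the input hash is left untouched, and the rejected keys are reported so an attempt to set a protected field can be logged. The `privileged` flag stands in for `some_flag`; the sample POST data is constructed.

```ruby
# Attributes any user may set on their own record.
BASE_ATTRS = %w[name email password].freeze
# Extra attributes allowed only when the caller passes privileged: true
# (plays the role of some_flag in the snippet above).
PRIVILEGED_ATTRS = (BASE_ATTRS + %w[status balance]).freeze

# Return a new hash containing only the allowed keys of `attrs`.
# Keys are compared as strings so :balance and 'balance' are treated alike,
# and the caller's hash is not modified (unlike delete_if).
def filter_attributes(attrs, privileged: false)
  allowed = privileged ? PRIVILEGED_ATTRS : BASE_ATTRS
  attrs.each_with_object({}) do |(key, value), clean|
    clean[key.to_s] = value if allowed.include?(key.to_s)
  end
end

# Keys that were submitted but not allowed; worth logging, since a client
# sending 'balance' or 'id' is probing for mass-assignment holes.
def rejected_attributes(attrs, privileged: false)
  kept = filter_attributes(attrs, privileged: privileged)
  attrs.keys.map(&:to_s) - kept.keys
end

# Constructed sample of what @params['user'] might contain.
SAMPLE_PARAMS = {
  'name' => 'alice', 'email' => 'alice@example.com', 'password' => 's3cret',
  :balance => 1_000_000, 'status' => 'admin', 'id' => 42
}.freeze

if __FILE__ == $PROGRAM_NAME
  p filter_attributes(SAMPLE_PARAMS)                    # only name/email/password
  p rejected_attributes(SAMPLE_PARAMS)                  # ["balance", "status", "id"]
  p filter_attributes(SAMPLE_PARAMS, privileged: true)  # adds balance and status
end
```

The cleaned hash can then be passed to `User.new` exactly as in the snippet above.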