Rails documentation doesn't make this very clear, but it seems that all uses of update_attributes constitutes mass assignment and all attributes need to be whitelisted if using attr_accessible. The docs for update_attributes makes no mention of this:
update_attributes(attributes)
Updates this resource with all the attributes from the passed-in Hash and requests that the record be saved.
If the saving fails because of a connection or remote service error, an exception will be raised. If saving fails because the resource is invalid then false will be returned.
Note: Though this request can be made with a partial set of the resource’s attributes, the full body of the request will still be sent in the save request to the remote service.
Are there any other methods I should be aware of that trigger this mass assigment restriction?
I think you should look here: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html
and watch this very old and very short railscast http://railscasts.com/episodes/26-hackers-love-mass-assignment
This will help you a lot with "mass assignment" topic :)
When using mass assignment, you should use attr_accessible to define which attributes may be updated, or attr_protected to define which shouldn't be updated.
More information on mass assignment here: https://stackoverflow.com/questions/tagged/mass-assignment
精彩评论