Mass assignment is one of the worst practices in typical rails apps. And their fix is to move everything to the models. All so they can have "skinny controllers" with one liners like @user.update_attributes(params[:user]).
Seems crazy to me. I've never used attr_protected, or attr_accessible because controllers should actually parse out the params and then explicitly define what's needed to update the models.
It's more glue code, but you're making rails controllers do what they're supposed to do... parse http form input and return results.
As someone that's never worked in rails before, the fact that rails allows you to take parameters from the url, and directly update a database object with them is shocking to me. That's like the first thing you learn about securing websites.
As someone who's never driven a Ford (or, indeed, a car), I would not dream of driving one off a cliff, nor would the Github team. It's entirely possible that I would forget to use attr_protected. Github certainly did.
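As an added illustration of the two patterns the thread is arguing about (this is constructed example code, not from the thread, from Rails, or from GitHub): a plain-Ruby stand-in for a model with a naive `update_attributes` that sets every key it is handed, the "skinny controller" one-liner that passes the form hash straight through, and the controller-side alternative that explicitly picks the fields a form is allowed to touch. `User`, `update_attributes`, `skinny_update`, `explicit_update` and the `PARAMS` hash are all assumed names and constructed data, not ActiveRecord's real implementation.

```ruby
# Added example, not from the thread. Plain Ruby, no Rails required.
# `User` and its `update_attributes` are a stand-in for an ActiveRecord model
# with no attr_protected / attr_accessible declared: every key in the hash
# becomes a setter call, which is the behaviour being criticised above.
class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Naive mass assignment: call "<key>=" for each key that has a setter.
  def update_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Constructed request parameters in Rack/Rails string-key style.
# "admin" is the extra field a client can add to the form even though the
# page never rendered an input for it.
PARAMS = {
  "user" => { "name" => "mallory", "email" => "m@example.com", "admin" => "true" }
}.freeze

# The "skinny controller" pattern: @user.update_attributes(params[:user]).
# Whatever arrived in the form goes straight into the model.
def skinny_update(user, params)
  user.update_attributes(params["user"])
end

# The pattern the thread recommends: the controller owns the list of fields
# this form may update and forwards only those to the model.
USER_FORM_FIELDS = %w[name email].freeze

def explicit_update(user, params)
  submitted = params.fetch("user", {})
  allowed = submitted.select { |key, _| USER_FORM_FIELDS.include?(key) }
  user.update_attributes(allowed)
end

# Runs both patterns over the same request and reports the admin flag each
# one leaves behind.
def demo
  naive = skinny_update(User.new(name: "alice", email: "a@example.com"), PARAMS)
  safe  = explicit_update(User.new(name: "alice", email: "a@example.com"), PARAMS)
  { naive_admin: naive.admin, safe_admin: safe.admin }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The only difference between the two controller actions is the `select` over an explicit field list; the model stays untouched, which is the "more glue code" the second commenter describes. A model-side `attr_accessible` list protects every caller of the model at once, while the controller-side list lets two different forms update two different subsets of the same record, so the two approaches are complementary rather than exclusive.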