Which fields should be protected from mass assignment

Published 2019-08-26 23:57

Question:

I'm doing a security audit on a Rails 2.3.8 application and one of the things that has come up is our lack of attr_protected or attr_accessible in my model definitions. I understand the reasoning behind them, and have even written a gem to assist with mass assignment, but I'm looking for attributes that I might potentially be missing.

The problem I have is determining which fields should be protected. Are there any rules that people generally follow for this? I'm thinking attributes like foreign keys and booleans like admin? would make sense to protect. I'm also wondering about fields like STI type, and polymorphic *_type/*_id fields. I see that Rails 3 introduced attributes protected by default, but it doesn't appear that Rails 2.3.8 has this.

Any guidance on this would be greatly appreciated.

Answer 1:

My general rule of thumb is that any attribute you don't want users to modify should be protected.

So in my models, I use attr_accessible for all attributes that are present as fields in forms. All others are protected. (I'd rather have everything protected by default.)

In other words: assume all data sent by clients will be maliciously tampered with.

Edit: relevant blog post http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/

Answer 2:

I guess every "potentially dangerous" attribute should be protected, like an admin flag for a user.

In my opinion, ideally, every model should have attr_accessible for all attributes that can be updated. It's the safer solution.
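The whitelist rule from both answers, as an added example that is not from the question or the answers and needs no Rails install: a plain-Ruby `MassAssignment` module (an assumed stand-in that mimics Rails 2.3 `attr_accessible` semantics) with a model that has no whitelist beside one that lists only its form fields, fed the same constructed parameters that carry an `admin` flag, a foreign key and an STI `type`.

```ruby
module MassAssignment
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # Whitelist of attribute names that mass assignment may set; nil means "everything".
    def attr_accessible(*names); @accessible = names.map(&:to_s); end
    def accessible_attributes; @accessible; end
  end

  # Mass-assignment entry point (what new(params) / update_attributes(params) do).
  # Keys not on the whitelist are ignored; their names are returned so the drop is visible.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    dropped = []
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        instance_variable_set("@#{key}", value)
      else
        dropped << key
      end
    end
    dropped
  end
end

# The audit finding: no attr_accessible / attr_protected, so every param lands in the model.
class UnprotectedUser
  include MassAssignment
  attr_reader :name, :email, :admin, :account_id, :type
end

# Answer 1's rule: whitelist only the form fields. admin (boolean flag),
# account_id (foreign key) and type (STI column) are left off and therefore ignored.
class User
  include MassAssignment
  attr_reader :name, :email, :admin, :account_id, :type
  attr_accessible :name, :email
end

# Constructed request parameters, as a tampered client submission might look.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com",
                    "admin" => true, "account_id" => 1, "type" => "AdminUser" }

# Builds a record of the given class from the constructed params;
# returns the record and the list of attribute names that were dropped.
def mass_assign(klass)
  record = klass.new
  dropped = record.assign_attributes(TAMPERED_PARAMS)
  [record, dropped]
end
```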