All fields in a user object are shown by default, including the persistence token, crypted password, salt, email address and OpenID.
You can disable the formatted routes, or you can sanitize these fields by overriding to_xml, to_json, etc. to always use the
:only => [...whitelisted fields...]
option. (The attr_visible plugin http://github.com/mrflip/attr_visible helps implement the latter.)
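As an added example (not code from this post or from attr_visible), a plain-Ruby stand-in for the user model that puts the default dump-everything serialization beside the whitelisting override; the User class, its columns and the VISIBLE_FIELDS list are constructed for illustration and assume a Rails-style :only / :except options hash.

```ruby
require 'json'
require 'cgi'

# Constructed stand-in for an ActiveRecord user model (no Rails needed):
# attributes live in a hash and serialization honours :only / :except the
# way Rails' serializers do.
class User
  # Assumed whitelist: the only columns an API consumer should ever see.
  VISIBLE_FIELDS = %w[id login].freeze

  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes.transform_keys(&:to_s)
  end

  # Default behaviour: every column unless the caller narrows the set.
  def serializable_hash(options = {})
    keys = attributes.keys
    keys &= Array(options[:only]).map(&:to_s) if options[:only]
    keys -= Array(options[:except]).map(&:to_s) if options[:except]
    attributes.slice(*keys)
  end

  # Unsafe: dumps everything, including persistence_token, crypted_password and salt.
  def to_json_unsafe(options = {})
    JSON.generate(serializable_hash(options))
  end

  # Hardened override: the whitelist is merged in last, so a caller-supplied
  # :only can never widen what is exposed (:except may still narrow it).
  def to_json(options = {})
    opts = options.is_a?(Hash) ? options : {}
    JSON.generate(serializable_hash(opts.merge(only: VISIBLE_FIELDS)))
  end

  # Same whitelist for the XML representation (minimal builder, values escaped).
  def to_xml(options = {})
    fields = serializable_hash(options.merge(only: VISIBLE_FIELDS))
    body = fields.map { |k, v| "<#{k}>#{CGI.escapeHTML(v.to_s)}</#{k}>" }.join
    "<user>#{body}</user>"
  end
end
```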