It seems to me that it may be possible to integrate the Rails 3 mass assignment protection with CanCan?
So we could define our controllers simply, e.g. with a :default and an :admin role:
    class AccountsController < ApplicationController
      # (cancan could include this for convenience => ) include ActiveModel::MassAssignmentSecurity
      attr_accessible :first_name, :last_name                                # this is :as => :default
      attr_accessible :first_name, :last_name, :plan_id, :rating, :as => :admin
    end
In CanCan we would say:

    can [:read, :update], Accounts   # :as => :default if not specified
    can :manage, Accounts, :as => :admin
CanCan would sanitize the params & instance variables for us, based on the roles, so the controllers don't have to change at all for mass assignment security. Is this possible or useful?
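As an added example, not code from this issue, from Rails or from CanCan, here is a dependency-free Ruby sketch of the behaviour proposed above: role-scoped attr_accessible whitelists, a sanitizer that drops every key outside the current role's whitelist, and a controller-style update that takes the role from an ability check instead of from the request. The RoleScopedMassAssignment module, mass_assignment_role_for and update_account are assumed names standing in for the real Rails and CanCan pieces.

```ruby
require 'set'

# Role-scoped whitelists in the spirit of attr_accessible(..., :as => role).
module RoleScopedMassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def accessible_attributes
      @accessible_attributes ||= Hash.new { |h, role| h[role] = Set.new }
    end

    # attr_accessible :a, :b -> :default whitelist; with :as => r -> whitelist for r
    def attr_accessible(*names)
      opts = names.last.is_a?(Hash) ? names.pop : {}
      accessible_attributes[opts.fetch(:as, :default)].merge(names.map(&:to_s))
    end
  end

  # Keeps only keys whitelisted for +role+; an unknown role gets an empty whitelist.
  def sanitize_for_mass_assignment(attrs, role = :default)
    allowed = self.class.accessible_attributes[role]
    attrs.select { |key, _| allowed.include?(key.to_s) }
  end

  # Assigns the sanitized attributes; returns the names of the attributes dropped.
  def assign_attributes(attrs, options = {})
    kept = sanitize_for_mass_assignment(attrs, options.fetch(:as, :default))
    kept.each { |key, value| public_send("#{key}=", value) }
    attrs.keys.map(&:to_s) - kept.keys.map(&:to_s)
  end
end

class Account
  include RoleScopedMassAssignment
  attr_accessor :first_name, :last_name, :plan_id, :rating
  attr_accessible :first_name, :last_name                    # :as => :default
  attr_accessible :first_name, :last_name, :plan_id, :rating, :as => :admin
end

# Stand-in for the proposed CanCan hook: the ability decides the assignment role.
def mass_assignment_role_for(user)
  user[:admin] ? :admin : :default
end

# What the controller would do: role comes from the ability, never from params.
def update_account(account, params, user)
  dropped = account.assign_attributes(params, :as => mass_assignment_role_for(user))
  [account, dropped]
end
```

With a constructed request `{ 'first_name' => 'Ada', 'plan_id' => 9, 'rating' => 5 }` a non-admin user ends up with only first_name set and `['plan_id', 'rating']` reported as dropped, while an admin keeps all four.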