In Rails 3.2, the default recommendation is now to throw an exception on mass-assignment of protected attributes in development and test environments.
In CanCan, even if one protects attributes, it is common to override some of them when building a resource. For example, in ability.rb:
can :manage, Thing, :user_id => user.id
build_resource will apply the specified user id to the newly created Thing, but does so only after mass assigning all params, and only if the attribute was not in the parameter. It seems that maybe it should work differently --> if an attribute was specified in ability.rb, then only use that attribute, and don't allow assigning any params otherwise in build_resource
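The ordering problem described above, as an added example that is not CanCan's code: a plain-Ruby model of build_resource's described behaviour (mass-assign params, then apply ability attributes only where params were silent) beside the variant the issue proposes. `Thing`, `ability_attributes`, `build_resource_current` and `build_resource_proposed` are hypothetical stand-ins, and `SAMPLE_PARAMS` is a constructed request.

```ruby
# Added example (not CanCan's code): a plain-Ruby model of the build_resource
# behaviour the issue describes, beside the variant the issue proposes.
# Thing stands in for an ActiveRecord model; no Rails is loaded.
class Thing
  attr_accessor :user_id, :title

  # Mass assignment as build_resource does it: every param is applied.
  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Conditions from `can :manage, Thing, :user_id => user.id` in ability.rb,
# as a hash of attribute => value the ability ties the resource to.
def ability_attributes(current_user_id)
  { user_id: current_user_id }
end

# Current behaviour as described: mass-assign params first, then apply an
# ability attribute only when the params did not already supply it.
def build_resource_current(params, current_user_id)
  thing = Thing.new(params)
  ability_attributes(current_user_id).each do |attr, value|
    thing.public_send("#{attr}=", value) unless params.key?(attr)
  end
  thing
end

# Proposed behaviour: attributes fixed by the ability are never taken from
# params. A conflicting param is rejected instead of silently overwritten,
# so a form that names another owner fails loudly and can be logged.
class ForbiddenAttribute < StandardError; end

def build_resource_proposed(params, current_user_id)
  forced = ability_attributes(current_user_id)
  conflicts = params.keys & forced.keys
  raise ForbiddenAttribute, "not assignable: #{conflicts.join(', ')}" unless conflicts.empty?
  Thing.new(params.merge(forced))
end

# Constructed request: the logged-in user (id 7) submits a form whose
# params also carry a user_id for a different account (id 42).
SAMPLE_PARAMS = { title: 'hello', user_id: 42 }.freeze

if __FILE__ == $0
  puts build_resource_current(SAMPLE_PARAMS, 7).user_id  # 42: owner taken from params
  begin
    build_resource_proposed(SAMPLE_PARAMS, 7)
  rescue ForbiddenAttribute => e
    puts e.message  # not assignable: user_id
  end
end
```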
Can you try the most recent version to see if your issue has been resolved? This issue is tagged 2.0, so you'll want to use the master branch.
This is one of the oldest CanCan issues with no discussion. CanCan is struggling right now to implement support for rails 4, and the issue count is nearing 200. It would be a big help if we could close a few old issues and get the issue count down. Thanks!
Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.
CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.
If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.
We hope to see you on the other side!