The fact that this is even a discussion is sufficient for me to consider it a bug. It's irresponsible of the Rails team to leave this default the way it is given that it's long been a known risk.

That they like to consider it a "feature" doesn't make it any better - it just makes them look like idiots

I was going to say the same thing.

The Security guide does describe the issue, and even describes attr_accessible as a "Countermeasure". http://guides.rubyonrails.org/security.html#mass-assignment

Without any precautions Model.new(params[:model]) allows attackers to set any database column’s value.

Unbelieveable! PHP showed long ago that allowing a web request to auto-populate arbitrary members in app objects is just a spectacularly bad idea.

Even the canonical "Hello Rails" example code neglects to specify attr_accessible. http://guides.rubyonrails.org/getting_started.html#hello-rai...

The general attitude of Rails developers towards security here is really shocking. I don't think I could recommend anyone use Rails.

Er.. that's because there's nothing malicious an attacker can do with the mass-assignment vulnerability in the "Hello Rails" app?

Being able to change the :id or timestamps of the post isn't anywhere near the SQL injection vulnerabilities I've seen in many tutorials in other languages/frameworks.

I agree, though, I wouldn't recommend Rails to people who can't bother to read documentation.