From 8c482120acea1b7305af16c4c8c3731ef4c56ddb Mon Sep 17 00:00:00 2001 From: David Winiecki Date: Sun, 15 Nov 2015 23:11:01 -0800 Subject: [PATCH] Correct readme migration path instructions Without the extra steps added to the readme in this commit, the migration to Rails 4 instructions will cause ActiveModel::MassAssignmentSecurity::Error to be raised on any model that has had necessary attr_accessible declarations removed (as the instructions direct), because `config.active_record.whitelist_attributes = true` in config/application.rb, which is the default setting, requires all models to whitelist mass-assigned attributes. The extra steps added to the readme in this commit make it possible to update and deploy one model at a time, which is valuable. I'm not very familiar with this, but it appears that attr_protected works because it signals that the model secures mass assignment with a blacklist, and then an empty black list makes all attributes accessible and leaves the responsibility of mass assignment protection to strong_parameters. More info: http://stackoverflow.com/a/14252971/724752 https://github.com/rails/strong_parameters/issues/226 An alternative to this commit might be to just put an `attr_protected` with no arguments in ActiveModel::ForbiddenAttributesProtection, but I'm not ready to investigate that now. --- README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8b7b582..83c9f7a 100644 --- a/README.md +++ b/README.md @@ -224,11 +224,12 @@ For each model: #### 3.1 Add Protection -Remove any `attr_accessible` or `attr_protected` declarations and include +Remove any `attr_accessible` declarations, create an `attr_protected` declaration with no arguments, and include `ActiveModel::ForbiddenAttributesProtection`: ``` ruby class Post < ActiveRecord::Base + attr_protected include ActiveModel::ForbiddenAttributesProtection end ``` 
@@ -257,16 +258,17 @@ Ready to work on the next model. ### 4 Add Protection Globally -Once all models are done, remove their inclusion of the protecting module: +Once all models are done, remove their inclusion of the protecting module and the `attr_protected`: ``` ruby class Post < ActiveRecord::Base - # REMOVE THIS LINE IN EVERY PERSISTENT MODEL + # REMOVE THESE TWO LINES IN EVERY PERSISTENT MODEL + attr_protected include ActiveModel::ForbiddenAttributesProtection end ``` -and add it globally in an initializer: +and add the the protecting module globally in an initializer: ``` ruby # config/initializers/strong_parameters.rb @@ -275,6 +277,12 @@ ActiveRecord::Base.class_eval do end ``` +Also delete this line from `config/application.rb` or set it to false: + +``` ruby +config.active_record.whitelist_attributes = true +``` + ### 5 Upgrade to Rails 4 To upgrade to Rails 4 just remove the previous initializer, everything else is
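Review bot: In the section 3.1 hunk, the reworded sentence no longer covers models that already carry an `attr_protected` declaration with arguments. The old text said to remove `attr_accessible` or `attr_protected`; the new text mentions only `attr_accessible` and then says to "create" a bare `attr_protected`. Suggest wording along the lines of "Remove any `attr_accessible` declarations, replace any existing `attr_protected` declaration with one that takes no arguments, and include". The README should also say why the bare `attr_protected` is there: according to the commit message, an empty blacklist makes every attribute mass-assignable, so the model depends entirely on `ActiveModel::ForbiddenAttributesProtection` from that point on. That reasoning currently lives only in the commit message.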
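Review bot: Typo in the section 4 hunk: the added line "and add the the protecting module globally in an initializer:" has a doubled "the". In the same hunk, "remove their inclusion of the protecting module and the `attr_protected`" would read better as "and the `attr_protected` declaration", which also matches the new comment "REMOVE THESE TWO LINES IN EVERY PERSISTENT MODEL".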
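Review bot: In the last hunk (the lines added before "### 5 Upgrade to Rails 4"), the prose says to delete the setting or set it to false, but the snippet shows `config.active_record.whitelist_attributes = true`, which is easy to copy as if it were the desired end state. Suggest either showing the target value (`= false`) or introducing the snippet explicitly as the line to remove. The README should also state that this change has to be deployed together with the removal of `attr_protected` from the models: per the commit message, with whitelisting still enabled, a model that has neither `attr_accessible` nor `attr_protected` raises `ActiveModel::MassAssignmentSecurity::Error` on mass assignment. "Also" does not make that ordering clear.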