Tags: ruby-on-rails, model-view-controller, model, controller, mass-assignment

Do I need to protect against mass-assignment if a model does not have an associated controller?


This probably sounds like a silly question to a seasoned Rails developer. Do I need to protect against mass-assignment if a model does not have an associated controller? I'm guessing that I don't need to, but it would be great if anyone could confirm this.

Also, what about the scenario where there is a controller but no route to the create/update/destroy actions?

Thanks, Noel


Solution

  • I would say yes, as a different controller (or a library method, cron job, delayed job, etc.) could now (or in the future) do an update on this model and thus raise the mass-assignment issue of concern.

    The route question depends a lot on the Rails version.

    Rails 2 usually has a default route that might get it to the controller.

    Rails 3 is more restrictive and does need a specified route unless the Rails 2-style default is added.
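
The answer's point that a cron job or library method can hit the same mass-assignment problem as a controller, shown as an added example that is not part of the original post. It is a plain-Ruby stand-in for a model rather than Rails code; `Subscription`, `import_row` and `FEED_ROW` are hypothetical names, and the allow-list follows the idea behind Rails' `attr_accessible`.

```ruby
# Plain-Ruby stand-in for a model with no controller (hypothetical names).
class Subscription
  ATTRS      = %w[email plan admin].freeze
  # Model-level allow-list, the same idea as Rails' attr_accessible.
  ACCESSIBLE = %w[email plan].freeze

  attr_reader :email, :plan, :admin

  def initialize
    @email = nil
    @plan  = "free"
    @admin = false
  end

  # Unprotected mass assignment: every known key in the hash is written.
  def unsafe_update(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", v) if ATTRS.include?(k.to_s) }
    []
  end

  # Protected mass assignment: keys outside the allow-list are skipped
  # and returned so the caller can log them.
  def safe_update(attrs)
    rejected = []
    attrs.each do |k, v|
      if ACCESSIBLE.include?(k.to_s)
        instance_variable_set("@#{k}", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# A non-controller caller, e.g. a cron or delayed job importing external rows.
# It passes the whole hash to the model, exactly as a controller would.
def import_row(model, row, protect:)
  protect ? model.safe_update(row) : model.unsafe_update(row)
  model
end

# Constructed sample input: a feed row carrying a field the job never meant to set.
FEED_ROW = { "email" => "user@example.test", "plan" => "pro", "admin" => true }.freeze

puts import_row(Subscription.new, FEED_ROW, protect: false).admin
puts import_row(Subscription.new, FEED_ROW, protect: true).admin
```

Because the allow-list lives on the model, it applies to every caller, including ones added after the model was written.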