All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.
The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.
It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors.
Neil Lalonde
Ian Christian Myers
Sam
Chris Hunt
Régis Hanol
Sarah Vessels
Jakub Arnold
Robin Ward