I have several Rails models that I'm trying to expose via a REST api. I'm looking for a simple way to allow mass assignment in certain contexts (through the api or admin interface) but to disallow when populating from user based forms.
There are a few catches as well. First, I'm populating a bunch of child objects using accepts_nested_attributes_for. Second, I'm using resource_controller plugin which automatically applies params correctly for you in standard update case. The api controllers are in their own "namespace" so I'm open to something DRY that could be implemented in a base controller.
Several solutions come to mind but no clean solution presents itself at the moment. Any suggestions?