On branch strong-params

Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.

I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin

app/controllers/users_controller.rb

@@ -7,7 +7,7 @@ class UsersController < ApplicationController
   end
 
   def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
     user.build_benefits_data
     if user.save
       session[:user_id] = user.user_id
@@ -35,7 +35,7 @@ class UsersController < ApplicationController
     if user
       user.skip_user_id_assign = true
       user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
       if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
         user.skip_hash_password = false
         user.password = params[:user][:password]
@@ -50,4 +50,15 @@ class UsersController < ApplicationController
       redirect_to user_account_settings_path(:user_id => current_user.user_id)
     end
   end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end