Whitelist all attribute assignment by default.

Change the default for newly generated applications to whitelist all attribute assignment.  Also update the generated model classes so users are reminded of the importance of attr_accessible.

activerecord/lib/rails/generators/active_record/model/model_generator.rb

@@ -30,6 +30,10 @@ module ActiveRecord
         attributes.select { |a| a.has_index? || (a.reference? && options[:indexes]) }
       end
 
+      def accessible_attributes
+        attributes.reject(&:reference?)
+      end
+
       hook_for :test_framework
 
       protected

activerecord/lib/rails/generators/active_record/model/templates/model.rb

@@ -3,5 +3,10 @@ class <%= class_name %> < <%= parent_class_name.classify %>
 <% attributes.select {|attr| attr.reference? }.each do |attribute| -%>
   belongs_to :<%= attribute.name %>
 <% end -%>
+<% if  !accessible_attributes.empty? -%>
+  attr_accessible <%= accessible_attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>
+<% else  -%>
+  # attr_accessible :title, :body
+<% end -%>
 end
 <% end  -%>

railties/lib/rails/generators/rails/app/templates/config/application.rb

@@ -58,7 +58,7 @@ module <%= app_const_base %>
     # This will create an empty whitelist of attributes available for mass-assignment for all models
     # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
     # parameters by using an attr_accessible or attr_protected declaration.
-    # config.active_record.whitelist_attributes = true
+    config.active_record.whitelist_attributes = true
 
 <% unless  options.skip_sprockets? -%>
     # Enable the asset pipeline

railties/test/generators/model_generator_test.rb

@@ -319,4 +319,14 @@ class ModelGeneratorTest < Rails::Generators::TestCase
       end
     end
   end
+
+  def test_attr_accessible_added_with_non_reference_attributes
+    run_generator
+    assert_file 'app/models/account.rb', /attr_accessible :age, :name/
+  end
+
+  def test_attr_accessible_added_with_comments_when_no_attributes_present
+    run_generator ["Account"]
+    assert_file 'app/models/account.rb', /# attr_accessible :title, :body/
+  end
 end