ActiveRecord to_xml Security Strategy
November 12th, 2007
As noted on blog.wolfman.com, there is a security problem when using the scaffolded respond_to set-up: by default, every column of the record is included in the XML output.
The write-side (mass-assignment) protection provided by attr_accessible doesn't help in this situation, but having to write a custom to_xml method that steps through each of these already-whitelisted attributes is a bit silly and not very DRY.
My solution is to do something like:
  # Default :only to the attr_accessible whitelist; caller-supplied
  # options are merged on top, so explicit arguments still win.
  def to_xml(options = {})
    super({:only => self.class.accessible_attributes}.merge(options))
  end
Breaking that out, as I do, into a SecureModel mix-in seems like a good move.
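The following is an added, stand-alone illustration of that SecureModel mix-in; it is not code from the original post or from Rails. Because it has to run without ActiveRecord, it uses a constructed FakeRecord base class that imitates just the parts the post relies on (a class-level attr_accessible / accessible_attributes whitelist and a to_xml that honours :only and :except the way the Rails serializer does, with :only taking precedence). The User class and its attribute values are likewise constructed for the example.

```ruby
require 'cgi'

# Constructed stand-in for ActiveRecord::Base (NOT ActiveRecord itself).
# It provides only the two things the mix-in needs: the attr_accessible
# whitelist and a to_xml that understands :only / :except.
class FakeRecord
  def self.attr_accessible(*names)
    @accessible_attributes = names.map(&:to_s)
  end

  # Rails 2.x exposed the whitelist as a class-level collection of strings.
  def self.accessible_attributes
    @accessible_attributes || []
  end

  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Mirrors the serializer's rule: when both are given, :only wins over :except.
  def to_xml(options = {})
    names = attributes.keys
    if options[:only]
      names &= Array(options[:only]).map(&:to_s)
    elsif options[:except]
      names -= Array(options[:except]).map(&:to_s)
    end
    root = options[:root] || self.class.name.downcase
    body = names.map do |n|
      "  <#{n}>#{CGI.escapeHTML(attributes[n].to_s)}</#{n}>\n"
    end.join
    "<#{root}>\n#{body}</#{root}>\n"
  end
end

# The mix-in from the post: default the serialized attribute set to the
# attr_accessible whitelist, letting explicit caller options override it.
module SecureModel
  def to_xml(options = {})
    super({ :only => self.class.accessible_attributes }.merge(options))
  end
end

# Hypothetical model: only name and email are mass-assignable, and therefore
# only they appear in the default XML representation.
class User < FakeRecord
  include SecureModel
  attr_accessible :name, :email
end

# Constructed sample record with two columns that must not be exposed.
def sample_user
  User.new(name: 'alice', email: 'alice@example.com',
           password_hash: 'deadbeef', admin: true)
end

# Helper for inspecting which child elements a rendered document contains.
def xml_element_names(xml)
  xml.scan(/^  <(\w+)>/).flatten
end

if __FILE__ == $0
  puts sample_user.to_xml                  # name and email only
  puts sample_user.to_xml(:only => [:name]) # caller narrows further
end
```

One caveat worth keeping in mind with the merge order: the whitelist is only a default, so a caller that passes its own :only (or :root) replaces it rather than intersecting with it. That is the right behaviour for the scaffolded `render :xml => @record` path the post is about, but if you need callers to be unable to widen the set, intersect `options[:only]` with `accessible_attributes` instead of merging.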