> Seems like this was not just a security vulnerability but intended and
> documented behavior.
It was poorly considered intended behaviour because of the problems
with :allow_destroy. That's not to say we can't come up with something
nicer, but the original patch isn't it
> What should be done h
My app relied on the security vulnerability fixed in Rails 3.0.1.
While I did specify attributes such as name and email, my main goal
was to use an existing record by specifying the id. The 3.0.1 patch
does not make it possible to specify id in nested attributes. It now
raises a raise_nested_attrib