I’m creating what is essentially a public-facing site with a protected admin backend (i.e. the only users will be the admins themselves).
As my app stands now, users can be created via the app (though Users#new and Users#edit are accessible only to existing admins). In keeping with security best practices, I’ve kept my :admin boolean attribute out of my attr_accessible, so a user’s admin status cannot be assigned or toggled via mass assignment.
class User < ActiveRecord::Base
  # :admin is deliberately left out of the whitelist, so it cannot be set via mass assignment
  attr_accessible :name, :email, :password, :password_confirmation
end
I’m currently only able to assign admin status via the console, but I’d like for my clients to be able to create new users and give them admin status from within the app.
How would I handle the equivalent of user.toggle!(:admin) from within the app, without mass assignment?
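As an added illustration (not code from the question or from any answer), the Rails-free Ruby sketch below shows the pattern the question is after: authorize the caller, then set the flag explicitly in code instead of reading it from params. The `User` class only emulates the attr_accessible whitelist so the snippet runs stand-alone, and the hypothetical `toggle_admin` method stands in for a controller action; in a real app ActiveRecord supplies `update_attributes` and `toggle!`.

```ruby
require 'set'

# Minimal stand-in for the ActiveRecord model in the question. Only the
# whitelisted attributes can be set through mass assignment; :admin is not
# on the list, exactly as with attr_accessible.
class User
  ACCESSIBLE = Set.new(%i[name email password password_confirmation])
  attr_reader :name, :email

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  # Emulates attr_accessible: keys outside the whitelist are dropped, so a
  # crafted form field such as user[admin]=1 never reaches the object.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  def update_attributes(attrs)
    assign_attributes(attrs)
  end

  # The explicit path, equivalent to user.toggle!(:admin): it is only
  # reachable from application code, never from request parameters.
  def toggle_admin!
    @admin = !@admin
    self
  end

  def admin?
    @admin
  end
end

class Forbidden < StandardError; end

# Stand-in for the controller action: check that the caller is an admin,
# then flip the flag directly. No params hash is involved at all.
def toggle_admin(current_user, target)
  raise Forbidden, 'admins only' unless current_user.admin?
  target.toggle_admin!
end
```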
Here is a great tutorial which fits your needs.