Like I said, we think the best way to restrict attributes to certain roles is to use the strong parameters gem that DHH introduced recently. This will also be part of Rails4 thankfully.

Even if it doesn’t fit, it’s a good idea to start integrating the principles as it will make your Rails 3 to 4 upgrade easier.

If you have a Railscasts Pro membership, Ryan Bates has made another fantastic tutorial on it.

In brief, here’s what’s recommended in that Railscast.

After installing the gem, remove attr_accessible from your model.

Add this to an initializer:

ActiveRecord::Base.send(:include,  ActiveModel::ForbiddenAttributesProtection)

Alter your update action in your controller::

def update
  @topic = Topic.find(params[:id])
  if @topic.update_attributes(topic_params)
    redirect_to topics_url, notice: "Updated topic."
  else
    render :edit
  end
end 

Create a private method in your controller:

 def topic_params
   if current_user && current_user.admin?
     params[:topic].permit(:name, :sticky)
    else
      params[:topic].permit(:name)
    end
  end

In your situation, like we do, you’d have to change the topic_params method to use your roles.

There’s a few more suggestions in the RailsCast and it’s really worth the $9! (I’m in no way affiliated with the site, it’s just proven invaluable to us)

Let me know if this helps.