For 3.2 upgrade, and to improve protection against mass-assignment exploits, we recently changed an app to use a more strict "whitelist" approach. In case you missed it, there was a lot of drama recently around the exploit: http://www.infoq.com/news/2012/03/GitHub-Compromised. Basically, the power of Rails can be used to sneak in extra attributes (that are not presented in the UI) into requests, attributes that map to database properties. This Rails magic happens with any method that ultimately calls ActiveRecord update_attributes.
One way to tighten this up is by setting the following in application.rb:
config.active_record.whitelist_attributes = true
With that set, only attributes that are explicitly defined by attr_accessible are eligible for update from update_attributes. This includes nested attributes that correspond to accepts_nested_attributes_for, for example :line_item_attributes.