Using attr_accessible: the right way

users_controller.rb

class UsersController < ApplicationController
  include ActiveModel::MassAssignmentSecurity

  attr_accessible :name, :age
  attr_accessible :name, :age, :admin, :as => :admin

  def create
    @user = User.create!(user_params)
    redirect_to @user
  end
  
  private
  def user_params
    role = current_user.admin? ? :admin : :default
    sanitize_for_mass_assignment(params[:user], role)
  end
end