Ah that's right, in this case he's trying to make something that belongs to him belong to someone else. Regardless, something like user_id should be protected and really if you're setting up a website whose primary audience is made up of hackers you should be whitelisting on every model.