Like attr_protected, a role for the attributes is optional, if no role is provided then :default is used. A role can be defined by using the :as option.
如同 attr_protected，添加的 attributes 是他的一个选项，如果没有角色被提供，那么会使用:default 选项。一个属性 role 可以在定义的时候使用:as 选项（定制别名）
This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.