you need to setup your params first. define a private method inside your class
private
def model_params
params.require(:model).permit(:list :all :your :attributes)
end
then when you do an update, use something like:
@model.update(model_params)
mass assignment is a cool thing in rails, but you need to make sure you are protected
hope that helps