Ruby On Rails Classroom

Pooja Negi / Student / Web Technology

Lessons: Deleting Users - Administrative Users
>> user.toggle!(:admin)
=> true
>> user.admin?
=> true

 

As a result, the admin tests should pass:

$ bundle exec rspec spec/models/user_spec.rb

 

As a final step, let’s update our sample data populator to make the first user an admin by default (Listing 9.41). 

 

Then reset the database and re-populate the sample data:

$ bundle exec rake db:reset
$ bundle exec rake db:populate
$ bundle exec rake db:test:prepare

 

Revisiting attr_accessible


You might have noticed that Listing 9.41 makes the user an admin with toggle!(:admin), but why not just add admin: true to the initialization hash?
The answer is, it won’t work, and this is by design: Only attr_accessible attributes can be assigned through mass assignment, and the admin attribute isn’t accessible. Listing 9.42 reproduces the most recent list of attr_accessible attributes—note that :admin is not on the list. 

 

 

Explicitly defining accessible attributes is crucial for good site security. If we omitted the attr_accessible list in the User model (or foolishly added :admin to the list), a malicious user could send a PUT request as follows:

put /users/17?admin=1

 

This request would make user 17 an admin, which would be a potentially serious security breach, to say the least. Because of this danger, it is a good practice to define attr_accessible for every model. In fact, it’s a good idea to write a test for any attribute that isn’t accessible; writing such a test for the admin attribute is left as an exercise (Section 9.6). 
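The whitelist behaviour described above, as an added example that is not the Rails Tutorial's own code: a small stand-alone model of attr_accessible that runs without Rails. The MassAssignment module, rejected_attributes and the UPDATE_PARAMS hash are assumptions made for this illustration, not Rails APIs; the point is that admin=1 in a params hash never reaches the model, while toggle!(:admin) in the populator still does.

```ruby
# Added example (not from the Rails Tutorial): minimal model of the
# attr_accessible whitelist. MassAssignment and rejected_attributes are
# assumptions made for this illustration.
module MassAssignment
  module ClassMethods
    # Whitelist of attributes that may be set from a params-style hash.
    def attr_accessible(*names)
      (@accessible ||= []).concat(names.map(&:to_sym))
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Mass assignment: whitelisted keys are copied; anything else, such as
  # :admin, is dropped (Rails' default sanitizer logs it rather than raising).
  def assign_attributes(attrs)
    attrs.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        (@rejected ||= []) << key.to_sym
      end
    end
  end

  def rejected_attributes
    @rejected || []
  end
end

class User
  include MassAssignment
  extend MassAssignment::ClassMethods
  attr_accessible :name, :email, :password, :password_confirmation
  attr_reader :name, :email

  def initialize(attrs = {})
    @admin = false          # admin is never mass-assignable
    assign_attributes(attrs)
  end

  def admin?
    @admin
  end

  # Deliberate single-attribute change, as used by the sample data populator.
  def toggle!(attr)
    instance_variable_set("@#{attr}", !instance_variable_get("@#{attr}"))
    true
  end
end

# Constructed params hash, as the request shown above would deliver it.
UPDATE_PARAMS = { "name" => "Example User", "email" => "user@example.com", "admin" => "1" }
```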
