Use strong parameters for User

app/controllers/users_controller.rb

@@ -17,7 +17,7 @@ class UsersController < ApplicationController
   end
 
   def update
-    success = @user.update_attributes params[:user]
+    success = @user.update_attributes user_params
     respond_to do |format|
       format.html {
         if success
@@ -41,6 +41,11 @@ class UsersController < ApplicationController
 
   protected
 
+  def user_params
+    params.require(:user).permit(:owned_closet_hangers_visibility,
+      :wanted_closet_hangers_visibility, :contact_neopets_connection_id)
+  end
+
   def find_and_authorize_user!
     if current_user.id == params[:id].to_i
       @user = current_user

app/models/user.rb

@@ -21,9 +21,6 @@ class User < ActiveRecord::Base
 
   devise :rememberable
 
-  attr_accessible :owned_closet_hangers_visibility,
-    :wanted_closet_hangers_visibility, :contact_neopets_connection_id
-
   def admin?
     name == 'matchu' # you know that's right.
   end