Not to mention that that's a trivial security mistake. ActiveRecord makes it very easy to just "read" the id, and ignore whether or not the user actually has access to it, or just guessed the id. Any operation using an id needs to be checking if you actually have rights to the object. Yes, it requires an extra SELECT before you UPDATE or an extra condition (my ORM doesn't do that), but it's secure.
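The two options named in the comment above (an extra SELECT before the UPDATE, or an extra condition on the UPDATE) next to the unchecked form, as an added example that is not part of the original comment. It uses Python's built-in `sqlite3` so the SQL is visible without an ORM; the `documents` table, its `owner_id` column and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 10 owns document 1, user 20 owns document 2.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE documents (
            id INTEGER PRIMARY KEY,
            owner_id INTEGER NOT NULL,
            title TEXT NOT NULL
        );
        INSERT INTO documents (id, owner_id, title)
        VALUES (1, 10, 'alice notes'), (2, 20, 'bob notes');
    """)
    return db

def rename_unchecked(db, doc_id, title):
    # The mistake: the id from the request is trusted as-is.
    cur = db.execute("UPDATE documents SET title = ? WHERE id = ?",
                     (title, doc_id))
    return cur.rowcount == 1

def rename_select_first(db, user_id, doc_id, title):
    # Option 1, extra SELECT: load the row and check ownership before writing.
    row = db.execute("SELECT owner_id FROM documents WHERE id = ?",
                     (doc_id,)).fetchone()
    if row is None or row[0] != user_id:
        # Same result for "no such row" and "not yours", so a caller
        # cannot use the response to learn which ids exist.
        return False
    db.execute("UPDATE documents SET title = ? WHERE id = ?", (title, doc_id))
    return True

def rename_scoped(db, user_id, doc_id, title):
    # Option 2, extra condition: ownership is part of the WHERE clause,
    # so the check and the write happen in one statement.
    cur = db.execute(
        "UPDATE documents SET title = ? WHERE id = ? AND owner_id = ?",
        (title, doc_id, user_id))
    return cur.rowcount == 1

def title_of(db, doc_id):
    return db.execute("SELECT title FROM documents WHERE id = ?",
                      (doc_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("unchecked, user 10 -> doc 2:", rename_unchecked(db, 2, "changed"))
    db = make_db()
    print("select-first, user 10 -> doc 2:", rename_select_first(db, 10, 2, "changed"))
    print("scoped, user 10 -> doc 2:", rename_scoped(db, 10, 2, "changed"))
    print("scoped, user 10 -> doc 1:", rename_scoped(db, 10, 1, "mine"))
```

In ActiveRecord the scoped form corresponds to looking the record up through the owner's association rather than through the model's plain `find`.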