Rails "mass assignment" - what exactly constitutes this?

Rails documentation doesn't make this very clear, but it seems that all uses of update_attributes constitute mass assignment and all attributes need to be whitelisted if using attr_accessible. The docs for update_attributes make no mention of this:

update_attributes(attributes)

Updates this resource with all the attributes from the passed-in Hash and requests that the record be saved.

If the saving fails because of a connection or remote service error, an exception will be raised. If saving fails because the resource is invalid then false will be returned.

Note: Though this request can be made with a partial set of the resource’s attributes, the full body of the request will still be sent in the save request to the remote service.

Are there any other methods I should be aware of that trigger this mass assignment restriction?


I think you should look here: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html

and watch this very old and very short railscast http://railscasts.com/episodes/26-hackers-love-mass-assignment

This will help you a lot with the "mass assignment" topic :)


When using mass assignment, you should use attr_accessible to define which attributes may be updated, or attr_protected to define which shouldn't be updated.

More information on mass assignment here: https://stackoverflow.com/questions/tagged/mass-assignment
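
An added example, not part of the original answers and not Rails' own code: a plain-Ruby stand-in (the `MiniModel` class is hypothetical) for the `attr_accessible` whitelist described above. It shows that every Hash-taking entry point (`new`, `attributes=`, `update_attributes`) passes through the same filter, while an explicit single-attribute setter does not. The parameter values are constructed.

```ruby
# Simplified model of whitelist-based mass-assignment protection.
# MiniModel is a hypothetical stand-in, NOT the Rails implementation.
class MiniModel
  def self.attr_accessible(*names)
    accessible.concat(names.map(&:to_s))
  end

  def self.accessible
    @accessible ||= []
  end

  attr_reader :rejected

  # new(hash) is mass assignment: it hands the whole Hash to attributes=.
  def initialize(attrs = {})
    @rejected = []
    self.attributes = attrs
  end

  # The single choke point: only whitelisted keys reach a setter.
  def attributes=(attrs)
    attrs.each do |key, value|
      key = key.to_s
      if self.class.accessible.include?(key)
        public_send("#{key}=", value)
      else
        @rejected << key # dropped, never assigned
      end
    end
  end

  # update_attributes is mass assignment too (persistence omitted here).
  def update_attributes(attrs)
    self.attributes = attrs
    true
  end
end

class User < MiniModel
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email # :admin deliberately left off the whitelist
end

# Constructed request parameters carrying a field the form never offered.
PARAMS = { "name" => "alice", "email" => "a@example.test", "admin" => true }

def demo
  user = User.new(PARAMS)
  via_new = user.admin
  user.update_attributes("admin" => true)
  via_update = user.admin
  user.admin = true # explicit setter: not mass assignment, not filtered
  [via_new, via_update, user.admin, user.rejected, user.name]
end
```

In server-side code, the explicit setter is the place to change a protected attribute, after the controller has made its own authorization decision.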
