Challenge 2: A Serializer — Solution # app/serializers/comment_serializer.rb class CommentSerializer < ActiveModel::Serializer attributes :id, :body, :created_at belongs_to :user, serializer: UserSerializer end # app/serializers/user_serializer.rb class UserSerializer < ActiveModel::Serializer attributes :id, :name # no email, no password_digest end =begin Notes: - attributes :id, :body, :created_at is an explicit allowlist -- any other column Comment has in the database (a moderation flag, an internal score, etc.) is left out automatically, simply by not being named here. - belongs_to :user, serializer: UserSerializer nests the associated user under the comment's JSON, but routes that nested data through its own serializer rather than dumping the full User model -- so a column added to User later doesn't leak through Comment's API response by accident. - UserSerializer's own allowlist (:id, :name) is what actually keeps email/password_digest out -- the protection lives on User's serializer, not on Comment's, since that's the model that actually owns those columns. - CommentSerializer is picked up automatically by render json: comment via naming convention (Comment -> CommentSerializer), no manual wiring required in the controller. =end