- some tests should be passing again now

Rails 4 accepts that as a parameter thus setting the id to nil
thus thinking it'd be a new record when we just want to update
it

For some reason it doesn't correctly set the bind variables
when called through an association with non-standard
keys. Probably a Rails bug.

Remove :without_protection from call in the posts fetcher and fix a couple hundreds specs as a side effect

Heisenbugs ftw.

Just a minor change, supplied attributes now go before the
standard ones

Rails 4 seem to allow setting the id through supplied parameters
The controllers ported to strong_parameters should guard against
attacks over this vector, but I didn't want to remove the specs
that test this here

See https://coderwall.com/p/45ombq