Hi, Radiant uses the update_attributes method to update data in a lot of places. The parameter passed to update_attributes is a params hash passed in from the user request. However, I checked Radiant's models like Page and PagePart, and they don't have *attr_accessible* to whitelist the fields allowed for updating. This is mass assignment. It is quite dangerous. What if the user manipulates the input params and adds a parameter to set himself as an administrator? Maybe I missed other parts where Radiant does protect against this?
Thank you.
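To make the concern in the post concrete, here is an added example that is not Radiant's code: a plain-Ruby stand-in for Rails-style mass assignment, runnable without Rails. UnprotectedUser assigns every key the request hash carries; ProtectedUser uses a small attr_accessible stand-in (it mirrors the whitelist idea, not the real ActiveRecord implementation) so that a smuggled "admin" key is dropped. The model names, the MassAssignmentProtection module and the TAMPERED_PARAMS hash are all constructed for the example.

```ruby
# Added example, not Radiant's or Rails' code. Shows why an update_attributes
# call without a whitelist is dangerous and what attr_accessible-style
# filtering changes. The protection module is a constructed stand-in that
# mirrors the idea of Rails' attr_accessible, not its actual implementation.

# Unprotected model: update_attributes writes every key the request supplies.
class UnprotectedUser
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mimics mass assignment without a whitelist: each key in the hash becomes
  # a setter call, including keys the edit form never exposed.
  def update_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Protected model: a minimal attr_accessible stand-in that keeps only
# whitelisted keys before assigning anything.
module MassAssignmentProtection
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declares which attributes a request hash may set.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  def update_attributes(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      next unless allowed.include?(key.to_s) # drop anything not whitelisted
      send("#{key}=", value)
    end
    self
  end
end

class ProtectedUser
  include MassAssignmentProtection
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email # admin is deliberately not listed

  def initialize
    @admin = false
  end
end

# Constructed request params: a legitimate profile edit with an extra
# "admin" field added by the client.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

def unprotected_result(params = TAMPERED_PARAMS)
  UnprotectedUser.new.update_attributes(params)
end

def protected_result(params = TAMPERED_PARAMS)
  ProtectedUser.new.update_attributes(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin flag: #{unprotected_result.admin}" # true
  puts "protected   admin flag: #{protected_result.admin}"   # false
end
```

The check to make on a real model is the same as in the example: list every attribute a request may set and confirm that privilege-bearing columns are absent from that list, since an unlisted column is silently ignored rather than assigned.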
