Radiant uses the update_attributes method to update data in a lot of places.
The parameter passed to update_attributes is a params hash passed in from the
user request. However, I checked Radiant's models like Page and PagePart; they
don't have *attr_accessible* to whitelist the fields allowed for updating. This
is mass assignment. It is quite dangerous. What if the user manipulates the
input params, adds a parameter, and sets himself as an administrator? Maybe
I missed some other part where Radiant does protect against this?
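
The concern in the message above, as an added example that is not part of the original post and is not Radiant's code: a plain-Ruby stand-in for ActiveRecord's update_attributes, run once against a model with no allow-list and once against a model that declares one. The BaseModel class, the user models, their attributes and the request parameters are all hypothetical and constructed for illustration.

```ruby
# Plain-Ruby stand-in for ActiveRecord mass assignment (no Rails required).
# Model and attribute names are hypothetical, not Radiant's schema.
class BaseModel
  # Class-level allow-list mimicking attr_accessible; nil means none declared.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible
  end

  # Mimics update_attributes: assigns every key unless an allow-list exists.
  # Returns the keys that were refused so callers can log or alert on them.
  def update_attributes(params)
    allowed = self.class.accessible
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        public_send("#{key}=", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

class UnprotectedUser < BaseModel
  attr_accessor :name, :email, :admin
end

class ProtectedUser < BaseModel
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email   # admin is deliberately left off the list
end

# Constructed request parameters: a profile form plus one field it never offered.
REQUEST_PARAMS = { "name" => "Alice", "email" => "alice@example.com", "admin" => true }.freeze

def apply_request(model_class)
  user = model_class.new
  user.admin = false
  rejected = user.update_attributes(REQUEST_PARAMS)
  { admin: user.admin, name: user.name, rejected: rejected }
end
```

In Rails 4 and later the same allow-listing is done in the controller with strong parameters (`params.require(...).permit(...)`) rather than with attr_accessible on the model.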