Hi,

Radiant use update_attributes method to update data in a lot of places. The 
parameter passed to update_attributes is a params hash passed in from user 
request. However I checked Radiant's models like Page, PagePart, they don't 
have *attr_accessible *to white list those fields allowed for updating. This 
is mass assignment. It is quite dangerous. What if the user manipulate the 
input param and add the parameter and set himself as a administrator? Maybe 
I missed out any other parts where Radiant did protect this? 

Thank you.

Reply via email to