OK, I just found out that in the User model there is unprotected_attributes, and in preferences_controller there is a valid_params? method that checks that only these unprotected_attributes will be updated. So there is no way that a user can modify the params and update the database.
- [Radiant] Radiant CMS and mass assignment Shanison
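The check described in the message above, sketched as an added example (not Radiant's code and not from the original post). Only the names unprotected_attributes and valid_params? come from the post; the User class, its attribute names, guarded_update and the request hashes are hypothetical stand-ins.

```ruby
# Constructed stand-in for an ActiveRecord-style model; not Radiant's code.
class User
  ATTRS = [:name, :email, :locale, :admin].freeze
  attr_accessor(*ATTRS)

  # Hypothetical allowlist of fields a user may change on their own record.
  def self.unprotected_attributes
    [:name, :email, :locale]
  end

  def initialize(attrs = {})
    @admin = false
    update_attributes(attrs)
  end

  # Mass assignment: every key in the hash is written, with no filtering.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Controller-side guard in the spirit of valid_params?: true only when every
# submitted key is on the allowlist. Keys are compared as strings so that
# "admin" and :admin are treated alike.
def valid_params?(params)
  allowed = User.unprotected_attributes.map(&:to_s)
  params.is_a?(Hash) && params.keys.all? { |key| allowed.include?(key.to_s) }
end

# Rejects the whole request if any key outside the allowlist is present.
def guarded_update(user, params)
  return false unless valid_params?(params)
  user.update_attributes(params)
  true
end

# Runs the same tampered request body (constructed) through both paths.
def demo
  tampered = { "name" => "mallory", "admin" => true }
  unguarded = User.new(name: "a").update_attributes(tampered)
  guarded = User.new(name: "a")
  accepted = guarded_update(guarded, tampered)
  { unguarded_admin: unguarded.admin, guarded_admin: guarded.admin, accepted: accepted }
end
```

The guard only protects code paths that call it; any other action that passes request params straight to update_attributes needs the same check.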