Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

tomasz154's Profile

GitHub User: tomasz154

Comments by

Avatar

Hey Ryan!

I'm new to Rails and I really like Your screencasts.
However, I think I've found kind of security flaw in this one.

In password_resets_controller.rb you do:

ruby
@user.update_attributes(params[:user])

It allows the user to change any attribute he wants using prepared form/request.

I realize this is just an example, and in production you probably wouldn't do it, but still, it's not good example IMHO.

Correct me if I'm wrong.