Mass Assignment

This makes code less verbose and much easier to read, but when used insecurely this approach can allow an attacker to update state they shouldn't have access to.

controllers/people_controller.rb

   class PeopleController < ActionController::Base

  # Danger: this will create a Person object with any parameters an attacker wishes to pass.
  def create
    Person.create(params :person])
  end

  # Danger: this allows an attack update a parameters on any Person they please.
  def update
    redirect_to current_account.people.find(params :id]).tap { |person|
      person.update!(params :person])
    }
  end
end 