This repository was archived by the owner on Aug 17, 2017. It is now read-only.
This repository was archived by the owner on Aug 17, 2017. It is now read-only.
developers can easily bypass mass assignment protection without noticing #205
tainted information will not be passed when params[:user].symbolize_keys or params.to_hash (any method that may change the type) is called, because only ActionController::Parameters has permitted? method. So developers can easily accidentally bypass this strong parameter protection. Did strong parameter consider this?