Suppose you have a Rails User model as follows:
```ruby
class User < ActiveRecord::Base
  # Properties of this model are string:name and boolean:is_admin
end
```
The is_admin property is used to denote whether or not a user should be granted administrative privileges. Only users who are admins should be able to grant admin privileges to users.
Suppose you expose a form in your application in which any user may edit their name. For example:
```erb
<%= form_for @user do |f| %>
  <%= f.label :name %>
  <%= f.text_field :name %>
  <%= f.submit "Update" %>
<% end %>
```
Explain how you've just opened up a security hole in your application. How can you fix this?
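An added illustration, not part of the original question, that simulates the hole without Rails: the `User` class, the `permit` helper and the two `*_update` functions are plain-Ruby stand-ins for ActiveRecord mass assignment, `ActionController::Parameters#permit` and a controller's update action, and the request hash is constructed.

```ruby
# Stand-in for the User model: like ActiveRecord's update(attrs), every key in
# the incoming hash is turned into a setter call, including is_admin.
class User
  attr_accessor :name, :is_admin

  def initialize(name:, is_admin: false)
    @name = name
    @is_admin = is_admin
  end

  # Mass assignment: no distinction between fields the form shows and fields it does not.
  def update(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Simplified stand-in for strong parameters: keep only the whitelisted keys.
def permit(params, *allowed)
  params.select { |k, _| allowed.include?(k.to_sym) }
end

# Vulnerable controller logic: the raw request hash goes straight to update,
# so any attribute the model has can be set by whoever submits the form.
def vulnerable_update(user, params)
  user.update(params[:user])
end

# Hardened version: only :name may be set from this form; is_admin is dropped
# before it ever reaches the model.
def safe_update(user, params)
  user.update(permit(params[:user], :name))
end

# Constructed request body: the name field plus an extra is_admin field that
# the rendered form never offered.
CRAFTED = { user: { name: "Mallory", is_admin: true } }

# Returns [is_admin after vulnerable update, is_admin after safe update].
def demo
  v = vulnerable_update(User.new(name: "Alice"), CRAFTED)
  s = safe_update(User.new(name: "Alice"), CRAFTED)
  [v.is_admin, s.is_admin]  # => [true, false]
end
```

The same whitelist is what `params.require(:user).permit(:name)` expresses in a real Rails controller; the point is that the filter, not the form, decides which attributes a request may change.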