References:
* http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
* http://guides.rubyonrails.org/security.html#mass-assignment
* http://weblog.rubyonrails.org/2012/3/30/ann-rails-3-2-3-has-been-released/
* https://github.com/rails/rails/issues/5228
At a glance it looks to me like the sample depot code suffers from this same mass assignment issue.
More generally, searching back through the PDF now, it seems to me Agile Web Development with Rails does not give sufficient treatment of the topic of security; for example, I can find no mention of attr_accessible. IMHO, at a minimum the book should clearly mention that it doesn’t sufficiently treat security, and point to good online resources that ought to be followed. Better would be to explain all that needs doing, and publish errata promptly when security issues pop up :-)
Worse, the book currently does give the illusion of tackling all the key security topics, since at various points it does talk about SQL injection, securing passwords, and such. Based on all this, I had assumed that Rails 3.x defaults were properly secure and that following along with the examples in the book would lead me to a properly secured application.
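As an added illustration of the attr_accessible point above (example code, not from the book or the comment author), here is a plain-Ruby stand-in for the whitelist that runs without Rails or a database; the class and method names are hypothetical, and the filtering behaviour mirrors Rails 3.x mass-assignment protection rather than its implementation.

```ruby
# Added example: a plain-Ruby stand-in for Rails' attr_accessible whitelist
# (hypothetical names; mirrors the 3.x behaviour, not the Rails source):
# with no whitelist declared, every key in params gets assigned.
module MassAssignmentProtection
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Declare the only attributes that untrusted params may set.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    # nil means "no whitelist declared": the insecure default.
    def accessible_attributes
      @accessible
    end
  end
  # Assign params, honouring the whitelist if one exists. Returns the
  # dropped keys so a caller can log them (or reject the request outright).
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    dropped = []
    params.each do |key, value|
      if allowed.nil? || allowed.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end
class Account
  include MassAssignmentProtection
  attr_reader :name, :admin
  def initialize(params)
    @admin = false          # only trusted code should ever flip this
    assign_attributes(params)
  end
end
# As the book's examples leave a model: no whitelist, so params win.
class UnprotectedUser < Account; end
# Same model with the whitelist; :admin is deliberately left off it.
class User < Account
  attr_accessible :name, :email
end
# Constructed request params carrying an extra client-supplied "admin" key.
UNTRUSTED_PARAMS = { "name" => "alice", "admin" => true }.freeze
```

Feeding UNTRUSTED_PARAMS to UnprotectedUser yields an admin account, while User keeps admin false and reports "admin" as a dropped key.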