Affects Version/s: 0.9.168
Fix Version/s: 0.9.172
Unprotected mass assignment near line 15: Preference.create(:user_id => User.find_by_login(params[:us...
Confidence level is "Weak," so we may or may not need to change something here.
How to test:
89% test coverage.
It looks like this particular line relates to creating preferences if the user doesn't already have any, so I'd suggest creating a new account, activating it, and then:
1. Log in
2. Go to Hi, username! > My Preferences
3. Use the form to change your preferences
4. Press Update
If the preferences page loads and you can update it, this should be good.
Note that if you don't have invitations in your account on staging, you'll need to get someone with admin access to either (a) send you an invitation or (b) enable account creation without an invitation.
We didn't need strong parameters here – we removed the unnecessary "create preferences if they don't exist" fallback instead.