Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/group.rb:667

Notification.create!(:notification_type => Notification.types[:membership_request_accepted], :user_id => user.id, :data => { :group_id => id, :group_name => name }.to_json)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/group.rb or mark it as false positive.