Closed david-a-wheeler closed 8 years ago
You can always do more review for security, but we've done a reasonable pass, documented in Security.md. We now do strong input filtering, and tools like Brakeman don't find anything. There have been a few specific potential issues, hardening suggestions, and permissions-related enhancements (e.g., #93, #103, #136), but those are being tracked separately. Let's track specific recommendations as separate issues, and close this one out.
We need to do a basic security review of BadgeApp.
The Rails guide here will help: http://guides.rubyonrails.org/security.html
Hardening the inputs will help, as will adding tests to ensure that only users who shouldn't be able to edit certain things are specifically rejected.