    if params[:token].present? && user = User.find_by_token(params[:token].to_s)
      user.password = params[:password]
      user.save
    else
      render status: 404
    end
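Why the lookup coerces the token with `.to_s` rather than passing `params[:token]` through as received: a query-string parser yields different Ruby types for different request shapes (a plain `?token=...` gives a String, an empty `?token[]` gives `[nil]`), and an ORM finder handed a `nil` matches rows whose token column is NULL, i.e. every account that has not requested a reset. The following is an added illustration, not code from the page: `USERS`, `find_by_token` and `blank?` are constructed stand-ins that mimic ActiveRecord's and ActiveSupport's behaviour in plain Ruby, so it runs without Rails.

```ruby
# Constructed in-memory records standing in for the User table (not a real model).
USERS = [
  { id: 1, email: "alice@example.test", token: "a1b2c3" }, # reset requested
  { id: 2, email: "bob@example.test",   token: nil }       # no reset requested
].freeze

# Stand-in for User.find_by_token with ORM-like nil semantics:
# an Array is treated as an IN (...) list, and a nil member matches NULL rows.
def find_by_token(value)
  candidates = value.is_a?(Array) ? value : [value]
  USERS.find { |u| candidates.include?(u[:token]) }
end

# Stand-in for ActiveSupport's blank?/present?: note that [nil] is NOT blank,
# so a presence check alone does not reject the array form.
def blank?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Unguarded lookup: the raw parameter reaches the finder.
def reset_target_unsafe(params)
  return nil if blank?(params[:token])
  find_by_token(params[:token])
end

# Guarded lookup as on the page: coerce to String first. [nil].to_s is the
# literal text "[nil]", which matches no stored token.
def reset_target_safe(params)
  return nil if blank?(params[:token])
  find_by_token(params[:token].to_s)
end

# Constructed parameter hashes as a parser would produce them.
REQUESTS = {
  "?token=a1b2c3" => { token: "a1b2c3" },
  "?token[]"      => { token: [nil] },
  "(absent)"      => { token: nil }
}.freeze

if $PROGRAM_NAME == __FILE__
  REQUESTS.each do |label, params|
    unsafe = reset_target_unsafe(params)
    safe   = reset_target_safe(params)
    puts "#{label.ljust(14)} unsafe -> #{unsafe && unsafe[:email] || 'none'} | safe -> #{safe && safe[:email] || 'none'}"
  end
end
```

The unguarded variant resolves the `?token[]` request to the account with a NULL token, which is exactly the account that never asked for a reset; the coerced variant resolves it to nothing and the action falls through to the 404 branch.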
• can add extra form fields, either by editing the HTML page in their browser or by submitting requests via other tools
• Consider a malicious user who themselves adds <input type="hidden" name="user[admin]" value="1">
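What that extra field does to an update that assigns every submitted attribute, next to an update that keeps only an explicit allow-list. This is an added example, not code from the page or from Rails: `SUBMITTED`, `CURRENT_USER`, `PERMITTED_USER_ATTRS`, `permit` and the two update functions are constructed plain-Ruby stand-ins for a form body and for strong-parameter filtering, so it runs without Rails.

```ruby
# Constructed parameters as a form body would decode them:
#   user[name]=Eve&user[email]=eve@example.test&user[admin]=1
# The "admin" key is the hidden field the user added; it was never in the form.
SUBMITTED = {
  "user" => { "name" => "Eve", "email" => "eve@example.test", "admin" => "1" }
}.freeze

# Constructed current record for the signed-in user.
CURRENT_USER = { "name" => "Eve", "email" => "old@example.test", "admin" => false }.freeze

# Attributes a user is allowed to change on their own profile.
PERMITTED_USER_ATTRS = %w[name email].freeze

# Unfiltered mass assignment: whatever keys arrive become attributes.
def update_profile_unfiltered(record, params)
  record.merge(params.fetch("user", {}))
end

# Allow-list filter in the spirit of strong parameters. Returns the kept
# attributes plus the names that were dropped, so the caller can log them.
def permit(attrs, allowed)
  kept    = attrs.select { |key, _| allowed.include?(key) }
  dropped = attrs.keys - allowed
  [kept, dropped]
end

# Filtered update: only permitted keys reach the record; the rest are
# reported to stderr, which is the signal a defender wants to see.
def update_profile_filtered(record, params)
  kept, dropped = permit(params.fetch("user", {}), PERMITTED_USER_ATTRS)
  warn "unpermitted attribute(s) dropped: #{dropped.join(', ')}" unless dropped.empty?
  record.merge(kept)
end

if $PROGRAM_NAME == __FILE__
  puts "unfiltered: #{update_profile_unfiltered(CURRENT_USER, SUBMITTED)}"
  puts "filtered:   #{update_profile_filtered(CURRENT_USER, SUBMITTED)}"
end
```

The unfiltered path stores `"admin" => "1"` because nothing between the request and the record asked whether that attribute belongs in a profile form; the filtered path keeps `admin` at `false` and surfaces the attempt in the log.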