Protect foreign keys from mass assignment

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the security category.

Last Updated: 2021-05-16

The most important non-obvious fields to prevent from being mass-assigned in user-facing forms are those pertaining to foreign keys (e.g. user_id in project_s). This is because changes in foreign keys references can bubble into being changes in access control and information privacy.