by aaronbrethorst 5757 days ago
Same thing is true with UsersController#update (http://github.com/diaspora/diaspora/blob/master/app/controll...). At least they had the good sense not to implement #destroy.
1 comments

And if you want to wait a week or two, I will explain why that one function lets you comprehensively compromise any Diaspora user in any way you want. The team thinks it only changes their first name, last name, and profile (not login) email.
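The concern in the two comments above is an update action that applies more of the submitted attributes than the developers intend. The following is an added illustration, not Diaspora's code and not the reply author's write-up: a plain Ruby stand-in for a Rails-style `update` action, with an unfiltered version beside one that copies only an explicit allow-list. The `User` class, its attribute names, the `PERMITTED` list and the request hash are all constructed for this example; it assumes nothing about the real controller beyond what the thread says.

```ruby
# Added example (constructed, not the project's code): the difference between
# applying every submitted attribute and applying only an allow-list.

class User
  # Constructed attribute set; the last two are the kind of fields an
  # update action should never take from the request.
  ATTRIBUTES = %i[first_name last_name email encrypted_password admin].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize(**attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  def to_h
    ATTRIBUTES.to_h { |a| [a, public_send(a)] }
  end
end

# Unfiltered: the request decides which attributes change.
def update_unfiltered(user, params)
  params.each do |key, value|
    setter = "#{key}="
    user.public_send(setter, value) if user.respond_to?(setter)
  end
  user
end

# Allow-listed: only the fields this action exists to change are copied;
# everything else in the request is ignored.
PERMITTED = %i[first_name last_name email].freeze

def update_permitted(user, params)
  params.each do |key, value|
    next unless PERMITTED.include?(key.to_sym)

    user.public_send("#{key}=", value)
  end
  user
end

# Constructed request body: the three legitimate fields plus two extra keys
# that a client could include but the action should not honour.
CONSTRUCTED_PARAMS = {
  "first_name" => "Ada",
  "last_name" => "Lovelace",
  "email" => "ada@example.com",
  "encrypted_password" => "unexpected-value",
  "admin" => true
}.freeze

# Runs one updater against a fresh user and returns the resulting attributes.
def demo(updater)
  user = User.new(first_name: "A", last_name: "L", email: "a@example.com",
                  encrypted_password: "original-hash", admin: false)
  updater.call(user, CONSTRUCTED_PARAMS).to_h
end
```

Running `demo(method(:update_unfiltered))` shows `admin` and `encrypted_password` changed by the request, while `demo(method(:update_permitted))` changes only the three listed fields. The review check this suggests for any update action is to read the list of attributes it can write and confirm that list is fixed in the code rather than derived from the request.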