by bradleyland 5757 days ago
It looks like they're using Devise for authentication, but there is no attention to security beyond that. Devise is just the beginning of a robust security model. I haven't followed their mailing list/twitter/whatever, so I don't know what's going on internally, but here's how I'd rationalize this. Honestly, I don't care one way or another, but I enjoy playing the devil's advocate from time to time.

Rails 3 has been in beta for the better part of the summer. This means that many plug-ins (Devise included) haven't been able to keep up 100% compatibility. It's entirely possible that they've only implemented Devise for login authentication, but plan on expanding with something like Warden or Clearance for model/controller level security as the plug-ins come up to speed.

Our group started on a Rails 3 app back in March, and we learned early on that we should stick to our core app development, avoiding plug-in implementations until things stabilize. Hell, look at Bundler. The jump from 0.9.x to 1.0 broke our app deployment methodology between the beta3 release and Rails 1.0. We never even got around to beta4. When you develop using a beta framework that evolves quickly and breaks compatibility, you have to be careful where you place your efforts.

I'm not ready to lay down on the tracks and defend them here, but I don't think it's impossible to assume that they just haven't addressed security yet. Maybe they haven't arrived at a framework choice. The fact that there is literally no security would seem to suggest this is true more so than if they had sparse security.

One aspect remains true, however. Anyone who deploys this and puts anything of value in it is asking to get body slammed.