by adrianmsmith 2322 days ago
I think making the mistake of "unscoped find" that "atom_enger" was referring to is just as easy a mistake to make when writing a REST backend (to support a SPA front-end framework) as when using a traditional non-SPA web framework.

It's tempting, when writing a REST backend, to respond to e.g. "PUT /message/:id" by just executing "UPDATE ... WHERE message_id=?" from the parameter, without checking that that message belonged to the user whose credentials have been used to access the call.

That's possible with a non-SPA web framework, and it's also possible when writing REST backends.
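Here is the pattern the comment describes, as an added example that is not part of the original thread and not anyone's production code: a PUT /message/:id handler whose UPDATE is keyed only on the path parameter, beside the scoped version that makes ownership part of the WHERE clause. It uses plain Python with the standard library's sqlite3 (no web framework) and two constructed rows; the user ids, message ids and handler names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: two users, each owning one message.
# Rows are (message_id, owner user_id, body).
SEED_MESSAGES = [
    (1, 100, "alice's note"),
    (2, 200, "bob's note"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages ("
        " message_id INTEGER PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SEED_MESSAGES)
    conn.commit()
    return conn


def put_message_unscoped(conn, current_user_id, message_id, body):
    """Vulnerable handler for PUT /message/:id.

    The UPDATE is keyed only on the :id taken from the URL; the authenticated
    caller's id is never consulted, so any logged-in user can overwrite any row.
    (Hypothetical handler, written to show the unscoped pattern.)
    """
    cur = conn.execute(
        "UPDATE messages SET body = ? WHERE message_id = ?",
        (body, message_id),
    )
    conn.commit()
    # rowcount is the number of rows the UPDATE touched.
    return 200 if cur.rowcount == 1 else 404


def put_message_scoped(conn, current_user_id, message_id, body):
    """Hardened handler for PUT /message/:id.

    Ownership is part of the WHERE clause, so a row that exists but belongs to
    someone else updates zero rows and is reported exactly like a missing row.
    (Hypothetical handler, written to show the scoped pattern.)
    """
    cur = conn.execute(
        "UPDATE messages SET body = ? WHERE message_id = ? AND user_id = ?",
        (body, message_id, current_user_id),
    )
    conn.commit()
    return 200 if cur.rowcount == 1 else 404


def body_of(conn, message_id):
    """Read back a message body (None if the row does not exist)."""
    row = conn.execute(
        "SELECT body FROM messages WHERE message_id = ?", (message_id,)
    ).fetchone()
    return row[0] if row else None


def cross_user_edit(handler):
    """Run `handler` as user 200 trying to edit message 1, which user 100 owns.

    Returns (http_status, body of message 1 afterwards) so the two handlers
    can be compared on identical input.
    """
    conn = make_db()
    status = handler(conn, 200, 1, "overwritten by user 200")
    return status, body_of(conn, 1)


def own_edit(handler):
    """Run `handler` as user 100 editing its own message 1; the scoped
    version must still permit this."""
    conn = make_db()
    status = handler(conn, 100, 1, "edited by owner")
    return status, body_of(conn, 1)


if __name__ == "__main__":
    print("unscoped, cross-user:", cross_user_edit(put_message_unscoped))
    print("scoped,   cross-user:", cross_user_edit(put_message_scoped))
    print("scoped,   own row:   ", own_edit(put_message_scoped))
```

The check that matters is the one inside `cross_user_edit`: with the unscoped handler the foreign row is silently rewritten and the caller gets a 200, while the scoped handler leaves the row alone and answers 404. Returning 404 rather than 403 for the foreign row also avoids confirming to the caller that the id exists.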

1 comment

Authz bugs are the most common bugs in every application, and no framework has a particular edge on stamping them out. I'm just responding to the claim about Rails having a security edge due to XSS protection, which it does not; in fact, it's become somewhat the opposite.