edit (show edit form) checks that it's your photo to edit
update (make changes to photo) does not, you can update anyone's photo to anything
destroy (delete the photo) does not, you can delete anyone's photo w/ the id.
This is stuff you just DON'T DO in a web app. It's something any self-respecting web developer, especially a Rails developer, will look at and shudder. And those are the simple things that immediately stand out. Who knows what kind of security failures are built into this system due to ignorance or just plain lack of care.
But none of that matters because they've picked a project that they have to get right, and that in the long run is going to be defined in large part by design security.
I was expecting some integral libraries that would encapsulate privacy and authentication logic which would be reused for the entire framework. I don't really care if this was 'only' 3 months of work. That lack of security/privacy checking in that photo update section speaks volumes about where the developers and entire project are at.
Is it doomed? Probably not - apparently even Duke Nukem Forever has a new release date(?) - but they've got a long way to go to convince early adopter techies (people like me) to install this and evangelize on their next round.
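The edit/update/destroy gap the post describes, as an added example that is not Diaspora's code: a plain-Ruby model of the controller pattern (no Rails needed to run it), with the vulnerable shape beside a hardened one that routes every mutating action through the same ownership check. The classes, store and photo data are constructed for the illustration.

```ruby
# Added example (not Diaspora's code): the ownership-check gap described in the
# post, modelled in plain Ruby so it runs without Rails. All data is constructed.
Photo = Struct.new(:id, :owner_id, :caption)

# Stand-in for the model layer: Photo.find(id) versus current_user.photos.
class PhotoStore
  def initialize(photos)
    @photos = photos.each_with_object({}) { |p, h| h[p.id] = p }
  end

  def find(id)
    @photos.fetch(id) { raise KeyError, "no photo #{id}" }
  end

  def owned_by(user_id)
    @photos.values.select { |p| p.owner_id == user_id }
  end

  def delete(id)
    @photos.delete(id)
  end

  def exists?(id)
    @photos.key?(id)
  end
end

# Shape the post criticises: only #edit scopes the lookup to the current user;
# #update and #destroy act on whatever id the request carries.
class VulnerablePhotosController
  def initialize(store, current_user_id)
    @store = store
    @user = current_user_id
  end

  def edit(id)
    @store.owned_by(@user).find { |p| p.id == id } or raise "not your photo"
  end

  def update(id, caption)
    photo = @store.find(id)   # Photo.find(params[:id]) with no ownership check
    photo.caption = caption
    photo
  end

  def destroy(id)
    @store.delete(id)         # same gap: any existing id can be deleted
  end
end

# Hardened shape: every action resolves the record through the current user's
# own collection (current_user.photos.find in Rails terms), so a foreign id
# raises before any write happens. One shared gate is the point.
class PhotosController
  class Forbidden < StandardError; end

  def initialize(store, current_user_id)
    @store = store
    @user = current_user_id
  end

  def edit(id)
    own_photo(id)
  end

  def update(id, caption)
    photo = own_photo(id)
    photo.caption = caption
    photo
  end

  def destroy(id)
    own_photo(id)
    @store.delete(id)
  end

  private

  # Single authorization check reused by every action that touches a photo.
  def own_photo(id)
    @store.owned_by(@user).find { |p| p.id == id } or
      raise Forbidden, "photo #{id} does not belong to user #{@user}"
  end
end

# Constructed scenario: user 1 owns photo 1; user 2 sends requests for it.
def fresh_store
  PhotoStore.new([Photo.new(1, 1, 'original caption')])
end

# Caption of photo 1 after user 2 attempts to rewrite it via the given controller.
def caption_after_cross_user_update(controller_class)
  store = fresh_store
  begin
    controller_class.new(store, 2).update(1, 'rewritten by user 2')
  rescue PhotosController::Forbidden
    # hardened controller refuses; report the untouched caption below
  end
  store.find(1).caption
end

# Whether photo 1 still exists after user 2 attempts to delete it.
def survives_cross_user_destroy?(controller_class)
  store = fresh_store
  begin
    controller_class.new(store, 2).destroy(1)
  rescue PhotosController::Forbidden
  end
  store.exists?(1)
end
```

Running `caption_after_cross_user_update` and `survives_cross_user_destroy?` against both classes shows the contrast: the vulnerable controller lets user 2 overwrite and delete user 1's photo, while the hardened one leaves the caption unchanged and the record in place, and the legitimate owner's own update still succeeds.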
A code review by the frickin' entire world???
This will help them WHEN THEY DO THEIR ALPHA RELEASE. Thanks...
Reading all this actually is the first moment I imagined that diaspora wouldn't be the total disaster it threatened to be.