@hjhart
Last active January 18, 2024 18:27
Security Interview Problem
# app/models/user.rb
# username :string, null: false
# email :string, null: false
# password :string, null: false
# admin :boolean, null: false, default: false
class User < ApplicationRecord
  # Fields
  # Note: password is a plain :string column; there is no password_digest
  # and no has_secure_password, so whatever is submitted is stored verbatim.
  validates :admin, inclusion: { in: [true, false] }
end
<%= form_for :user, url: create_user_path do |f| %>
  <%= f.text_field :username %>
  <%= f.text_field :email %>
  <%= f.password_field :password %>
  <%= f.submit "Create User" %>
<% end %>
# InsecureController.rb
class UserController < ApplicationController
  def new
  end

  def create
    # Column names and values are interpolated straight from the request:
    # every client-supplied key in params[:user] (the form only sends
    # username/email/password, but admin is a valid column) becomes a column,
    # and values are neither quoted nor bound, so the statement is injectable
    # and would not even parse for ordinary string input.
    sql = "INSERT INTO users (#{params[:user].keys.join(',')}) VALUES (#{params[:user].values.join(',')})"
    # connection.execute returns the driver's result object, not the new row's id.
    user_id = ActiveRecord::Base.connection.execute(sql)
    @user = User.find(user_id)
    redirect_to user_path(@user)
  end
end
<!-- app/views/users/index.html.erb -->
<h1>List of Users</h1>
<table>
  <thead>
    <tr>
      <th>Email</th>
      <th>Username</th>
      <th>Password</th>
      <th>Admin</th>
      <th>Actions</th>
    </tr>
  </thead>
  <tbody>
    <% @users.each do |user| %>
      <tr>
        <%# `raw` disables ERB's default HTML escaping, so user-controlled
            fields render as markup (stored XSS); the password column is also
            shown in plaintext to anyone who can load this page. %>
        <td><%= raw user.email %></td>
        <td><%= raw user.username %></td>
        <td><%= raw user.password %></td>
        <td><%= user.admin ? 'Yes' : 'No' %></td>
        <td>
          <%= link_to "Edit", edit_user_path(user) %>
          <%= link_to "Delete", user, method: :delete, data: { confirm: 'Are you sure?' } %>
        </td>
      </tr>
    <% end %>
  </tbody>
</table>
<%= link_to "New User", new_user_path %>
class UsersController < ApplicationController
  before_action :set_user, only: [:show, :edit, :update, :destroy]

  # GET /users
  # No authentication or authorization filter precedes this action in the
  # code shown, so any visitor can list every user (including passwords).
  def index
    @users = User.all
  end

  # Other actions (show, new, create, edit, update, destroy) go here

  private

  def set_user
    @user = User.find(params[:id])
  end
end
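Added example, not part of the gist: a plain-Ruby, stdlib-only walkthrough of the three fixes a reviewer would ask for in the code above. It rebuilds the statement the `create` action generates from a constructed `params[:user]` hash (`SAMPLE_PARAMS`, with an `admin` key the form never sends), then shows an allowlist filter (`permit_user_params`, a hypothetical stand-in for `params.require(:user).permit(:username, :email, :password)`), a bound-parameter INSERT (`safe_insert`, a stand-in for what `connection.exec_insert` or `sanitize_sql_array` produce), and escaped cell rendering (`render_cell`, which does what `<%= %>` does by default once `raw` is removed). The function names and the sample hash are the example's own assumptions; none of this is Rails' or the gist author's code. The plaintext password column would additionally be replaced by `has_secure_password` over a `password_digest` column, which needs the bcrypt gem and is not reproduced here.

```ruby
require 'erb'

# Constructed sample request params, shaped like Rails' params[:user].
# Keys come straight from the client, including ones the form never sent.
SAMPLE_PARAMS = {
  "username" => "alice",
  "email"    => "alice@example.com",
  "password" => "s3cret",
  "admin"    => "true"   # not in the form; added by the client
}.freeze

# The gist's create action reduced to the statement it builds: keys and values
# are concatenated verbatim, so every client key becomes a column and no value
# is quoted. Kept only for comparison; never execute a string built this way.
def unsafe_insert_sql(user_params)
  "INSERT INTO users (#{user_params.keys.join(',')}) VALUES (#{user_params.values.join(',')})"
end

# Hypothetical allowlist filter modelled on strong parameters: only the columns
# the form is meant to set survive, so admin is dropped before it reaches SQL.
PERMITTED_USER_KEYS = %w[username email password].freeze

def permit_user_params(user_params)
  user_params.select { |key, _| PERMITTED_USER_KEYS.include?(key) }
end

# Parameterised statement: column identifiers come from the fixed allowlist
# (never from the client) and values travel separately as binds, so data can
# never change the shape of the SQL text. Returns [sql, binds] for a driver.
def safe_insert(user_params)
  permitted = permit_user_params(user_params)
  placeholders = (['?'] * PERMITTED_USER_KEYS.size).join(', ')
  sql = "INSERT INTO users (#{PERMITTED_USER_KEYS.join(', ')}) VALUES (#{placeholders})"
  binds = PERMITTED_USER_KEYS.map { |column| permitted[column] }
  [sql, binds]
end

# The index view prints fields with `raw`, which disables escaping.
# ERB::Util.html_escape is what the default <%= %> applies to each value.
def render_cell(value)
  "<td>#{ERB::Util.html_escape(value)}</td>"
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{unsafe_insert_sql(SAMPLE_PARAMS)}"
  sql, binds = safe_insert(SAMPLE_PARAMS)
  puts "safe:    #{sql}  binds=#{binds.inspect}"
  puts "escaped: #{render_cell('<b>x</b>')}"
end
```

Running the file prints the injectable statement with `admin` in its column list, the bound form with a fixed column list and the values kept apart from the SQL, and an escaped table cell; the corresponding Rails change is `permit` in the controller, an ActiveRecord create or `exec_insert` with binds instead of string interpolation, and dropping `raw` in the view.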