>The JSON HTTP response for updating our own profile contained the "roles" parameter, something that might allow us to escalate privileges if the PUT request was vulnerable to mass assignment. We began looking through the JavaScript for any logic related to this parameter.
Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vain. Strong params, pls!
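As an added example (not part of the comment or the quoted write-up), here is the mass-assignment pattern the quote describes next to a strong-params-style allowlist. The user record, request body, field list and the `permit` helper are constructed for illustration and are not taken from any real application.

```javascript
// Constructed sample: a stored user record and a PUT body that sends back
// the "roles" field the client saw in the JSON response.
const storedUser = { id: 7, name: "alice", email: "alice@example.test", roles: ["user"] };
const putBody = { name: "Alice A.", roles: ["admin"], id: 1 };

// Vulnerable pattern: every client-supplied key is merged into the record,
// so "roles" and "id" are overwritten along with "name".
function updateProfileUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hypothetical helper modelled on Rails strong parameters: copy only the
// allowlisted keys and report the rest so the handler can log them.
function permit(body, allowed) {
  const accepted = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) accepted[key] = body[key];
    else rejected.push(key);
  }
  return { accepted, rejected };
}

// Fields a user may change on their own profile (assumed for this example).
const PROFILE_FIELDS = ["name", "email"];

// Hardened pattern: only permitted fields reach the stored record.
function updateProfileSafe(user, body) {
  const { accepted, rejected } = permit(body, PROFILE_FIELDS);
  return { user: Object.assign({}, user, accepted), rejected };
}
```

The `rejected` list is worth logging server-side: a profile update that carries `roles` or `id` is a useful signal that someone is probing the endpoint.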