ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes:

Question

I am following along the tutorial Ruby on Rail 3 Essential Training from Lynda.com. I am having a difficult time creating an Active Record Entry. This is the error I get in my console.

1.9.3p125 :007 > user = User.new(:first_name => "Mike", :last_name => "Jones")
ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: first_name, last_name
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activemodel-3.2.3/lib/active_model/mass_assignment_security/sanitizer.rb:48:in `process_removed_attributes'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activemodel-3.2.3/lib/active_model/mass_assignment_security/sanitizer.rb:20:in `debug_protected_attribute_removal'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activemodel-3.2.3/lib/active_model/mass_assignment_security/sanitizer.rb:12:in `sanitize'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activemodel-3.2.3/lib/active_model/mass_assignment_security.rb:230:in `sanitize_for_mass_assignment'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activerecord-3.2.3/lib/active_record/attribute_assignment.rb:75:in `assign_attributes'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/activerecord-3.2.3/lib/active_record/base.rb:498:in `initialize'
    from (irb):7:in `new'
    from (irb):7
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/railties-3.2.3/lib/rails/commands/console.rb:47:in `start'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/railties-3.2.3/lib/rails/commands/console.rb:8:in `start'
    from /home/mark/.rvm/gems/ruby-1.9.3-p125/gems/railties-3.2.3/lib/rails/commands.rb:41:in `<top (required)>'
    from script/rails:6:in `require'
    from script/rails:6:in `<main>`

This is what I have in my Model:

class User < ActiveRecord::Base
  attr_accessible :first_name, :last_name
end

What am I doing wrong. I have rails 3.2.3

Answer 1

I was too following along the tutorial Ruby on Rail 3 Essential Training from Lynda.com, if anybody had the same problem here is what worked for me,

Turn off the security setting. Open config/application.rb and change config.active_record.whitelist_attributes to false instead of true. This makes your app a little less secure, but allows you to quickly move forward with the tutorial. this is from: http://www.lynda.com/Ruby-on-Rails-3-tutorials/essential-training/55960-2/faqs

Answer 2

Make sure to put attr_accessible :first_name, :last_name in the User model and not in the controller.

Answer 3

I just added the attr_accessible :first_name, :last_name, :username line to the models file. This worked for me.

Answer 4

Without any precautions Mass-assignment allows attackers to set any database column’s value, hence it has been disabled by default.

def signup
  params[:user] # => {:name => “ow3ned”, :admin => true}
  @user = User.new(params[:user])
end

The detailed description is in the Ruby On Rails Security Guide.

Answer 5

From what I know that lynda course was developed on rails3 and in rails 3.2.3 there is no mass assignment by default. You have to go your model and add attr_accessible :name, :position, :visible. Basically you have to add every attribute you want to mass assign.

Answer 6

Try to restart the console. If you have created the model for user after the console was launched, you should restart it.