Rubyuser

Reputation: 79

ActiveModel::MassAssignmentSecurity

I get an ActiveModel::MassAssignmentSecurity::Error when I try running my app to save the login and password details. I got the following error:

Can't mass-assign protected attributes: name, password, password_confirmation, salt
app/controllers/users_controller.rb:43:in `new'
app/controllers/users_controller.rb:43:in `create'

Here is the code from the controller file:

class UsersController < ApplicationController
  # GET /users
  # GET /users.json
  def index
    @users = User.all

    respond_to do |format|
      format.html # index.html.erb
      format.json { render json: @users }
    end
  end

  # GET /users/1
  # GET /users/1.json
  def show
    @user = User.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/new
  # GET /users/new.json
  def new
    @user = User.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/1/edit
  def edit
    @user = User.find(params[:id])
  end

  # POST /users
  # POST /users.json
  def create
    @user = User.new(params[:user])

    respond_to do |format|
      if @user.save
        format.html { redirect_to @user, notice: 'User was successfully created.' }
        format.json { render json: @user, status: :created, location: @user }
      else
        format.html { render action: "new" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # PUT /users/1
  # PUT /users/1.json
  def update
    @user = User.find(params[:id])

    respond_to do |format|
      if @user.update_attributes(params[:user])
        format.html { redirect_to @user, notice: 'User was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: "edit" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /users/1
  # DELETE /users/1.json
  def destroy
    @user = User.find(params[:id])
    @user.destroy

    respond_to do |format|
      format.html { redirect_to users_url }
      format.json { head :no_content }
    end
  end
end

Upvotes: 0

Views: 749

Answers (3)

rodacato

Reputation: 21

Like waldyr.ar said; you can also use attr_protected.

Upvotes: 0

icantbecool

Reputation: 492

I think you forgot to add the attr_accessible parameters in your model. Check out the Rails API for more information regarding attr_accessible and what it protects from.

Upvotes: 0

waldyr.ar

Reputation: 15244

Answer on Stack Overflow, credit to Damien Mathieu

In your model, you need to add tag_attributes to the attr_accessible call.

For example:

class User < ActiveRecord::Base
  attr_accessible :tags_attributes
end

If you already call it once, you can either add this field as an argument of the method, or make a second call. Both options are equivalent.

Having to specify all accessible parameters wasn't a default until a few months ago. This guide has been updated to reflect the change of default, but the new version hasn't been deployed yet; this is why it's not specified.

Upvotes: 2
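The allowlist behaviour the answers describe, as an added example that is not part of the original posts and not Rails' own code: a plain-Ruby stand-in that runs without Rails. SketchModel, UnlistedUser, ListedUser, try_create and FORM_PARAMS are hypothetical names, and leaving salt off the allowlist is this example's assumption about how the model should be set up.

```ruby
# Plain-Ruby stand-in for the allowlist check (hypothetical names, not Rails code).
class MassAssignmentError < StandardError; end

class SketchModel
  def self.accessible_attributes
    @accessible_attributes ||= []
  end

  # Same role as attr_accessible in a Rails 3.2 model: extend the allowlist.
  def self.attr_accessible(*names)
    accessible_attributes.concat(names.map(&:to_s))
  end

  # Same role as Model.new(params[:user]): reject any key not allowlisted.
  def initialize(attrs = {})
    denied = attrs.keys.map(&:to_s) - self.class.accessible_attributes
    unless denied.empty?
      raise MassAssignmentError,
            "Can't mass-assign protected attributes: #{denied.join(', ')}"
    end
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Nothing allowlisted: reproduces the error in the question.
class UnlistedUser < SketchModel
  attr_accessor :name, :password, :password_confirmation, :salt
end

# Form fields allowlisted; salt stays protected so only server code sets it.
class ListedUser < SketchModel
  attr_accessor :name, :password, :password_confirmation, :salt
  attr_accessible :name, :password, :password_confirmation
end

# Returns :created, or the error message when the allowlist rejects a key.
def try_create(model, params)
  model.new(params)
  :created
rescue MassAssignmentError => e
  e.message
end

# Constructed stand-in for params[:user].
FORM_PARAMS = { 'name' => 'alice', 'password' => 'pw',
                'password_confirmation' => 'pw' }.freeze
```

In a real Rails 3.2 model the equivalent change is the single attr_accessible line inside the User class; a protected column such as salt is then assigned explicitly in model code rather than through params.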
