mass-assign protected attributes: user, format, action, controller

Question

I'm trying to create devise users via POST using JSON.

The current code of the controller is

class V1::UsersController < ApplicationController
  load_and_authorize_resource
  respond_to :json

  def create
    @user = User.create(params)
    if @user.save
      render json: @user, status: :created
    else
      render json: @user.errors, status: :unprocesssable_entry
    end
  end

end

I'm sending the following JSON as POST to http://localhost:3000/v1/users.json

{"user":{"active":true,"email":"test@email.com","username":"test"}, "auth_token":"my token"}

The problem is that I'm seeing an error requiring to whitelist some attributes that seems to be Rails Internal. I don't have user, format, action, controller as attributes of my user model. I tried adding attr_accesible to them in User model but then the POST return that those attributes were not found.

<h1>
  ActiveModel::MassAssignmentSecurity::Error
    in V1::UsersController#create
</h1>
<pre>Can&#x27;t mass-assign protected attributes: user, format, action, controller</pre>

Any idea how to solve this?

Answer 1

You have to refer to params[:user] not params:

@user = User.create(params[:user])