alex.bour

Reputation: 2976

Rails - Can't mass-assign protected attributes

I have read a lot of things about this error:

WARNING: Can't mass-assign protected attributes: contact_id, country_id, winery

But I don't understand why it appeared. I used Rails 3.0.5 (and don't want to switch to 3.1 at this time).

My log:

Started POST "/ws/webapp/services/push_item" for 127.0.0.1 at Thu Mar 01 18:45:16 +0100 2012
  Processing by Webapp::ServicesController#push_item as JSON
  Parameters: {"wine"=>{"contact_id"=>"<null>", "country_id"=>"1", "id"=>"3FAE414B-97B2-4C05-8A02-8AAC3F3B89F6", "winery"=>"New wine"}, "authenticity_token"=>"Da/2MDivaxxmS1zb7x6EK63xARnd/RrpmFoWtsOHock=", "locale"=>"ws"}
  Wine Load (0.4ms)  SELECT `wines`.* FROM `wines` WHERE `wines`.`id` = '3FAE414B-97B2-4C05-8A02-8AAC3F3B89F6' AND `wines`.`user_id` = 1 LIMIT 1
WARNING: Can't mass-assign protected attributes: contact_id, country_id, winery
3FAE414B-97B2-4C05-8A02-8AAC3F3B89F6
  SQL (0.2ms)  BEGIN
  SQL (0.2ms)  ROLLBACK
Completed 200 OK in 245ms (Views: 6.1ms | ActiveRecord: 9.5ms)

So the request (update) doesn't work. The 3 fields contact_id, country_id, winery are in my database.

Any ideas?

Upvotes: 2

Views: 1271

Answers (2)

Kyle

Reputation: 1278

Rails uses an authenticity token when generating forms to prevent CSRF/XSS attacks. If you're making a call from a mobile application, this token won't be present, and you'll receive some sort of error.

If your app needs to accept requests outside of the Rails app, you'll need to disable these protections for those actions using:

protect_from_forgery :except => :update

or

skip_before_filter :verify_authenticity_token

Upvotes: 1

Veraticus

Reputation: 16084

You're probably using attr_protected in your model, with a line like this somewhere in it:

attr_protected :contact_id, :country_id, :winery

If you want to be able to mass-assign those attributes, you'll need to remove that line.

Upvotes: 1
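
An added example, not part of either answer and not Rails' own code: a plain-Ruby model of how a mass-assigned hash is filtered under attr_protected (blacklist) versus attr_accessible (whitelist), including the warning from the question's log. The Model, ProtectedWine and AccessibleWine classes and the PARAMS hash are constructed for illustration; the user_id key is an assumption based on the column in the logged query.

```ruby
# Simplified stand-in for Rails 3.0 mass-assignment filtering (not ActiveRecord itself).
class Model
  class << self
    attr_reader :protected_attrs, :accessible_attrs
    def attr_protected(*names);  @protected_attrs  = names.map(&:to_s); end
    def attr_accessible(*names); @accessible_attrs = names.map(&:to_s); end
  end

  attr_reader :attributes, :warnings

  def initialize(attrs = {})
    @attributes = attrs.dup
    @warnings = []
  end

  # Mass assignment: filtered keys are dropped and a warning is logged, not raised.
  def update_attributes(params)
    allowed, rejected = params.partition { |key, _| assignable?(key.to_s) }
    unless rejected.empty?
      @warnings << "WARNING: Can't mass-assign protected attributes: #{rejected.map(&:first).join(', ')}"
    end
    allowed.each { |key, value| @attributes[key.to_s] = value }
    self
  end

  private

  def assignable?(key)
    if self.class.accessible_attrs # a declared whitelist decides on its own
      self.class.accessible_attrs.include?(key)
    else
      !Array(self.class.protected_attrs).include?(key)
    end
  end
end

# Blacklist as in the answer above: the three submitted fields are dropped.
class ProtectedWine < Model
  attr_protected :contact_id, :country_id, :winery
end

# Whitelist alternative: the three fields are assignable, everything else is not.
class AccessibleWine < Model
  attr_accessible :contact_id, :country_id, :winery
end

# Constructed parameters modelled on the "wine" hash in the log, plus an assumed user_id.
PARAMS = { "contact_id" => nil, "country_id" => "1", "winery" => "New wine", "user_id" => "2" }
```

With the blacklist the record keeps its old values and only the warning shows that anything was dropped, which matches the BEGIN/ROLLBACK in the log; with the whitelist the three fields are assigned and the ownership column is the one that gets filtered.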
