This repository has been archived by the owner. It is now read-only.

Rails 3.2.8 Controller Only #67

ready4god2513 opened this Issue Dec 12, 2012 · 3 comments



This video states that it is possible to protect the input coming in via the controller yet still be able to do mass assignment via models and specs. However, I have not seen this documented as a feature when using strong_parameters in 3.2.8.

I understand that I need to mix in ActiveModel::ForbiddenAttributesProtection into my models and set config.active_record.whitelist_attributes = false in config/application.rb. I have also pulled all of my attr_accessible calls from the model.

With or without the mixin I am getting mass assignment errors.

ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: home_phone, cell_phone

Am I missing something?

Similar issue here; without attr_accessible in some of my models, it keeps saying WARNING: Can't mass-assign protected attributes: account_id.

EDIT: Never mind, it was me. I had a pair of stray 'attr_accessible' calls that I forgot to get rid of.

I have the same issue, using Rails 3.2.12.

I have set config.active_record.whitelist_attributes = false in application.rb,
but if I go into the Rails console and type MyApp::Application.config.active_record.whitelist_attributes, it returns nil.

A little late on the train, but it could be helpful for anyone googling this issue: make sure you don't have config.active_record.mass_assignment_sanitizer = :strict in your configuration. This would cause MassAssignmentSecurity errors even though you set config.active_record.whitelist_attributes = false.
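
A check for the causes named in this thread (stray attr_accessible calls, mass_assignment_sanitizer = :strict in any config file, whitelist_attributes left on), as an added example that is not code from this issue or from the strong_parameters project. The names mass_assignment_findings, build_sample_app and demo_findings, and the sample app files, are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Patterns for the causes reported in this thread. Commented-out lines are skipped.
CHECKS = {
  "stray attr_accessible in a model" =>
    { glob: "app/models/**/*.rb", re: /^\s*attr_accessible\b/ },
  "mass_assignment_sanitizer set to :strict" =>
    { glob: "config/**/*.rb", re: /^\s*config\.active_record\.mass_assignment_sanitizer\s*=\s*:strict\b/ },
  "whitelist_attributes set to true" =>
    { glob: "config/**/*.rb", re: /^\s*config\.active_record\.whitelist_attributes\s*=\s*true\b/ },
}.freeze

# Returns one hash per matching line: { cause:, file:, line: }.
def mass_assignment_findings(app_root)
  findings = []
  CHECKS.each do |cause, check|
    Dir.glob(File.join(app_root, check[:glob])).sort.each do |path|
      rel = path.sub(/\A#{Regexp.escape(app_root)}\/?/, "")
      File.readlines(path).each_with_index do |line, i|
        findings << { cause: cause, file: rel, line: i + 1 } if line =~ check[:re]
      end
    end
  end
  findings
end

# Constructed sample tree (not a real app): one stray attr_accessible and a
# :strict sanitizer in an environment file, with whitelist_attributes = false.
def build_sample_app(root)
  {
    "app/models/contact.rb" => "class Contact < ActiveRecord::Base\n  include ActiveModel::ForbiddenAttributesProtection\n  attr_accessible :home_phone\nend\n",
    "app/models/account.rb" => "class Account < ActiveRecord::Base\n  # attr_accessible :account_id\nend\n",
    "config/application.rb" => "    config.active_record.whitelist_attributes = false\n",
    "config/environments/development.rb" => "MyApp::Application.configure do\n  config.active_record.mass_assignment_sanitizer = :strict\nend\n",
  }.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

def demo_findings
  Dir.mktmpdir { |root| build_sample_app(root); mass_assignment_findings(root) }
end

demo_findings.each { |f| puts "#{f[:file]}:#{f[:line]}: #{f[:cause]}" } if __FILE__ == $PROGRAM_NAME
```

Pass the root of a Rails 3.2 app to mass_assignment_findings; the config glob covers config/environments/*.rb as well as config/application.rb.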
