This video states that it is possible to protect the input coming in via the controller yet still be able to do mass assignment via models and specs. However, I have not seen this documented as a feature when using strong_parameters in 3.2.8.
I understand that I need to mix in ActiveModel::ForbiddenAttributesProtection into my models and set config.active_record.whitelist_attributes = false in config/application.rb. I have also pulled all of my attr_accessible calls from the model.
config.active_record.whitelist_attributes = false
With or without the mixin I am getting mass assignment errors.
ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: home_phone, cell_phone
Am I missing something?
Similar issue here: without attr_accessible in some of my models, they keep saying WARNING: Can't mass-assign protected attributes: account_id.
EDIT: Never mind, it was me. I had a pair of stray 'attr_accessible' calls that I forgot to get rid of.
I have the same issue, using Rails 3.2.12.
I have set config.active_record.whitelist_attributes = false in application.rb,
but if I go into the rails console and type MyApp::Application.config.active_record.whitelist_attributes it returns nil.
A little late on the train, but it could be helpful for anyone googling this issue: make sure you don't have config.active_record.mass_assignment_sanitizer = :strict in your configuration. This would cause MassAssignmentSecurity errors even though you set config.active_record.whitelist_attributes = false.
config.active_record.mass_assignment_sanitizer = :strict
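The leftovers commenters in this thread reported (a stray attr_accessible in a model, the whitelist_attributes setting, and mass_assignment_sanitizer = :strict) can be searched for mechanically. The following is an added example, not part of the thread or of the strong_parameters project; the check names, regexes, file layout and sample sources are assumptions constructed for illustration.

```ruby
# Added example: scan Rails 3.2 sources for the settings named in this thread.
# CHECKS, scan_file, scan_tree, scan_dir and SAMPLE are hypothetical names.
CHECKS = [
  { id: :stray_attr_accessible, scope: %r{\Aapp/models/},
    pattern: /^\s*attr_accessible\b/,
    note: "model still calls attr_accessible" },
  { id: :whitelist_enabled, scope: %r{\Aconfig/},
    pattern: /^\s*config\.active_record\.whitelist_attributes\s*=\s*true\b/,
    note: "whitelist_attributes is not set to false" },
  { id: :strict_sanitizer, scope: %r{\Aconfig/},
    pattern: /^\s*config\.active_record\.mass_assignment_sanitizer\s*=\s*:strict\b/,
    note: "mass_assignment_sanitizer is :strict" }
].freeze

# Returns one finding per matching line; commented-out lines do not match
# because every pattern requires the setting to start the line.
def scan_file(path, text)
  text.each_line.with_index(1).flat_map do |line, lineno|
    CHECKS.select { |c| path =~ c[:scope] && line =~ c[:pattern] }
          .map { |c| { id: c[:id], path: path, line: lineno, note: c[:note] } }
  end
end

# files: enumerable of [relative_path, source_text] pairs.
def scan_tree(files)
  files.flat_map { |path, text| scan_file(path, text) }
end

# Same scan over a real application directory.
def scan_dir(root)
  rels = Dir.glob("{app/models,config}/**/*.rb", base: root)
  scan_tree(rels.map { |rel| [rel, File.read(File.join(root, rel))] })
end

# Constructed sample sources (not taken from any poster's application).
SAMPLE = {
  "app/models/contact.rb" => <<~SRC,
    class Contact < ActiveRecord::Base
      include ActiveModel::ForbiddenAttributesProtection
      # attr_accessible :name
      attr_accessible :home_phone, :cell_phone
    end
  SRC
  "config/application.rb" => "config.active_record.whitelist_attributes = false\n",
  "config/environments/development.rb" =>
    "config.active_record.mass_assignment_sanitizer = :strict\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  found = ARGV[0] ? scan_dir(ARGV[0]) : scan_tree(SAMPLE)
  found.each { |f| puts "#{f[:path]}:#{f[:line]}: #{f[:note]}" }
end
```

Run with an application root as the first argument to scan real files; with no argument it reports on the constructed sample.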