This repository has been archived by the owner. It is now read-only.

MassAssignment protection still applies to associations named 'type' #81

josephlord opened this Issue Jan 14, 2013 · 3 comments



I'm not sure if this is a Rails issue (and whether it will apply to Rails 4) or properly belongs here.

I have a Project model and a ProjectType model. Projects belong_to ProjectTypes. The foreign key (and the attribute) is named project_type_id, but I had named the association as 'type' so that I could refer to project.type, which seemed natural. This (seemed to) work while using attr_accessible, but when I changed the Project model over to use strong_parameters I got MassAssignmentSecurity::Error, as "id" and "type" appear to be protected by default.

It may have been foolish to use 'type' as an association name but no useful errors were reported and finding documentation to this effect isn't easy either.

For my purposes this is no longer an important issue, as I have renamed the association, but I thought by raising the issue here at the very least it could provide documentation for any others looking to understand why MassAssignmentSecurity::Error are occurring with all attr_protected/attr_accessible removed from the project and "config.active_record.whitelist_attributes = false" set in application.rb.

+1 This is a problem.

Same here, can't use STI with strong_parameters :(

Any progress here?
