2

I'm currently in the process of upgrading an application from Rails 2.3.8 to Rails 3.2.7, and am having some trouble with mass-assignment.
When I try and save any model, I get the following error:

Can't mass-assign protected attributes: a,b,c,d

I noticed that Rails had set the default for whitelisting attributes to:

config.active_record.whitelist_attributes = false

So I changed it to true, but the errors kept coming up. We use attr_protected for a few things but it seems to ignore those and protect everything. I'm guessing it is due to the model using 'accepts_nested_attributes_for', but those are necessary.

Is there any other way to solve this problem without using 'attr_accessible'?

Breathtender
  • 490
  • 5
  • 15
  • `attr_accessible` is what would enable mass-assigning of attributes for a model. Is there a reason why you want to avoid using it? – Jason Kim Aug 14 '12 at 19:03
  • It's a pretty large application, so getting everything up to date would take a while, and the website is purely for internal company use, so security isn't really much of an issue. – Breathtender Aug 14 '12 at 19:25

1 Answers1

1

Any time you use attr_accessible or attr_protected, you have enabled mass assignment protection for that model. If the website is purely for internal use as you mention in your comments, the only way to solve this without using attr_accessible, would be to remove attr_protected from the model or any models that it touches using accepts_nested_attributes_for.

sgrif
  • 3,702
  • 24
  • 30
  • Removing attr_protected doesn't seem to have any effect, as long as accepts_nested_attributes_for is there, which is necessary. – Breathtender Aug 15 '12 at 15:16
  • Does the model you're accepting nested attributes for use attr_protected? Note: In the long run you're probably better off just using attr_accessible regardless – sgrif Aug 15 '12 at 15:30
  • No, it doesn't, although I suppose you're right, I'm going to have to get everything using attr_accessible sooner or later anyways. – Breathtender Aug 16 '12 at 15:20