Can't mass-assign protected attributes: category_id

Question

def create
  @author = User.find(current_user)
  pub_params = params[:publication]
  ##
  #bcids = pub_params['categorizations_attributes']['0']['book_category_id']
  #pub_params.delete('categorizations_attributes')
  #pub_params['categorizations_attributes'] = Hash.new()
  #bcids.each_with_index do |i, bcid|
  #  if i.to_i > 0
  #    pub_params['categorizations_attributes'][i] = Hash.new()
  #    pub_params['categorizations_attributes'][i]['book_category_id'] = bcid
  #  end
  #end
  @publication = @author.publications.new(pub_params)
  #setup_sti_model

  respond_to do |format|
    if @publication.save
      format.html { redirect_to @publication, notice: 'Publication was successfully created.' }
      format.json { render json: @publication, status: :created, location: @publication }
    else
      format.html { render action: "new" }
      format.json { render json: @publication.errors, status: :unprocessable_entity }
    end
  end
end

# PUT /publications/1 # PUT /publications/1.json

I'm getting this error whenever I tried to add new publication.

Search for the error "Can't mass-assign protected attributes" and read some - do any of the problems/reasons apply? (If the previous answer was "No", look again :) — user2246674, May 04 '13 at 19:13
possible duplicate of ["WARNING: Can't mass-assign protected attributes"](http://stackoverflow.com/questions/3944288/warning-cant-mass-assign-protected-attributes) — aromero, May 04 '13 at 20:51

score 2 · Answer 1 · answered May 04 '13 at 19:22

2

attr_accessible :category_id

Section 6 Mass Assignment

http://guides.rubyonrails.org/security.html

answered May 04 '13 at 19:22

Kiattisak Anoochitarom

2,157
1
20
15

score 1 · Answer 2 · edited May 23 '17 at 11:52

1

In you model use

attr_accessible :category_id

Read this and this to know the reason behind using it. You are giving access to write data to this field.

edited May 23 '17 at 11:52

Community

1
1

answered May 04 '13 at 19:14

Quazi Marufur Rahman

2,603
5
33
51

You can accept this clicking the tick icon if it solves your problem – Quazi Marufur Rahman May 05 '13 at 09:01
Thanks for the answer but I'm getting this error: undefined method `attr_accessible' for # – user1896696 May 05 '13 at 14:21

score 0 · Answer 3 · answered May 04 '13 at 20:43

Not to beat a dead horse but the other two responders are correct. To prevent mass assignment vulnerabilities, you need to explicitly state which fields can be mass updated.

You can also use attr_protected which sets a blacklist for fields that can't be mass updated, but whitelisting through attr_accessible is the preferred method.

Can't mass-assign protected attributes: category_id

3 Answers3