Mass-assignement error in fields_for form using Devise user with multiple roles

Question

I looked on plenty of issues related to mass-assignement in nested attributes but none of them helped me out...

I am using Devise and have one User model with different types, as the Client one:

class User < ActiveRecord::Base
  attr_accessible :email, :name, :password, :password_confirmation, :remember_me, :rolable_type
  belongs_to :rolable, :polymorphic => true
  accepts_nested_attributes_for :rolable
end

class Client < ActiveRecord::Base
  has_one :user, :as => :rolable
  attr_accessible :specialty, :address
end

I have the following form for creating a new user with the client type and client attributes and which is working:

[...]

  resource.rolable = child_class_name.constantize.new if resource.rolable.nil?

<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>

[...]

  <% # customized code begin %>
  <%= fields_for resource.rolable do |rf| %>
    <% if rolable_type == 'client' %>

    <div><%= rf.label :specialty %><br />
    <%= rf.text_field :specialty %></div>

[...]

    <% end %>
  <% end %>

  <%= hidden_field :user, :rolable_type, :value => rolable_type %>
  <% # customized code end %>

[...]

  <div><%= f.submit "Sign up" %></div>
<% end %>

I have the following for editing the same user and which is not working: I am getting the following error : ActiveModel::MassAssignmentSecurity::Error in UsersController#update : Can't mass-assign protected attributes: client

    <%= form_for(@user) do |f| %>
       <%= render 'shared/error_messages', object: f.object %>

[...]

      <% f.fields_for(@user.rolable) do |rf| -%>

        <div><%= rf.label :specialty %><br />
        <%= rf.text_field :specialty %></div>

        <div><%= rf.label :address %><br />
        <%= rf.text_field :address %></div>
      <% end %>

[...]

Here is my UsersControllerupdate action:

  def update
    @user = User.find(params[:id])
    if @user.update_attributes(params[:user])
      flash[:success] = "Profile updated"
      sign_in @user
      redirect_to @user
    else
      render 'edit'
    end
  end

the weirdest thing is that I still run into a `mass-assignement error` even when I set `config.active_record.whitelist_attributes = false`.... — lgerard, Jun 11 '13 at 09:24

score 0 · Answer 1 · edited May 23 '17 at 11:57

0

you need an accepts_nested_attributes_for :rolable in User class

See: Rails 3.1: accepts_nested_attributes_for and has_one association - won't work?

edited May 23 '17 at 11:57

Community

1
1

answered Jun 11 '13 at 05:41

Robert Roach

1
1

I run now into a mass-assignement error whereas I added `accepts_nested_attributes_for :rolable` in `User` class : `Can't mass-assign protected attributes: client` (thank you for your help!) – lgerard Jun 11 '13 at 07:28
try changing it to accepts_nested_attributes_for :client and i think you need to add :client to your attr_accessible list – Robert Roach Jun 11 '13 at 10:24

score 0 · Answer 2 · answered Apr 30 '18 at 14:48

0

Solution by OP.

I changed <% f.fields_for(@user.rolable) do |rf| %> for <%= f.fields_for :rolable do |rf| %>.

And it worked

answered Apr 30 '18 at 14:48

Cœur

37,241
25
195
267

Mass-assignement error in fields_for form using Devise user with multiple roles

2 Answers2