
I have followed the tutorial letter for letter and I am still getting a forbidden attributes error. I have Rails 4.1.4 and Ruby 2.1.2. Here are my controller methods for a new article:

    class ArticlesController < ApplicationController
      def create
        # Passing the raw params hash straight to the model is the line that
        # raises ActiveModel::ForbiddenAttributesError under Rails 4 strong parameters.
        @article = Article.new(params[:article])

        if @article.save
          redirect_to @article
        else
          render 'new'
        end
      end

      private

        def article_params
          params.require(:article).permit(:title, :text)
        end
    end

I'm sure it's just a singular/plural thing I mistyped or something stupid, but I've been at this one stupid error for more than an hour now, so any help is appreciated.

SeanIvins
  • Up in the first line, you need to change `params[:article]` to `article_params`. – O-I Sep 22 '14 at 01:02
  • Thanks a bunch! I need to let them know so they can fix that in the tutorial. Make this an answer and I'll mark it as so – SeanIvins Sep 22 '14 at 01:14

1 Answer

Up in the first line, you need to change params[:article] to article_params.

Rails 4+ refuses to initialize an Active Model object unless the attributes passed to it have been explicitly whitelisted. This is a Rails security feature known as strong parameters that was introduced to better protect against mass assignment — "a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access".

params[:article] is an unsanitized hash passed to the create action via a POST request to /articles. It could contain data that sets attributes of the Article model in unintended and unexpected ways. Rails 4+ does you a favor by throwing an exception and not allowing such code to run, rather than leave the onus of security solely on you.

article_params is a call to the private method listed in your example ArticlesController. Notice that it explicitly requires an :article parameter and only permits :title and :text attributes. This prevents a malicious user from authoring a particularly offensive article and then, say, posting it under an innocent individual's name by passing that person's :user_id along with the offensive article.

For a real-world example of a mass assignment exploit in Rails, here's an Errata Security article summarizing the GitHub hack of 2012.

O-I
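The following is an added example, not code from the question, the answer, or Rails itself. It is a small self-contained re-implementation of the contract that strong parameters relies on (an unpermitted parameters object that is refused by the model's forbidden-attributes check), so the difference between `Article.new(params[:article])` and `Article.new(article_params)` can be run without a Rails install. The class names `Params` and `Article`, the helper methods, and the request body with the injected `user_id` are all assumed for illustration.

```ruby
# Added example (not Rails code): toy re-implementation of the strong
# parameters contract. Names and the request body below are assumed.

class ForbiddenAttributesError < StandardError; end
class ParameterMissing < StandardError; end

# Stand-in for ActionController::Parameters: a hash wrapper that stays
# unpermitted until #permit has filtered it.
class Params
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_sym)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Nested hashes come back wrapped and still unpermitted, which is exactly
  # what params[:article] hands to the model in the question.
  def [](key)
    value = @hash[key.to_sym]
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # require: the key must be present and non-empty, or the request is malformed.
  def require(key)
    nested = @hash[key.to_sym]
    if nested.nil? || (nested.respond_to?(:empty?) && nested.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    Params.new(nested)
  end

  # permit: keep only the listed keys and mark the result as safe for mass
  # assignment. (Simplified: the real permit also restricts values to scalars.)
  def permit(*keys)
    allowed = keys.map(&:to_sym)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  def to_h
    raise ForbiddenAttributesError, "unpermitted parameters" unless permitted?
    @hash.dup
  end
end

# Stand-in for an Active Model object with ForbiddenAttributesProtection:
# anything that answers permitted? with false is refused before a single
# attribute is written, which is the exception the question reports.
class Article
  ATTRIBUTES = %i[title text user_id].freeze
  attr_reader(*ATTRIBUTES)

  def initialize(attrs = {})
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters passed to mass assignment"
    end
    attrs.to_h.each do |name, value|
      raise ArgumentError, "unknown attribute #{name}" unless ATTRIBUTES.include?(name.to_sym)
      instance_variable_set("@#{name}", value)
    end
  end
end

# Constructed request body: the attacker from the answer's scenario adds a
# user_id so the article is attributed to someone else.
MALICIOUS_BODY = {
  "article" => { "title" => "Hi", "text" => "Hello", "user_id" => 42 }
}.freeze

# The controller code from the question: raises ForbiddenAttributesError.
def create_unsafe(params)
  Article.new(params[:article])
end

# The answer's fix: require :article, permit only :title and :text.
def article_params(params)
  params.require(:article).permit(:title, :text)
end

def create_safe(params)
  Article.new(article_params(params))
end

if __FILE__ == $PROGRAM_NAME
  request = Params.new(MALICIOUS_BODY)
  begin
    create_unsafe(request)
  rescue ForbiddenAttributesError => e
    puts "unsafe create rejected: #{e.message}"
  end
  article = create_safe(request)
  puts "safe create: title=#{article.title.inspect} user_id=#{article.user_id.inspect}"
end
```

Run it with `ruby` and the unsafe path raises while the safe path builds an article whose `user_id` is nil: the injected key was silently dropped by `permit`, not assigned. Note that a plain Ruby `Hash` passed to `Article.new` is accepted, as in Rails, because the protection keys off the `permitted?` method of the parameters object rather than off the hash contents.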