Should nested resources and strong params use 'model' or 'model_attributes' and why? (unpermitted parameter: model)

Question

I have a nested form that creates an @address with each successful @purchase.

My schema and model associations are set up so that Purchase holds the foreign keys for everything else:

address.rb

belongs_to :user
has_many :purchases, foreign_key: :address_id
has_many :items, foreign_key: :address_id

purchase.rb

belongs_to :sender, class_name: "User"
belongs_to :recipient, class_name: "User"
belongs_to :address
belongs_to :item
accepts_nested_attributes_for :address

item.rb

belongs_to :user
has_many :purchases, foreign_key: :item_id
belongs_to :address

I've found some answers that suggest whitelisting the nested attribute params in my controller with a .permit(address_attributes: [:name]) in the controller instead of .permit(address: [:name]), but neither of the two create the record.

purchases_controller.rb

def confirmation
 @item = Item.friendly.find(params[:item_id])
 @address = @transaction_wizard.transaction.build_address
end

def confirm
 current_step = params[:current_step]
 @item = Item.friendly.find(params[:item_id])
 @transaction_wizard = wizard_transaction_for_step(current_step)
 @transaction_wizard.transaction.attributes = address_params
 session[:transaction_attributes] = @transaction_wizard.transaction.attributes

 if @transaction_wizard.valid?
  next_step = wizard_transaction_next_step(current_step)
  create and return unless next_step

  redirect_to action: next_step
 else
  redirect_to action: current_step
 end
end

def create
 if @transaction_wizard.transaction.save
  redirect_to root_path, notice: "Bid sent. If you would like to cancel before it's approved, you can do so #{view_context.link_to('here', transactions_sent_unapproved_path)}.".html_safe
 else
  redirect_to item_path(@transaction_wizard.transaction.item), notice: 'There was a problem making this bid.'
 end
end

private
def address_params
 params.require(:transaction_wizard).permit(address_attributes: [:name, :street, :street_2, :city, :state, :zip_code])
end

Whether I use address_attributes or address, the result is the same:

Parameters: {"transaction_wizard"=>
             {"address"=>
              {"name"=>"name", 
               "street"=>"123 st", 
               "street_2"=>"apt 5", 
               "state"=>"AL", 
               "zip_code"=>"48489"}
             }, 
             "current_step"=>"confirmation", 
             "commit"=>"Complete offer", 
             "item_id"=>"friendly-item-id"
            }
Unpermitted parameter: address

This is my form:

<%= form_for @transaction_wizard, as: :transaction_wizard, url: confirm_item_transaction_wizard_path(@item) do |f| %>
 <%= f.fields_for :address do |address| %>
  <%= address.text_field :name %>
  <%= address.text_field :street %>
  <%= address.text_field :street_2 %>
  <%= address.text_field :city %>
  <%= address.text_field :state %>
  <%= address.text_field :zip_code %>
 <% end %>

 <%= f.submit "Submit" } %>
<% end %>

What gives? How can I make my controller accept these params?

---

Update: Changing address to addresses requires that I change that @address variable in the controller to @address = @transaction_wizard.transaction.build_addresses. This causes an uninitialized constant Transaction::Addresses error.

Answer 1

You should use address_attributes. The problems is your relations:

To use the accepts_nested_attributes_for you must use has_many or has_one, and you using belongs_to.

In your case, relations are inverted, see:

Purchase belongs_to Address

Address has_many purchases

You can't create a address because according your relations, address is a parent model (of purchase) see this link.

Nested Attributes is a feature that allows you to save attributes of a record through its associated parent.

Answer 2

You can setup nested attributes through a belongs_to association but the association must be set as optional (unless you are using Rails 4 or earlier):

class Address < ApplicationRecord
  has_many :purcases
end

class Purchase < ApplicationRecord
  belongs_to :address, optional: true
  accepts_nested_attributes_for :address
end

---

require 'rails_helper'

RSpec.describe Purchase, type: :model do
  it "accepts nested attributes" do
    purchase = Purchase.create!(address_attributes: { name:  'foo', street: 'bar' })
    address = purchase.address
    expect(address.persisted?).to be_truthy
    expect(address.name).to eq 'foo'
    expect(address.street).to eq 'bar'
  end
end

This is because nested attributes is built to work with has_one associations so the "parent" record is validated before the nested record so that the foreign key (the parent id) can be set on the nested record.

You should be whitelisting address_attributes. Nested attributes creates a setter based on the first argument:

accepts_nested_attributes_for :foo
accepts_nested_attributes_for :bars

This will accept foo_attributes= and bars_attributes=. This of course should follow the plurization of your assocation (singular for has_one/belongs_to, plural for has_many).

The address= setter on your model has nothing to with nested attributes - its created by the belongs_to :address association and takes an Address instance. In fact if you whitelisted that param you will get an ActiveRecord::AssociationTypeMismatch exception.

irb(main):004:0> Purchase.new.address = { street: 'foo' }
ActiveRecord::AssociationTypeMismatch: Address(#70264542836680) expected, got {:street=>"foo"} which is an instance of Hash(#70264511691080)
    from (irb):4

You also need to setup the form as:

<%= f.fields_for :address do |address| %>
  # ...
<% end %>

When using fields_for just pass the name of the association. You should not need to pass an instance and using as: :address gives the wrong parameter.