
I am developing a Rails application in which I have two models, User and Client. User is backed by Devise and is responsible for authentication, and has_one Client, which holds the client details for a given user. This relation is always present, as I ensure that a Client model is created whenever I create a User.

For the administration area I am using ActiveAdmin. Now, when I try to create a User through the administration interface I use a form like this:

```ruby
form do |f|
  f.inputs :username, :email, :password
  f.inputs :name => "Client", :for => :client do |client|
    client.inputs :name, :address, ...
  end
end
```

The problem is that neither the User nor the Client is saved, and the page is reloaded with validation errors. I have checked the Rails console and there is a `WARNING: Can't mass-assign protected attributes: client_attributes` message every time I try to create a User.

I have searched for this issue and found that, in order to allow mass-assignment, one has to define attr_accessible for each of the fields allowed for the assignment. So I put this directive in the Client model for each of the fields mentioned above, and the message keeps appearing, preventing the models from being properly saved.

Does anyone have a clue on this?

Tiago

1 Answer

The problem is not in your Client model, but in your User model - because this is the primary model you are trying to create. All you need to do is to add client_attributes to the list of attr_accessible attributes in your User model, just as the error message in the log files says, e.g.:

```ruby
class User < ActiveRecord::Base
  attr_accessible :client_attributes
end
```

I imagine you already have a list of accessible attributes in the User class. So just add client_attributes to the end of that list.

The changes you made to your Client model (i.e. adding a list of attributes to attr_accessible) are not needed for this to work. If you want, you can also go ahead and undo that.

Thomas Watson
  • I have done what you told me to do and that suppresses the mass-assignment warning. However, it does not validate the client yet, redirecting me back to the `create user` with validation errors. – Tiago Sep 29 '11 at 15:09
  • Update: I can edit an existing User already. But I still can't create a new one. – Tiago Sep 29 '11 at 15:18
  • If not all validation errors show, you can add `<%= @user.errors.messages.inspect %>` to the top of the page you are redirected back to. This will display the errors array containing all your errors – Thomas Watson Oct 10 '11 at 08:23
  • Sorry I took so long to answer. I actually solved the problem. The solution lies in what you said, but I had an 'after_initialize' callback to create the nested Client resource, which cleared the attributes sent by the browser before the save action happened. +1 for your solution though! – Tiago Nov 03 '11 at 19:34
  • Doesn't this make user.client exposed to form-inject attacks? – Dalibor Filus Mar 18 '12 at 22:21
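
On the question raised in the last comment, an added example (not code from the question, the answer, or Rails itself): a plain-Ruby model of allow-listing at both levels, so that permitting `client_attributes` on User does not by itself permit every Client field. `ALLOWED`, `NESTED`, `filter_params` and the `admin` and `user_id` fields are assumptions for illustration, and the sample request is constructed.

```ruby
# Plain-Ruby model of two-level allow-listing for nested form params.
# Hypothetical names throughout; this is not Rails' own implementation.
ALLOWED = {
  user:   %w[username email password client_attributes],
  client: %w[name address]
}.freeze

# Nested keys map to the model whose allow-list governs their contents.
NESTED = { "client_attributes" => :client }.freeze

# Returns [clean_params, rejected_key_paths] for one model's params.
def filter_params(model, params, path = model.to_s)
  clean = {}
  rejected = []
  params.each do |key, value|
    key = key.to_s
    unless ALLOWED.fetch(model).include?(key)
      rejected << "#{path}[#{key}]"
      next
    end
    if NESTED.key?(key)
      unless value.is_a?(Hash) # a scalar where a nested hash is expected
        rejected << "#{path}[#{key}]"
        next
      end
      sub, sub_rejected = filter_params(NESTED[key], value, "#{path}[#{key}]")
      clean[key] = sub
      rejected.concat(sub_rejected)
    else
      clean[key] = value
    end
  end
  [clean, rejected]
end

# Constructed request: the form's fields plus two fields the form never rendered.
FORGED = {
  "username" => "tiago", "email" => "t@example.com", "password" => "s3cret",
  "admin" => "1",
  "client_attributes" => { "name" => "Acme", "address" => "1 Main St", "user_id" => "42" }
}.freeze

CLEAN, REJECTED = filter_params(:user, FORGED)
puts REJECTED.inspect
```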