ActiveModel::ForbiddenAttributesError in PasswordResetsController#update

Question

I have seen Ryan railcasts episode 274 I am using rails 4 and encountered one problem.

In password_resets_controller.rb

elsif @user.update_attributes(params[:user])

IN console it showing

ActiveModel::ForbiddenAttributesError in PasswordResetsController#update

when I modified update_attributes to update_attribute it shows

wrong number of arguments (1 for 2)

params[:user] showing two value password and password_confirmation but i am using password in my login page

I do not know how to solve this issue.

`update_attribute` is used to update single column and requires two parameters one is column name and second value for that column like `@user.update_attribute('password', params[:user][:password])` Ref:- http://stackoverflow.com/questions/2778522/rails-update-attribute-vs-update-attributes/2778671#2778671 — Salil, Jul 10 '13 at 11:06
This is a good question and has a great answer. As the OP it's your job to flag it as the accepted answer, just click that checkmark beside it. — Peter Wooster, Jun 16 '14 at 10:54

score 32 · Answer 1 · answered Jul 10 '13 at 10:56

32

This is because of Strong parameters feature in Rails 4. It will be raised when forbidden attributes are used for mass assignment.

You have to permit the attributes in your controller. Like this

@user.update_attributes(params.require(:user).permit(:password, :password_confirmation))

answered Jul 10 '13 at 10:56

Santhosh

28,097
9
82
87

Thank you all now I am able to reset password – user2567129 Jul 10 '13 at 12:27
1

Is this safe? Does this expose the password or anything? I'm still trying to learn how this works... – Jake Smith Feb 22 '14 at 09:29
1

Thanks for this @santhosh, there was a lot of resource on having a private method on the user controller, but not many for how to do this outside of that situation. – Aaron Moodie Oct 18 '15 at 18:22

Phil_ish · Answer 2 · 2015-12-03T06:02:35.767

Had the identical issue - getting same error message when attempting to make any change to any of my resources from within Active Admin. Strong parameters were whitelisted correctly in the model's controller but it wasn't until after reviewing the documentation I realized that I needed to include the model attributes to be whitelisted in the model within app/admin/your_model.rb. Once I did this all worked correctly from within Active Admin.

app/admin/your_model.rb

ActiveAdmin.register Your_model do
  permit_params :attribute_1, :attribute_2, :attribute_3, :etc, :etc
end

This worked on my local server. After pushing changes to git and deploying to VPS it worked there as well. Make sure you restart your app. In one case I had to restart my instance. Hopefully this helps someone.

score 0 · Answer 3 · answered May 15 '20 at 22:53

I spent days wondering why mine was not working, yet i had done almost as every correct answer suggested. It was a legacy codebase and whoever wrote it back then decide to do it in the following manner:

def update_params
  params.require(:user).permit(:email, :password)

  params
end

# And it was being called in the following manner
@user.update(update_params[:user])

I laboured for days before I found @Santhosh's answer above, tried it on the console and it worked.

The only fix that I had to make was to remove the return params in the update_params method, and only pass update_params to the call to update itself.

def update_params
  params.require(:user).permit(:email, :password)
end

# And it was being called in the following manner
@user.update(update_params) # Remove [:user]

ActiveModel::ForbiddenAttributesError in PasswordResetsController#update

3 Answers3

Related