1

I am currently using Rails 4 and Devise 3.0.0. I have tried to add a custom field of "Name" to the sign up form and edit registration form. Whenever I submit the form, the following errors arise:

Unpermitted parameters: name

WARNING: Can't mass-assign protected attributes for User: email, password, password_confirmation.

I understand that this has something to do with the way Rails 4 handles parameters, but I do not understand what I am supposed to do about it right now. I have searched around and have seen that I am supposed to add some lines to a User model involving "params."

My user model currently looks like this:

class User < ActiveRecord::Base

  devise :database_authenticatable, :registerable, #:recoverable,
          :rememberable, :trackable, :validatable

  attr_accessible :name, :password, :password_confirmation, :remember_me, :email
end

According to "How is attr_accessible used in Rails 4?", I am supposed to add the following code to "The controller."

class PeopleController < ApplicationController
  def create
    Person.create(person_params)
  end

  private

  def person_params
    params.require(:person).permit(:name, :age)
  end
end

What controller? And is this literal code? Since I am dealing with User, do I have to use User.create(user_params) instead of Person.create(person_params)?

Community
Dylan Richards

5 Answers

4

Rails 4 has moved parameter sanitisation to the Controller from the Model. Devise handles it for 3 actions: sign_in, sign_up and account_update. For sign_up, the permitted parameters are the authentication key (which is :email by default), password and password_confirmation.

If you want to add :name to the User model and use it for sign_up, either change config.authentication_keys = [ :email ] to config.authentication_keys = [ :name ] in /config/initializers/devise.rb or, if you want to use both :email and :name, add this to the ApplicationController:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    # Append :name to the attributes Devise already permits for sign_up.
    devise_parameter_sanitizer.for(:sign_up) << :name
  end
end

Also check: https://github.com/plataformatec/devise#strong-parameters

Taryn East
Sanjay Singh
0

Yes, you should add one line like this:

attr_accessible :name

in your model to allow name to be assigned. If it does not work, try this: "How is attr_accessible used in Rails 4?"

Community
techvineet
0

You have to add this in the controller where you have written User.create(user_params). I am assuming that is UsersController.

class UsersController < ApplicationController
  def create
    User.create(user_params)
  end

  private

  def user_params
    # assumption: user params are coming in params[:user]
    params.require(:user).permit(:name, :age, :and_other_params_you_want_to_allow)
  end
end
techvineet
  • For some reason Rails failed to create a Users controller. Let me create one and get back to you. – Dylan Richards Nov 12 '13 at 07:27
  • Can you tell me the URL where your User form is posted to? – techvineet Nov 12 '13 at 07:28
  • Not sure what you mean by "URL where User form is posted to." However, I created a users_controller.rb and wrote in the code you mentioned and this is what I am getting: Unpermitted parameters: name WARNING: Can't mass-assign protected attributes for User: email @techvineet – Dylan Richards Nov 12 '13 at 07:54
0

I have a similar problem. So, to fix it, I created a custom registration controller inheriting from the DeviseRegistration controller. Check the Devise documentation and define the controller like this.

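class RegistrationsController < Devise::RegistrationsController
  before_filter :update_sanitized_params, if: :devise_controller?

  def update_sanitized_params
    # The block form replaces the default sign_up list, so the password fields are listed too.
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :email, :password, :password_confirmation) }
  end
end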

Make sure you have defined the routes for this controller in config/routes.rb:

  devise_for :users, :controllers => {:registrations => "registrations" } , :path => '', :path_names => {
    :sign_in => 'login', 
    :sign_out => 'logout'
  }

Check the Devise documentation on strong parameters.

Amrit Dhungana
0

I had similar issues; this was my fix:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:account_update) { |u| u.permit!}
  end
end
Florian Widtmann
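
An added example, not part of any answer above and not Rails or Devise code: a plain-Ruby model of the per-action allowlist that strong parameters enforce, set beside a permit-everything filter such as `u.permit!`, to show which columns each one lets a request write. The column list, the helper names (`filter_params`, `permit_all`, `unexpected_writes`) and the sample request are constructed for illustration.

```ruby
# Plain-Ruby model of allowlist filtering; not Rails or Devise code.
# All names and sample data below are constructed for this example.

# Columns on a hypothetical users table, including ones no form exposes.
USER_COLUMNS = %w[name email password password_confirmation admin confirmed_at].freeze

# Per-action allowlists for the Devise actions discussed on this page.
ALLOWLISTS = {
  sign_up:        %w[name email password password_confirmation],
  account_update: %w[name email password password_confirmation current_password]
}.freeze

SCALARS = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Returns [permitted, rejected_keys]. A listed key is kept only when its
# value is a scalar, so a nested hash or array under :name is rejected too.
def filter_params(params, action)
  allowed = ALLOWLISTS.fetch(action)
  permitted = {}
  rejected = []
  params.each do |key, value|
    key = key.to_s
    if allowed.include?(key) && SCALARS.any? { |k| value.is_a?(k) }
      permitted[key] = value
    else
      rejected << key
    end
  end
  [permitted, rejected.sort]
end

# Model of a permit-everything filter: every submitted key passes through.
def permit_all(params)
  params.each_with_object({}) { |(key, value), out| out[key.to_s] = value }
end

# Columns that would be written although the action's form never offers them.
def unexpected_writes(assigned, action)
  (assigned.keys & USER_COLUMNS) - ALLOWLISTS.fetch(action)
end

# Constructed body of an account_update request with extra keys added.
SAMPLE = { "name" => "Dylan", "email" => "d@example.com",
           "admin" => "1", "confirmed_at" => "2013-11-12" }.freeze

permitted, rejected = filter_params(SAMPLE, :account_update)
puts "allowlist keeps #{permitted.keys.inspect}, rejects #{rejected.inspect}"
puts "permit-all would write #{unexpected_writes(permit_all(SAMPLE), :account_update).inspect}"
```

In a Rails app, a request spec that posts an unlisted key and asserts the column is unchanged gives the same check against the real sanitizer.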