
I removed the mass assignment vulnerability of the line below:

friend = Friend.find(params[:id])
friend.update_attributes(params[:name])

by rewriting it as:

friend = Friend.find(params[:id])
friend.update_attributes(params.permit(:name))

But this gave me this error:

ActiveModel::MassAssignmentSecurity::Error (Can't mass-assign protected attributes for Friend: name):
Unpermitted parameters: id

Any idea why I am getting this error?

Edit:

I added attr_accessible :status_id and params.permit(:id, :name) and the error went away. But is adding attr_accessible the right way to do it? We write strong params to remove this line, don't we?

Hellboy

3 Answers


Try updating your code as friend.update_attributes(params.permit(:name, :id)) to allow that parameter.

WhyEnBe
  • Didn't work. Getting this `ActiveModel::MassAssignmentSecurity::Error (Can't mass-assign protected attributes for Friend: id, name)` – Hellboy Jun 16 '15 at 18:05

You should do

friend.update_attributes(params.require(:friend).permit(:name))

or put this into a private method

private
def object_params
  params.require(:friend).permit(:name)
end

and then call via

friend.update_attributes object_params

Edit: I'm assuming that your params look like

{friend:{name:'xxxxx'},id:xx}
rob
  • I can't do this as I get the params as named `params` from the front end. – Hellboy Jun 16 '15 at 18:24
  • Look again at the example. I just put the params into a private controller method. :) You can already use this `friend.update_attributes(params.require(:friend).permit(:name))` – rob Jun 16 '15 at 18:29
  • Your assumption is wrong; my params look like: `params = {"name"=>"John", "id"=>"15"}` – Hellboy Jun 16 '15 at 18:30
  • Oh ok, thank you. Your model becomes a hash with name and id, and you just allow name. So the error is correct, because you don't want to put the id into the update_attribute. Try `params.slice(:name).permit(:name)` for the update – rob Jun 16 '15 at 18:40
  • Do I still need to use `attr_accessible :name`? Because it doesn't work without this line – Hellboy Jun 16 '15 at 18:43
  • No. It's just because of passing parameters which contain fields which are allowed. Did you try my last comment? – rob Jun 16 '15 at 18:46
  • Yeah, even your last comment didn't fix the problem – Hellboy Jun 16 '15 at 18:47
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/80698/discussion-between-rob-and-hellboy). – rob Jun 16 '15 at 18:54
  • There's another hint (http://stackoverflow.com/questions/17637253/mass-assign-protected-attributes-in-rail-4); don't forget to bundle after this. – rob Jun 16 '15 at 19:00

Don't write attr_accessible in the model; Rails 4 uses strong parameters.

Try this code.

friend = Friend.find(params[:id])
friend.update_attributes(friend_params)

private

  def friend_params
    params.require(:friend).permit!
  end

Abhinay
Chitra
  • As I told you, I am getting my params as `params`, not as `friend` – Hellboy Jun 17 '15 at 19:39
  • As you are getting the params of friend, you need to require the friend to permit the params of the friend model. Does my code work? – Chitra Jun 18 '15 at 06:49
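The three parameter patterns argued over across the answers (permit on the flat hash, slice then permit, and permit!), as an added example that is not part of the question or any answer. ToyParams and update_friend are assumed stand-ins for ActionController::Parameters and Friend#update_attributes so the script runs without Rails; the request hash is constructed from the shape Hellboy reported in the comments.

```ruby
# Added example, not code from the question or any answer: a small stand-in for
# ActionController::Parameters (no Rails needed) that behaves as Rails does with
# config.action_controller.action_on_unpermitted_parameters = :raise.
class UnpermittedParameters < StandardError; end

class ToyParams
  attr_reader :attrs, :permitted
  def initialize(hash, permitted: false)
    @attrs = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # Whitelist the named keys; any other key raises (the "Unpermitted parameters: id" in the question).
  def permit(*keys)
    allowed = keys.map(&:to_s)
    extra = @attrs.keys - allowed
    raise UnpermittedParameters, "Unpermitted parameters: #{extra.join(', ')}" unless extra.empty?
    ToyParams.new(@attrs.slice(*allowed), permitted: true)
  end
  # Keep only the named keys and drop the rest silently (rob's slice suggestion).
  def slice(*keys)
    ToyParams.new(@attrs.slice(*keys.map(&:to_s)))
  end
  # permit! declares every key allowed, so any field the client sends is written.
  def permit!
    ToyParams.new(@attrs, permitted: true)
  end
end

# Stand-in for Friend#update_attributes: refuses an unpermitted params object and
# returns the record's attributes after the update.
def update_friend(params, record = { 'id' => '15', 'name' => 'Old', 'admin' => false })
  raise ArgumentError, 'unpermitted parameters passed to update' unless params.permitted
  record.merge(params.attrs)
end

# Constructed request in the flat shape Hellboy reported: {"name"=>"John", "id"=>"15"}.
REQUEST = { 'name' => 'John', 'id' => '15' }.freeze

def permit_only               # raises UnpermittedParameters because of "id"
  update_friend(ToyParams.new(REQUEST).permit(:name))
end

def slice_then_permit         # only "name" reaches the model
  update_friend(ToyParams.new(REQUEST).slice(:name).permit(:name))
end

def permit_bang(extra = {})   # permit! lets extra fields such as "admin" through
  update_friend(ToyParams.new(REQUEST.merge(extra)).permit!)
end
```

Running permit_bang with an extra field shows why the last answer's permit! reopens the mass-assignment hole the question set out to close.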