ForbiddenAttributesError in ruby on rails when update_attributes use

Question

I am createing simple ruby blog app I am updating a post but it's showing thi type error error

        def edit
            @post = Post.find(params[:id])
        end

        def update
            @post = Post.find(params[:id])
            if @post
                puts "******************dd*********************"
                puts params[:post]
                puts "**************************************"
                @post.update_attributes(params[:post])


                redirect_to post_path, :notice => "you post  has been updated"
            else
                render "edit"
            end
        end

but when I using this

        @post.update_attributes({"title"=>"2nd", "body"=>"this is second post body", "category_id"=>"2"})

it is work

score 0 · Accepted Answer · answered Dec 12 '18 at 09:50

You should use strong parameters, Rails prevent you from assigning unfiltered params coming from outside world for security reasons.

def update
  # ...
  @post.update_attributes(post_params)
  # ...
end

# ...

private

def post_params
  params.require(:post).permit(:title, :body, :category_id)
end

score 0 · Answer 2 · answered Dec 12 '18 at 09:51

Attributes should be whitelisted for updating.

Below is the code:

        def edit
            @post = Post.find(params[:id])
        end

        def update
           @post = Post.find(params[:id])
           if @post
              @post.update_attributes(post_params)
              redirect_to post_path, :notice => "you post  has been updated"
           else
              render "edit"
           end
        end

   private

    def post_params
      params.require(:post).permit(:title, :body, :category_id)
    end

score 0 · Answer 3 · answered Dec 12 '18 at 09:54

ActiveModel::ForbiddenAttributesError is only raised if you pass unsanitized objects to the record update call.

@post.update_attributes(params[:post]) # This would be an issue

Post.where(params[:post]) # This would not

@post.update_attributes(post_params) # Neither would this

def post_params
  params.require(:post).permit(:title, :body, :category_id)
end

ForbiddenAttributesError in ruby on rails when update_attributes use

3 Answers3