"WARNING: Can't mass-assign protected attributes"

ruby-on-rails activerecord devise

Solution 1:

Don't confuse attr_accessor with attr_accessible. Accessor is built into Ruby and defines a getter method - model_instance.foo # returns something - and a setter method - model_instance.foo = 'bar'.

Accessible is defined by Rails and makes the attribute mass-assignable (does the opposite of attr_protected).

If first_name is a field in your model's database table, then Rails has already defined getters and setters for that attribute. All you need to do is add attr_accessible :first_name.

Solution 2:

To hack your app together in an insecure way totally unfit for production mode:

Go to /config/application.rb Scroll down towards the end where you'll find

{config.active_record.whitelist_attributes = true}

Set it to false.

EDIT/btw (after 4 months of ruby-intensive work including an 11 week workshop): DHH believes that, for noobies (his words), "up and running" is more important than "very secure".

BE ADVISED: A a lot of experienced rails developers feel very passionate about not wanting you to do this.

UPDATE: 3 years later, another way to do this -- again, not secure, but better than the above solution probably because you have to do it for each model

class ModelName < ActiveRecord::Base
  column_names.each do |col|
    attr_accessible col.to_sym
  end
  ...
end

Solution 3:

Don't use attr_accessor here. ActiveRecord creates those automatically on the model. Also, ActiveRecord will not create a record if a validation or mass-assignment error is thrown.

EDIT: You don't need a doctors table, you need a users table with a type column to handle Rails Single Table Inheritance. The invitations will be on the users table. Ah, I see in your added code sample you do have type on users. Get rid of the doctors table, move invitations over to users, and I think you should be ok. Also get rid of the attr_accessor. Not needed.

Keep in mind that rails STI uses the same table for all classes and subclasses of a particular model. All of your Doctor records will be rows in the users table with a type of 'doctor'

EDIT: Also, are you sure you only want to validate presence of invitations on creation and not updates?

Solution 4:

Add attr_accessible : variable1, variable2 to your table route file.

Related

Are C++ enums slower to use than integers?
Automatically adjust height to contents in Ace Cloud 9 editor
How to set a variable inside a loop for /F
How to set multiple spans on a TextView's text on the same partial text?
What is the correct readonly attribute syntax for input text elements?
A simple "Hello World" needs 10G virtual memory on a 64-bit machine vs 1G at 32-bit?
Error loading project in Android Studio: cannot load modules
How do you know when to use design patterns? [closed]
Java MessageFormat - How can I insert values between single quotes?
How is it that json serialization is so much faster than yaml serialization in Python?
Rails: Should partials be aware of instance variables?
jQuery - disable selected options