Tags: ruby-on-rails-3, ruby-on-rails-3.2, mass-assignment

Private methods not passing MassAssignmentSecurity in rails 3.2.8


After upgrading to Rails 3.2.8, my private methods that passed mass assignment in Rails 3.2.6 no longer pass; I keep getting the mass assignment error.

My controller is:

class AddressesController < BaseController
  # GET /addresses
  # GET /addresses.json
  def index
    @address = Address.new

    form_info
    respond_to do |format|
      format.html # index.html.erb
      format.json { render json: @addresses }
    end
  end

  # GET /addresses/1
  # GET /addresses/1.json
  def show
    @address = Address.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @address }
    end
  end

  # GET /addresses/new
  # GET /addresses/new.json
  def new
    @address = Address.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @address }
    end
  end

  # GET /addresses/1/edit
  def edit
    @address = Address.find(params[:id])
  end

  # POST /addresses
  # POST /addresses.json
  def create
    if params[:address].present?
      @address = current_user.addresses.new(params[:address])
      @address.default = true if current_user.default_shipping_address.nil?
      @address.save_default_address(current_user, params[:address])
    elsif params[:address_id].present?
      @address = current_user.addresses.find(params[:address_id])
    end
    respond_to do |format|

      if @address.id
        update_order_address_id(@address.id)
        format.html { redirect_to(orders_url, :notice => 'Address was successfully created.') }
      else
        form_info
        format.html { render :action => "index" }
      end
    end
  end

  # PUT /addresses/1
  # PUT /addresses/1.json
  def update
    @address = Address.find(params[:id])

    respond_to do |format|
      if @address.update_attributes(params[:address])
        format.html { redirect_to @address, notice: 'Address was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: "edit" }
        format.json { render json: @address.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /addresses/1
  # DELETE /addresses/1.json
  def destroy
    @address = Address.find(params[:id])
    @address.destroy

    respond_to do |format|
      format.html { redirect_to addresses_url }
      format.json { head :no_content }
    end
  end

  private

  def update_order_address_id(id)
    session_order.update_attributes(
        :address_id => id
    )
  end

  def form_info
    @addresses = current_user.addresses
  end



end

After creating an address, I expect it to perform the update_order_address_id(id) method, but it keeps telling me:

Can't mass-assign protected attributes: address_id

All this started after upgrading to Rails 3.2.8. Does anybody know how I can fix this, please, or have any suggestions?


Solution

  • Try to add this line to the model

    attr_accessible :address_id
    

    https://stackoverflow.com/a/4538861/643500

    Edit:

    Not sure if you read this

    class AccountsController < ApplicationController
      include ActiveModel::MassAssignmentSecurity
    
      attr_accessible :first_name, :last_name
      attr_accessible :first_name, :last_name, :plan_id, :as => :admin
    
      def update
        # ...
        @account.update_attributes(account_params)
        # ...
      end
    
      protected
    
      def account_params
        role = admin ? :admin : :default
        sanitize_for_mass_assignment(params[:account], role)
      end
    
    end
    

    http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html
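
An added example, not part of the original answer and not Rails code: a plain-Ruby stand-in for the whitelist check, showing that scoping `address_id` to a role keeps it out of reach of request parameters while server-side code can still set it. `MiniModel`, the `Order` model's `:notes` attribute, the `:internal` role and the sample parameters are assumptions made for the illustration; in Rails 3.2 the equivalent call is `update_attributes(attrs, :as => role)`.

```ruby
# Plain-Ruby stand-in for the Rails 3.2 attribute whitelist (constructed, not ActiveModel code).
class MassAssignmentError < StandardError; end
class MiniModel
  # Per-class table: role => list of attribute names that role may mass-assign.
  def self.whitelist
    @whitelist ||= Hash.new { |h, role| h[role] = [] }
  end

  def self.attr_accessible(*names)
    opts = names.last.is_a?(Hash) ? names.pop : {}
    whitelist[opts.fetch(:as, :default)].concat(names.map(&:to_s))
  end

  attr_reader :attributes
  def initialize; @attributes = {}; end

  # Mass assignment: reject the whole hash if any key is outside the role's whitelist.
  def update_attributes(attrs, opts = {})
    denied = attrs.keys.map(&:to_s) - self.class.whitelist[opts.fetch(:as, :default)]
    unless denied.empty?
      raise MassAssignmentError, "Can't mass-assign protected attributes: #{denied.join(', ')}"
    end
    attrs.each { |name, value| @attributes[name.to_s] = value }
    true
  end
end

# Hypothetical model: forms may set :notes, only server-side code may set :address_id.
class Order < MiniModel
  attr_accessible :notes
  attr_accessible :address_id, :as => :internal
end

# Constructed request parameters carrying an extra address_id field.
FORGED_PARAMS = { "notes" => "leave at door", "address_id" => 999 }

def forged_params_rejected?
  Order.new.update_attributes(FORGED_PARAMS)
  false
rescue MassAssignmentError
  true
end

# What update_order_address_id would do with the scoped role.
def set_address_internally(id)
  order = Order.new
  order.update_attributes({ :address_id => id }, :as => :internal)
  order.attributes["address_id"]
end
```

With a plain `attr_accessible :address_id` in the default role, the constructed parameters above would be accepted as well, so the role-scoped form is the narrower fix.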