Edit 1 : This is related to CanCan gem.
This is a nested_attributes issue. On single form the user can create an Account, a User account (as 'owner') and a Team --- all linked to the account. The form works fine with the Owner-only nested attribute, but once I add the Team nested attributes I get an ActiveModel::ForbiddenAttributesError. I've researched the build method for nested models, and I think my syntax is correct in my accounts controller -- note the difference between has_one and has_many. I really hit a wall... Thanks for any help.
My models are :
class Account < ActiveRecord::Base
RESTRICTED_SUBDOMAINS = %w(www)
has_one :owner, class_name: 'User'
has_many :teams
validates :owner, presence: true
validates :name, presence: true
accepts_nested_attributes_for :owner, :teams
class Team < ActiveRecord::Base
acts_as_tenant :account
has_many :users
belongs_to :account
validates_inclusion_of :active, :in => [true, false]
validates :name, presence: true, allow_nil: false
validates_uniqueness_to_tenant :name
class User < ActiveRecord::Base
devise :invitable, :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
acts_as_tenant :account
belongs_to :team
validates :lastname, presence: true, allow_nil: false
validates :firstname, presence: true, allow_nil: false
validates_uniqueness_to_tenant :email
def self.current_id
Thread.current_user[:user_id]
end
My Accounts controller :
Edit 2 : if I comment out load_and_authorize_resourceit works.
class AccountsController < ApplicationController
skip_before_filter :authenticate_user!, only: [:new, :create]
#load_and_authorize_resource
def new
@account = Account.new
@account.build_owner
@account.teams.build
#@account.teams.build(teams_params) # tried this
#@account.teams.build(params[:team]) # tried this
end
def create
@account = Account.new(account_params)
respond_to do |format|
if @account.save
format.html { redirect_to new_user_session_url(subdomain: @account.subdomain) }
else
format.html { render action: 'new' }
format.json { render json: @account.errors, status: :unprocessable_entity }
end
end
end
Private
def account_params
params.require(:account).permit(:subdomain, :name, :logo, :owner_id, :time_zone, :default_language, :publish_to_wall_new_employee, :publish_to_wall_new_document, :publish_to_wall_published_schedule, :publish_to_wall_modified_schedule, teams_attributes: [:id, :name, :account_id], owner_attributes: [:lastname, :firstname, :email, :password, :password_confirmation, :account_id])
end
end
In my Teams controller, I have :
private
def team_params
params.require(:team).permit(:name, :active, :account_id)
end
In my Users controller, I have :
private
def user_params
params.require(:user).permit(:firstname, :lastname, :email, :account_id, :avatar, :role, :street_address, :zip, :city, :phone, :dob, :pob, :citizenship, :team_id, :contract_time)
end
My form is quite long, so this is just an excerpt :
<%= form_for @account, html: {id: 'accounts-new-form'} do |f| %>
<%= f.fields_for :owner do |o| %>
<%= o.label :firstname, "Your firstname" %>
<%= o.text_field :firstname, options = {class: "form-control required", rel: "FirstName"} %>
<% end %>
<%= f.label :subdomain, "Choose a subdomain" %>
<%= f.text_field :subdomain, options = {class: "form-control required", rel: "Subdomain"} %>
<%= f.fields_for :teams do |t| %>
<%= t.label :name, "Choose a team name" %>
<%= t.text_field :name, options = {class: "form-control required", rel: "Team"} %>
<% end %>
<%= f.submit class: 'btn btn-primary' %>
Below beginning of full error message :
Processing by AccountsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"UTdyTCq3hpxR/w23JzJnWYozOLQhxpfOZPLql6b5+m8=", "account"=>{"owner_attributes"=>{"firstname"=>"john", "lastname"=>"Doe", "email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "name"=>"Test8 Inc", "subdomain"=>"test8", "teams_attributes"=>{"0"=>{"name"=>"Test8-Team-A"}}}, "commit"=>"Create Account"}
Account Load (0.6ms) SELECT "accounts".* FROM "accounts" WHERE "accounts"."subdomain" IS NULL ORDER BY "accounts"."id" ASC LIMIT 1
Account Load (0.4ms) SELECT "accounts".* FROM "accounts" WHERE "accounts"."subdomain" = '' LIMIT 1
Completed 500 Internal Server Error in 10ms
ActiveModel::ForbiddenAttributesError - ActiveModel::ForbiddenAttributesError:
activemodel (4.1.1) lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment'
activerecord (4.1.1) lib/active_record/attribute_assignment.rb:24:in `assign_attributes'
activerecord (4.1.1) lib/active_record/core.rb:452:in `init_attributes'
activerecord (4.1.1) lib/active_record/core.rb:198:in `initialize'
activerecord (4.1.1) lib/active_record/inheritance.rb:30:in `new'
cancan (1.6.10) lib/cancan/controller_resource.rb:85:in `build_resource'
cancan (1.6.10) lib/cancan/controller_resource.rb:66:in `load_resource_instance'
cancan (1.6.10) lib/cancan/controller_resource.rb:32:in `load_resource'
cancan (1.6.10) lib/cancan/controller_resource.rb:25:in `load_and_authorize_resource'
cancan (1.6.10) lib/cancan/controller_resource.rb:10:in `block in add_before_filter'
activesupport (4.1.1) lib/active_support/callbacks.rb:440:in `block in make_lambda'
activesupport (4.1.1) lib/active_support/callbacks.rb:160:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
activesupport (4.1.1) lib/active_support/callbacks.rb:166:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
activesupport (4.1.1) lib/active_support/callbacks.rb:166:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:166:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:229:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:166:in `block in halting'
activesupport (4.1.1) lib/active_support/callbacks.rb:86:in `run_callbacks'
Edit 3 : this is my ability.rb :
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
can :create, Account
# only owner can read & manage Account details
can :manage, Account if user.role == "owner"
cannot :read, Account if user.role == "employee"
cannot :read, Account if user.role == "manager"
# owner has full access to User details, manager can create/edit all User details, employee can read/list other User details
# employee can edit own details except contract information
can :manage, User if user.role == "owner"
can :manage, User if user.role == "manager"
cannot :update, User if user.role == "employee"
can :update, User, :id => user.id # a user can only update its own record
can :avatar, User, :id => user.id # a user can only edit own photo
can :address, User, :id => user.id # a user can only update its own address
can :view_contract, User, :id => user.id # a user cannot updedit own contract infos
can :read, User if user.role == "employee"
can :home, User if user.role == "employee"
end
end
In your fields_for for team:
<%= f.fields_for :teams do |t| %>
Apparently Rails is not generating teams_attributes for parameter, but just team. As you don't whitelist team, you get this error.