
Experiencing ForbiddenAttributesError when creating Deck in Intro Workshop

(Rick Peyton) #1

I am working through the Intro Rails Workshop, but I am running into an error ActiveModel::ForbiddenAttributesError in DecksController#create in my DecksController create method.

Admittedly I am not following the instructions as I am running Rails 4.1.1 and Ruby 2.1.2 rather than the prescribed versions. But this certainly seems like something I am going to need to learn how to resolve.

Here is my form

<%= link_to "New deck", "/decks/new" %>

<% @decks.each do |deck| %>
  <div><%= link_to deck.name, "/decks/#{deck.id}" %></div>
<% end %>

And here is my method

  def create
    @deck = Deck.new(params["deck"])
    redirect_to "/decks"
  end

I would appreciate any help you can give to assist me in understanding this error.

Rails is telling me this line is causing the error.

@deck = Deck.new(params["deck"])


(Rick Peyton) #2


I was able to resolve the error with the following modification to my code.

But even though this works – is this correct?

  def create
    @deck = Deck.new(deck_params)
    redirect_to "/decks"

    def deck_params

(Geoff Harcourt) #3

Rails 4 makes strong parameters the default. This means that unless you override the protections, you have to filter your parameters using #permit (what you’ve done here on parameter filtering looks OK). The idea is to prevent mass assignment security holes, such as someone submitting an admin: true item when updating their password, and then making themselves an admin, etc.

This change moves parameter filtering from the model to the controller, which is a win because different controllers or methods or roles can have different rules for what parameters get filtered.
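
Added example (not part of the original thread, and not Rails' own code): a plain-Ruby sketch of the behaviour described in post #3. `SketchParams`, `SketchUser`, `user_params` and the request body are hypothetical stand-ins constructed for illustration; they model how an unfiltered params object is refused and how a controller-side allow-list that differs by role drops an injected `admin` flag.

```ruby
# Simplified stand-in for Rails strong parameters (constructed for illustration;
# the class names are hypothetical, not Rails' own classes).
class ForbiddenAttributes < StandardError; end

class SketchParams
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Like params.require(:user): fetch the nested hash or fail loudly.
  def require(key)
    value = @hash.fetch(key.to_s) { raise KeyError, "param is missing: #{key}" }
    SketchParams.new(value)
  end

  # Like #permit: return a copy holding only allow-listed keys, marked permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    SketchParams.new(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  def to_h
    @hash.dup
  end
end

# Model that refuses params nobody has filtered, as ActiveModel does in Rails 4.
class SketchUser
  attr_reader :attributes

  def initialize(params)
    raise ForbiddenAttributes unless params.permitted?
    @attributes = { "admin" => false }.merge(params.to_h)
  end
end

# Controller-side rules: the allow-list depends on who is making the request.
def user_params(params, acting_as_admin:)
  keys = acting_as_admin ? %i[password admin] : %i[password]
  params.require(:user).permit(*keys)
end

# Constructed request body: a password change with an extra admin flag added.
REQUEST = { "user" => { "password" => "new-secret", "admin" => true } }.freeze
```

Passing `SketchParams.new(REQUEST).require(:user)` straight to `SketchUser.new` raises, while routing it through `user_params` with `acting_as_admin: false` keeps the password and discards the `admin` key.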

(Rick Peyton) #4

Very helpful. I appreciate the reply!