Based on a previous Q&A on Stack Overflow, I added the following to application.rb:
    config.active_record.whitelist_attributes = false
as I was getting errors of the type "Can’t mass-assign protected attributes".
After I did that, it seemed as if everything was working fine. I am now getting that same error, but it’s a false negative. Note that even though I am getting an error, the column is actually updated.
Here’s the debugger output:
Started PUT "/categories/5" for 127.0.0.1 at 2012-07-09 11:26:40 -0700
Processing by CategoriesController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"SifcfX29c+mGRIJXvUWGnZ8mBelMm4uZloYsoO317SY=", "admin_selections"=>{"admin1"=>"56", "admin2"=>"55", "admin3"=>"", "admin4"=>"", "admin5"=>"", "admin6"=>"", "admin7"=>"", "admin8"=>""}, "category"=>{"update_admins_field"=>"1"}, "commit"=>"Update Category", "id"=>"5"}
Category Load (0.2ms) SELECT `categories`.* FROM `categories` WHERE `categories`.`id` = 5 LIMIT 1
(0.1ms) BEGIN
(0.2ms) UPDATE `categories` SET `admins` = '[\"56\",\"55\",\"\"]', `updated_at` = '2012-07-09 18:26:40' WHERE `categories`.`id` = 5
(1.3ms) COMMIT
(0.1ms) BEGIN
(0.1ms) ROLLBACK
Completed 500 Internal Server Error in 5ms
ActiveModel::MassAssignmentSecurity::Error (Can't mass-assign protected attributes: utf8, _method, authenticity_token, category, commit, action, controller, id):
app/controllers/categories_controller.rb:74:in `block in update'
app/controllers/categories_controller.rb:62:in `update'
It seems as if the MySQL code is properly generated, but then there’s a rollback and 500 error.
Here’s the relevant code from categories_controller.rb:
    def update
      @category = Category.find(params[:id])
      respond_to do |format| #this is line 62
        if params[:category][:update_admins_field]
          params['admins'] = return_admins_json(params)
          if @category.update_attribute(:admins, params['admins'])
            format.html { redirect_to @category, notice: 'Category was successfully updated.' } #line 66
            format.json { head :no_content }
          end
        else
          format.html { redirect_to @category, notice: 'Category was not successfully updated.' }
          format.json { head :no_content }
        end
        if @category.update_attributes(params) #line 74
          format.html { redirect_to @category, notice: 'Category was successfully updated.' }
          format.json { head :no_content }
        else
          format.html { render action: "edit" }
          format.json { render json: @category.errors, status: :unprocessable_entity }
        end
      end
    end
Why is it getting to line 74? Shouldn’t the user have been redirected at line 66? Why am I also getting an error when the update takes place?
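The error in the log above names every top-level request key (utf8, authenticity_token, commit and so on) because the whole params hash reached the mass-assignment call at line 74. The sketch below is an added example, not code from the post or from Rails: WhitelistedModel, MassAssignmentError, try_update and the name column are hypothetical stand-ins for a strict attribute whitelist, used to show which inputs such a whitelist accepts and rejects.

```ruby
# Added illustration: a plain-Ruby stand-in for a model with a strict
# attribute whitelist. These class names are hypothetical, not Rails classes.
class MassAssignmentError < StandardError; end

class WhitelistedModel
  class << self
    attr_reader :accessible_names

    # Class-level whitelist, in the spirit of attr_accessible.
    def accessible(*names)
      @accessible_names = names.map(&:to_s)
    end
  end

  def attributes
    @attributes ||= {}
  end

  # Reject the whole call if any key is off the whitelist, so nothing is
  # written when the input carries unexpected keys.
  def update_attributes(input)
    rejected = input.keys.map(&:to_s) - Array(self.class.accessible_names)
    unless rejected.empty?
      raise MassAssignmentError,
            "Can't mass-assign protected attributes: #{rejected.join(', ')}"
    end
    input.each { |key, value| attributes[key.to_s] = value }
    true
  end
end

class Category < WhitelistedModel
  accessible :name # assumed column; "admins" is deliberately left off the list
end

# Constructed request parameters shaped like the ones in the log above.
PARAMS = {
  "utf8" => "\u2713", "authenticity_token" => "placeholder",
  "category" => { "name" => "Books" }, "commit" => "Update Category", "id" => "5"
}.freeze

# Returns the stored attributes on success, or the error message on rejection.
def try_update(input)
  category = Category.new
  category.update_attributes(input)
  category.attributes
rescue MassAssignmentError => e
  e.message
end

puts try_update(PARAMS).inspect             # whole request hash: rejected
puts try_update(PARAMS["category"]).inspect # nested model hash only: accepted
puts try_update(PARAMS["category"].merge("admins" => '["1"]')).inspect # rejected
```

Only the nested model hash passes; a privileged column such as admins stays settable only through code that assigns it explicitly, as the controller does with update_attribute.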
You should set whitelist_attributes to true, and use attr_accessible in each model for security reasons. Here is information on that:
http://guides.rubyonrails.org/security.html#mass-assignment
Also, read Niiru’s comment above.
Edit:
In your control flow, I think it's not doing what you want. If it gets to line 74, it probably passed the first if conditional
And then failed the second if
And then exited that if/else/end and continued to line 74 as no return had been called yet. To fix this, I think you want something like this: