Home/ Questions/Q 8560985
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T16:24:02+00:00

I am trying to have a nested form on my users/new page, where it

  • 0

I am trying to have a nested form on my users/new page, where it accepts user-attributes and also company-attributes. When you submit the form:

Here’s what my error message reads:

ActiveModel::MassAssignmentSecurity::Error in UsersController#create
Can't mass-assign protected attributes: companies
app/controllers/users_controller.rb:12:in `create'

Here’s the code for my form:

<%= form_for @user do |f| %>
      <%= render 'shared/error_messages', object: f.object %> 

      <%= f.fields_for :companies do |c| %>

      <%= c.label :name, "Company Name"%>
      <%= c.text_field :name %>

      <% end %>

      <%= f.label :name %>
      <%= f.text_field :name %>

      <%= f.label :email %>
      <%= f.text_field :email %>

      <%= f.label :password %>
      <%= f.password_field :password %>

      <%= f.label :password_confirmation %>
      <%= f.password_field :password_confirmation %>
      <br>
      <% if current_page?(signup_path) %>
      <%= f.submit "Sign Up", class: "btn btn-large btn-primary" %>     Or, <%= link_to "Login", login_path %>
      <% else %>
      <%= f.submit "Update User", class: "btn btn-large btn-primary" %>
      <% end %>
<% end %>

Users Controller:

   class UsersController < ApplicationController

  def index
    @user = User.all
  end

  def new
    @user = User.new
  end

  def create
    @user = User.create(params[:user])
    if @user.save
      session[:user_id] = @user.id #once user account has been created, a session is not automatically created. This fixes that by setting their session id.  This could be put into Controller action to clean up duplication.
      flash[:success] = "Your account has been created!"
      redirect_to tasks_path
    else
       render 'new'
    end
  end

  def show
    @user = User.find(params[:id])
    @tasks = @user.tasks
  end

  def edit
    @user = User.find(params[:id])
  end

  def update
    @user = User.find(params[:id])
    if @user.update_attributes(params[:user])
      flash[:success] = @user.name.possessive + " profile has been updated"
      redirect_to @user
    else
      render 'edit'
    end

    #if @task.update_attributes params[:task]
    #redirect_to users_path
    #flash[:success] = "User was successfully updated."
    #end
end

  def destroy
    @user = User.find(params[:id])
    unless current_user == @user
      @user.destroy
      flash[:success] = "The User has been deleted."
    end
    redirect_to users_path
    flash[:error] = "Error. You can't delete yourself!"
  end

end

Company Controller

    class CompaniesController < ApplicationController

  def index
    @companies = Company.all
  end

  def new
    @company = Company.new
  end

  def edit
    @company = Company.find(params[:id])
  end

  def create
    @company = Company.create(params[:company])
    #if @company.save
      #session[:user_id] = @user.id #once user account has been created, a session is not automatically created. This fixes that by setting their session id.  This could be put into Controller action to clean up duplication.
      #flash[:success] = "Your account has been created!"
      #redirect_to tasks_path
    #else
       #render 'new'
    #end
  end

  def show
    @comnpany = Company.find(params[:id])
  end

end

User model

class User < ActiveRecord::Base
  has_secure_password

  attr_accessible :name, :email, :password, :password_confirmation
  has_many :tasks, dependent: :destroy
  belongs_to :company
  accepts_nested_attributes_for :company

  validates :name, presence: true, length: { maximum: 50 }
  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
  validates :email, presence:   true,
                    format:     { with: VALID_EMAIL_REGEX },
                    uniqueness: { case_sensitive: false }
  validates :password, length: { minimum: 6 }
  #below not needed anymore, due to has_secure_password
  #validates :password_confirmation, presence: true  
end

Company Model

    class Company < ActiveRecord::Base
  attr_accessible :name
  has_and_belongs_to_many :users
end
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First for debugging put the bang on the create in the two controllers like so: create! Your log may spit out more.

    Then, if that sucked, try it the old fashioned way of Building the two Objects and assigning each one with the params.

    I assume also that this is it for attributes, no after saves that should have more to the schema then you are showing.

    Lastly, you are missing 

    def new
  @user = User.new
  @company = @user.companies.build
end

    Print out the params too, just in case it says something wonky but adding this line: as @Beerlington said should work too :company_attributes, maybe companies_attributes… spit balling here.

    • 0