Rails3: ActiveRecord accepts_nested_attributes_for not working (can’tmass-assign protected attributes)

In one of my applications I ran into a situation where I needed to have a single form handle a model as well as several of its associations. Meaning I needed the form to handle CRUD events for the model plus the associated models auto-magically. With that objective I remembered a RailsCast.com video cast explaining how to use the ActiveRecord ‘accepts_nested_attributes_for’ method.

So I jumped on the web and coded along while I watched the cast. But for some strange reason the code from the cast just wouldn’t work. When I saved the survey no associated questions were saved to the database despite the fact that the survey came back as successfully saved. So I triple checked that I had it all correct. Once I was satisfied that it was correct I started digging deeper when I noticed in the passenger logs in my console the following error message hidden nicely within the POST printout and the SQL statements.


WARNING: Can’t mass-assign protected attributes: questions_attributes


That made me think, Rails has started doing a much better job protecting our applications from Mass-Assignment attacks by requiring us to explicitly set the model attributes which are accessible and can be directly updated via a form post. I then reviewed the POST parameters to see what was being returned by the form (see below).


Parameters: {“utf8″=>”✓”, “authenticity_token”=>”8XugXn/UwE+m4m2BR2pfTy7oVfUI+jKnPYaSNwKiD1s=”, “survey”=>{“name”=>”test”, “questions_attributes”=>{“0″=>{“content”=>”question1”}, “1”=>{“content”=>”question2”}, “2”=>{“content”=>”question3”}}}, “commit”=>”Submit”}


Within the parameter list for the survey sent back by the form I noticed the addition of the ‘questions_attributes’ hash which holds each question with its associated hash of fields and values. Being that the ‘questions_attribute’ is a newly introduced attribute to a survey via the ‘accepts_nested_attributes_for’ method it now becomes filtered by Rails as NOT mass-assignable.

Once I added ‘questions_attributes’ to the survey model’s ‘attr_accessible’ method and retested it worked without an issue. Hope this helps those who might be stuck trying to get nested forms to work.

Published by

Tim Clark

Experienced Business Owner, Chief Information Officer, Vice President, Chief Software Architect, Application Architect, Project Manager, Software Developer, Senior Web Developer, Graphic Designer & 3D Modeler, University Instructor, University Program Chair, Academic Director. Specialties: Ruby, Ruby on Rails, JavaScript, JQuery, AJAX, Node.js, React.js, Angular.js, MySQL, PostgreSQL, MongoDB, SQL Server, Responsive Design, HTML5, XHTML, CSS3, C#, ASP.net, Project Management, System Design/Architecture, Web Design, Web Development, Adobe CS6 (Photoshop, Illustrator)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s