WARNING:“Can't mass-assign protected attributes: created_at, updated_at”,when I use gem ''omniauth-identity"

Question

I get this error

ActiveModel::MassAssignmentSecurity::Error in SessionsController#create

Can't mass-assign protected attributes: created_at, updated_at

I think I can add some codes to solve this problem.

class User < ActiveRecord::Base
  attr_accessible :email, :nickname, :authentications_attributes, :created_at, :updated_at

Why Omniauth changes the created_at and updated_at? In addition to add "attr_accessible :created_at, :updated_at", there are other ways?

This is my models/user.rb

class User < ActiveRecord::Base
  attr_accessible :email, :nickname, :authentications_attributes, :created_at, :updated_at
  validates :nickname, :presence => true
  validates :email, :presence => true, :uniqueness => true
  has_many :authentications

  accepts_nested_attributes_for :authentications

  class << self
    def from_auth(auth)
      Authentication.find_by_provider_and_uid(auth[:provider],
                                              auth[:uid]).try(:user) ||
        create!(
          :nickname => auth[:info][:nickname],
          :email => auth[:info][:email],
          :authentications_attributes => [
            Authentication.new(:provider => auth[:provider],
                               :uid => auth[:uid]
                              ).attributes
      ])
    end
  end


end

This is my models/identity.rb

class Identity < OmniAuth::Identity::Models::ActiveRecord
  attr_accessible :nickname, :email, :password, :password_confirmation, :authentications_attributes
  validates_presence_of :nickname, :email
  validates_uniqueness_of :nickname, :email
  validates_format_of :email, :with => /^[-a-z0-9_+\.]+\@([-a-z0-9]+\.)+[a-z0-9]{2,4}$/i
end

This is my models/authentication.rb

class Authentication < ActiveRecord::Base
  attr_accessible :user_id, :provider, :uid, :authentications_attributes, :created_at, :updated_at
  validates :provider, :presence => true, :uniqueness => {:scope => :user_id}
  validates :uid, :presence => true, :uniqueness => {:scope => :provider}
  belongs_to :user
end

This is my controllers/sessions_controller.rb

class SessionsController < ApplicationController
  def create
    user = User.from_auth(request.env['omniauth.auth'])
    session[:user_id] = user.id
    flash[:notice] = "Welcome #{user.nickname}"
    redirect_to root_path
  end
end

Thanks for your thoughts and pointers.

Answer 1

The problem is this bit of code:

Authentication.new(:provider => auth[:provider],
                   :uid => auth[:uid]
                  ).attributes

This will return the full set of attributes, including the created_at and updated_at dates, which you're then passing to create, so mass assigning.

You could create the user, then build the attributes like so:

authentication = Authentication.find_by_provider_and_uid(auth[:provider], 
                                                       auth[:uid]).try(:user)

unless authentication
  user = create!(
      :nickname => auth[:info][:nickname],
      :email => auth[:info][:email])
  user.authentications.build(:provider => auth[:provider])
end