Question

This is not the average mass-assign protected attributes question. In my application, when my application loads, I get an Internal 500 error in my network tab in Chrome. Now I have the following create action in my WidgetController:

``` ruby
def create
  @widget = Widget.new(params[:widget])
  @user = current_user
  if @widget.save
    WidgetPermission.create( widget: @widget, user: @user)
    render json: @widget, status: :created, location: @widget
  else
    render json: @widget.errors, status: :unprocessable_entity
  end
end
```

My models are set up as follows:

``` ruby
class WidgetPermission < ActiveRecord::Base
  attr_accessible :action, :description, :name, :subject_class, :subject_id, :user_id, :widget_id
  belongs_to :user
  belongs_to :widget
end

class Widget < ActiveRecord::Base
  attr_accessible :name, :snippets, :snippets_attributes
  has_many :snippets
  has_many :widget_permissions
end

require 'rolify'
class User < ActiveRecord::Base
  extend Rolify
  rolify
  # Include default devise modules. Others available are:
  # :token_authenticatable, :confirmable,
  # :lockable, :timeoutable and :omniauthable
  devise :invitable, :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

  # Setup accessible (or protected) attributes for your model
  attr_accessible :role_ids, :as => :admin
  attr_accessible :name, :email, :password, :password_confirmation, :remember_me

  has_many :widgets, through: :widget_permissions
  has_many :widget_permissions
end
```

The backtrace I get from the response tab when inspecting the failing request is as follows:

ActiveModel::MassAssignmentSecurity::Error at /api/widgets
==========================================================

> Can't mass-assign protected attributes: widget, user

app/controllers/widgets_controller.rb, line 31
----------------------------------------------

``` ruby
   26     # POST /widgets.json
   27     def create
   28       @widget = Widget.new(params[:widget])
   29       @user = current_user
   30       if @widget.save
>  31         WidgetPermission.create( widget: @widget, user: @user)
   32         #can :manage, Widget, id: @widget.id
   33         #user.widget_permissions.create action: :manage, subject_class: 'Widget', subject_id: @widget.id
   34         render json: @widget, status: :created, location: @widget
   35       else
   36         render json: @widget.errors, status: :unprocessable_entity
```

App backtrace
-------------

 - app/controllers/widgets_controller.rb:31:in `create'

Full backtrace
--------------

 - activemodel (3.2.12) lib/active_model/mass_assignment_security/sanitizer.rb:48:in `process_removed_attributes'
 - activemodel (3.2.12) lib/active_model/mass_assignment_security/sanitizer.rb:20:in `debug_protected_attribute_removal'
 - activemodel (3.2.12) lib/active_model/mass_assignment_security/sanitizer.rb:12:in `sanitize'
 - activemodel (3.2.12) lib/active_model/mass_assignment_security.rb:230:in `sanitize_for_mass_assignment'
 - activerecord (3.2.12) lib/active_record/attribute_assignment.rb:75:in `assign_attributes'
 - activerecord (3.2.12) lib/active_record/base.rb:497:in `initialize'
 - activerecord (3.2.12) lib/active_record/persistence.rb:44:in `create'

Solution

In the attr_accessible you have marked user_id, widget_id, but you are sending parameters as

``` ruby
WidgetPermission.create( widget: @widget, user: @user)
```

Try this:

``` ruby
WidgetPermission.create( widget_id: @widget.id, user_id: @user.id)
```

OTHER TIPS

Please be careful about what you have added in the model for attr_accessible and what you are accessing

:subject_id, :user_id in WidgetPermission

``` ruby
class WidgetPermission < ActiveRecord::Base
  attr_accessible :action, :description, :name, :subject_class, :subject_id, :user_id, :widget_id
  belongs_to :user
  belongs_to :widget
end
```

And while creating

``` ruby
WidgetPermission.create( widget: @widget, user: @user)
```
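The name-based whitelist check that both answers point at, as an added example that is not part of the original question or answers and is not Rails' own code: `ToyModel`, `MassAssignmentError` and `try_create` are hypothetical names for a plain-Ruby stand-in for the strict sanitizer seen in the backtrace, and the values passed in are constructed.

```ruby
# Plain-Ruby model of a strict attr_accessible whitelist (illustration only).
class MassAssignmentError < StandardError; end

class ToyModel
  class << self
    # Whitelist macro: only these key names may be set through new/create.
    def attr_accessible(*names)
      accessible.concat(names.map(&:to_s))
    end

    def accessible
      @accessible ||= []
    end

    alias create new
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    # Keys are compared by name only: "widget" is not "widget_id".
    rejected = attrs.keys.map(&:to_s) - self.class.accessible
    unless rejected.empty?
      raise MassAssignmentError,
            "Can't mass-assign protected attributes: #{rejected.join(', ')}"
    end
    attrs.each { |key, value| @attributes[key.to_s] = value }
  end
end

# Same whitelist as the WidgetPermission model in the question.
class WidgetPermission < ToyModel
  attr_accessible :action, :description, :name, :subject_class,
                  :subject_id, :user_id, :widget_id
end

# Returns the stored attributes, or the error message when a key is rejected.
def try_create(attrs)
  WidgetPermission.create(attrs).attributes
rescue MassAssignmentError => e
  e.message
end

# Constructed stand-ins for @widget and @user from the controller.
puts try_create(widget: :a_widget, user: :a_user)
puts try_create(widget_id: 7, user_id: 42).inspect
```

Because the check is purely by key name, every name on the whitelist (including `user_id` here) is also assignable from any hash passed to `create`, so values such as the owning user should keep coming from server-side state like `current_user` rather than from request parameters.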
Licensed under: CC-BY-SA with attribution