Can't mass-assign protected attributes: email, password

Question

I know that you should use "attr_accessible" to allow mass-assign protection, and that's actually what I do in my user model. How come it still complains?

Can't mass-assign protected attributes: email, password

user controller:

class UsersController < ApplicationController

  def index
    @users = User.new
  end

  def show
    @user = User.find(2)
  end

  def login
    @user = Project.new(params[:user])
    ...
  end

end

user model:

class User < ActiveRecord::Base
  has_and_belongs_to_many :projects
  belongs_to :project
  belongs_to :ticket

  # Setup accessible (or protected) attributes for your model
  attr_accessible :email, :password
end

the view, _navigation.html.erb:

<%= form_for("user", :url => login_users_path, :html => { :method => :post }) do |f| %>
    <%= f.label :email%>
    <%= f.text_field(:email, :size => 30, :class => 'login_field', :placeholder => 'Användarnamn')%>
    <%= f.label :password%>
    <%= f.text_field(:password, :size => 30, :class => 'login_field', :placeholder => 'Lösenord')%>

    <%= f.submit "Logga in", :class => 'login_submit btn btn-primary' %>
<% end %>

from config/routes.rb:

resources :users do
  post :login, on: :collection, as: :login
end

Because I'm using the collection above it should (as far as I understand) be the correct control / model (user) that I'm using?

Answer 1

I think it should be User not Project

   def login
     @user = User.new(params[:user])
     ...
   end

Answer 2

You should also change your index action to:

def index
  @users = Users.all
end

And show action to:

def show
  @user = User.find(params[:id])
end