ActiveModel::ForbiddenAttributesError - Rails4

Question

Environment:

Windows 8.1
Rails4
Ruby 2

I am using Devise and I have two separate controllers: users_controller.rb and registrations_controller.rb.

Following is my registrations_controller.rb:

class RegistrationsController < Devise::RegistrationsController

  before_filter :update_sanitized_params, if: :devise_controller?

  def update_sanitized_params
    devise_parameter_sanitizer.for(:sign_up) {|u| u.permit(:first, :last,
                                                           :email, :password,
                                                           :password_conf, :password_changed_at)}
    devise_parameter_sanitizer.for(:account_update) {|u| u.permit(:first, :last, :salutation,
                                                           :email, :password,
                                                           :password_conf, :password_changed_at, :current_passwor)}
  end

  # GET /registrations/new
  def new
    super
  end

  # POST /registrations
  # POST /registrations.json
  def create
    @user = User.new(registration_params)
    @user.email = @user.email.downcase
    #@user.slug = "#{@user.first.downcase}_#{@user.last.downcase}_#{@user.email}"
    respond_to do |format|
      if @user.save
        format.html { redirect_to @user, notice: t('registration_successfully_created') }
        format.json { render :show, status: :created, location: @user }
      else
        format.html { render :new }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /registrations/1
  # DELETE /registrations/1.json
  def destroy
    @user.destroy
    respond_to do |format|
      format.html { redirect_to registrations_url }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_registration
      @user = User.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def registration_params
      params[:user]
    end
end

and following is my User model: user.rb

class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable,
         :password_expirable, :confirmable, :lockable, :timeoutable

  validates :first, presence: true
  validates :last, presence: true
  validates :email, :email => true, presence: true, uniqueness: {case_sensitive: false}
  before_save { |user| user.email = email.downcase }
end    

When I try to create a new user, I get an error message:

ActiveModel::ForbiddenAttributesError

The following line is highlighted in the registrations controller:

 @user = User.new(registration_params)

Witht the additional debug information:

{"utf8"=>"✓", "authenticity_token"=>"CRwY4emBZJXhH7kMNGQZR5H1D3D0IJrHCnBzs5PTE8U=", "user"=>{"email"=>"xxxx@jkjjjkj.com", "password"=>"xxxxxxx", "password_confirmation"=>"xxxxxxx", "first"=>"John", "last"=>"Doe"}, "commit"=>"Create User", "action"=>"create", "controller"=>"registrations"}

Any ideas?

Answer 1

You have defined a method for strong parameters but you cannot just return the params hash - instead you have to specifically whitelist the attributes you wish to pass on to the model.

def registration_params
  params.require(:user).permit(:email, :password, :password_confirmation, ...)   # etc for the rest of your attributes
end