"WARNING: Can't mass-assign protected attributes"
Don't confuse attr_accessor
with attr_accessible
. Accessor is built into Ruby and defines a getter method - model_instance.foo # returns something
- and a setter method - model_instance.foo = 'bar'
.
Accessible is defined by Rails and makes the attribute mass-assignable (does the opposite of attr_protected
).
If first_name
is a field in your model's database table, then Rails has already defined getters and setters for that attribute. All you need to do is add attr_accessible :first_name
.
To hack your app together in an insecure way totally unfit for production mode:
Go to /config/application.rb Scroll down towards the end where you'll find
{config.active_record.whitelist_attributes = true}
Set it to false.
EDIT/btw (after 4 months of ruby-intensive work including an 11 week workshop): DHH believes that, for noobies (his words), "up and running" is more important than "very secure".
BE ADVISED: A a lot of experienced rails developers feel very passionate about not wanting you to do this.
UPDATE: 3 years later, another way to do this -- again, not secure, but better than the above solution probably because you have to do it for each model
class ModelName < ActiveRecord::Base
column_names.each do |col|
attr_accessible col.to_sym
end
...
end
Don't use attr_accessor here. ActiveRecord creates those automatically on the model. Also, ActiveRecord will not create a record if a validation or mass-assignment error is thrown.
EDIT: You don't need a doctors table, you need a users table with a type column to handle Rails Single Table Inheritance. The invitations will be on the users table. Ah, I see in your added code sample you do have type on users. Get rid of the doctors table, move invitations over to users, and I think you should be ok. Also get rid of the attr_accessor. Not needed.
Keep in mind that rails STI uses the same table for all classes and subclasses of a particular model. All of your Doctor records will be rows in the users table with a type of 'doctor'
EDIT: Also, are you sure you only want to validate presence of invitations on creation and not updates?