KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-May-30 21:06 UTC
Can't mass-assign these protected attributes?
I've run hundreds of migrations in my happy days with Rails but find an incredible anomaly here that I can't build a simple record in migrations. I'm getting the error:

Can't mass-assign these protected attributes: field1, field2, etc.

I found a few Googles about people recently having this problem running a FasterCSV import, but that's it. Any ideas are greatly appreciated.

Kathleen

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On May 30, 10:06 pm, "KathysK...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org" <KathysK...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I've run hundreds of migrations in my happy days with Rails but find
> an incredible anomaly here that I can't build a simple record in
> migrations. I'm getting the error:

Have you been using attr_protected or attr_accessible in your models? They prevent update_attributes, new, create etc... from assigning to the relevant fields.

Fred

> Can't mass-assign these protected attributes: field1, field2, etc.
> I found a few Googles about people recently having this problem
> running a FasterCSV import, but that's it.
> Any ideas are greatly appreciated.
> Kathleen
KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-May-31 12:56 UTC
Re: Can't mass-assign these protected attributes?
Mr. Cheung,
Thank you so much for your reply and hopefully this will help others using 'restful_authentication'. This line is automatically inserted into the USER model;

attr_accessible :login, :email, :password, :password_confirmation

If anyone is trying to embellish their user model with the ability for the user to EDIT or run a migration to load records, they will receive this message.

Can't mass-assign these protected attributes: field1, field2, etc

Would you just remove this line altogether?
Thank you,
Kathleen
On Sat, 31 May 2008 05:56:38 -0700 (PDT) "KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org" <KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Mr. Cheung,
> Thank you so much for your reply and hopefully this will help others
> using 'restful_authentication'. This line is automatically inserted
> into the USER model;
>
> attr_accessible :login, :email, :password, :password_confirmation
>
> If anyone is trying to embellish their user model with the ability for
> the user to EDIT or run a migration to load records, they will receive
> this message.
>
> Can't mass-assign these protected attributes: field1, field2, etc
>
> Would you just remove this line altogether?
> Thank you,
> Kathleen

The attr_accessible is there for a reason, to protect the application from malicious inputs. You might want to watch: http://railscasts.com/episodes/26 before you remove it altogether.

To summarize: Without attr_accessible there, a knowledgeable user can give themselves ownership of user resources or admin privileges. You might want to instead add the appropriate properties to the attr_accessible.

Regards,
Jon
Am also getting the same error. The application was working fine till yesterday night! All the models have become protected. I have been using authlogic for a long time now. It never caused me a problem. Can paperclip / oauth cause it? -- Posted via http://www.ruby-forum.com/.
Marnen Laibow-Koser
2009-Aug-18 14:45 UTC
Re: Can't mass-assign these protected attributes?
KathysKode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> I've run hundreds of migrations in my happy days with Rails but find
> an incredible anomaly here that I can't build a simple record in
> migrations.
[...]

Generally, you should not be building records in your migrations. What are you trying to do here?

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
I have found a solution to this problem!!!! (solution is geared for the newest version of rails etc, as of mid May 2012)

If you are simply doing early stage development stuff, you do not need the extra feature which blocks mass assignment. The thing is, GitHub was hacked by some dude (whitehat or black I'm not sure) but anyway, the hacker basically did it by changing the code a little bit in order to pass some values (boolean values indicating he was an admin or something) that weren't meant to be passed.

ANYWAY, here's how I fixed mine (bear in mind this is a security hole but you can deal with it later, to be honest. Nobody wants to hack me that's for damned sure, at least not yet)

- Go to /config/application.rb
- Scroll down towards the end where you'll find {config.active_record.whitelist_attributes = true}
- Set it to false (this is like turning off a firewall I guess)

That's it! This is the simple solution for early coding. You'll have to deal with this later as it is a pretty glaring security hole. But for now, just shut the damn thing off. Ruby is great and all, but coding is hard enough as it is. Good luck!

Oh yeah, in order to activate the changes (just to make sure essentially), I did a {rake db:migrate VERSION=0} to reset everything. Then a simple {rake db:migrate} to make sure the new changes were in place. I'm not sure if this is entirely necessary but it won't do any harm as long as your migration files are in good shape.

Partial credit goes to railscasts.com for this one, but not entirely. I didn't expect this to work.
Jeremy Walker
2012-May-18 11:12 UTC
Re: Re: Can't mass-assign these protected attributes?
On 17 May 2012 22:56, David D. <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I have found a solution to this problem!!!! (solution is geared for the
> newest version of rails etc, as of mid May 2012)
>
> If you are simply doing early stage development stuff, you do not need
> the extra feature which blocks mass assignment. The thing is, GitHub was
> hacked by some dude (whitehat or black I'm not sure) but anyway, the
> hacker basically did it by changing the code a little bit in order to
> pass some values (boolean values indicating he was an admin or
> something) that weren't meant to be passed.
>
> ANYWAY, here's how I fixed mine (bear in mind this is a security hole
> but you can deal with it later, to be honest. Nobody wants to hack me
> that's for damned sure, at least not yet) - Go to
> /config/application.rb - Scroll down towards the end where you'll find
> {config.active_record.whitelist_attributes = true} - Set it to false
> (this is like turning off a firewall I guess)
>
> That's it! This is the simple solution for early coding. You'll have to
> deal with this later as it is a pretty glaring security hole. But for
> now, just shut the damn thing off. Ruby is great and all, but coding is
> hard enough as it is. Good luck!

Another solution is just to use attr_accessible to specify the methods that should be publicly accessible, and then you don't end up with a security hole. Magic. I don't think that's a particularly hard thing to do and it shouldn't slow you down.

> Oh yeah, in order to activate the changes (just to make sure
> essentially), I did a {rake db:migrate VERSION=0} to reset everything.
> Then a simple {rake db:migrate} to make sure the new changes were in
> place. I'm not sure if this is entirely necessary but it won't do any
> harm as long as your migration files are in good shape.
>
> Partial credit goes to railscasts.com for this one, but not entirely. I
> didn't expect this to work.
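
The whitelist behaviour discussed in the replies above (Jon's point about admin privileges, and Jeremy's suggestion to list attributes instead of switching the check off), as an added example that is not part of any post in this thread. It is a plain-Ruby stand-in for attr_accessible, not ActiveRecord itself: the Model, OpenUser and User classes, the nickname and admin attributes and the request parameters are constructed, and the stand-in raises whenever a protected attribute is mass-assigned.

```ruby
# Plain-Ruby stand-in for ActiveRecord's attr_accessible whitelist (assumption:
# simplified semantics; every class and attribute name below is constructed).
class MassAssignmentError < StandardError; end

class Model
  def self.attr_accessible(*names)
    (@accessible ||= []).concat(names.map(&:to_s))
  end

  def self.accessible; @accessible; end   # nil means no whitelist was declared

  def initialize(attrs = {})
    self.attributes = attrs
  end

  # Mass assignment: the path taken by new, create and update_attributes.
  def attributes=(attrs)
    attrs = attrs.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    allowed = self.class.accessible
    blocked = allowed ? attrs.keys - allowed : []
    unless blocked.empty?
      raise MassAssignmentError, "Can't mass-assign these protected attributes: #{blocked.join(', ')}"
    end
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

class OpenUser < Model   # no whitelist: every setter is reachable from a form
  attr_accessor :login, :email, :nickname, :admin
end

class User < Model       # whitelist extended with the new editable field only
  attr_accessor :login, :email, :nickname, :admin
  attr_accessible :login, :email, :nickname
end

# Constructed request parameters: a profile edit plus one injected field.
PARAMS = { "login" => "kathleen", "nickname" => "kat", "admin" => true }.freeze

def try_assign(klass, params)
  klass.new(params)
rescue MassAssignmentError => e
  e.message
end

# Trusted code (seed task, console) sets a protected field through its setter.
def seed_admin
  User.new("login" => "root").tap { |u| u.admin = true }
end
```

Adding nickname to the whitelist makes the edit form work while admin stays out of reach of submitted parameters; code that legitimately needs to set admin does so explicitly, as seed_admin does.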