I have a nested form containing virtual attributes :card_number and :card_verification. When I try to build with these in the controller update action, I get ActiveRecord::UnknownAttributeError.
The models have a simple has_one relationship, where an appointment has_one order
#/models/appointment.rb
class Appointment < ActiveRecord::Base
has_one :order
accepts_nested_attributes_for :order
attr_accessible (...)
end
#/models/order.rb
class Order < ActiveRecord::Base
belongs_to :appointment
attr_accessible :email, (...)
attr_accessor :card_number, :card_verification
end
I'm generating the form like this:
# /views/appointments/edit.html.erb
<%= form_for @appointment do |f| %>
...
<%= f.fields_for @appointment.order do |builder| %>
<%= builder.label :email %>
<%= builder.text_field :email %> # works fine on its own
...
<%= f.label :card_number %>
<%= f.text_field :card_number %>
<%= f.label :card_verification %>
<%= f.text_field :card_verification %>
<% end %>
...
<% end %>
And building in the controller:
# /controllers/appointments_controller.rb
def update
@appointment = Appointment.find(params[:id])
@order = @appointment.build_order(params[:appointment]['order']) # This line is failing
if @appointment.update_attributes(params[:appointment].except('order'))
# ... Success
else
# ... Failure
end
end
With this, I'm getting the error Can't mass-assign protected attributes: card_number, card_verification when I try to submit for update, with params:
{"utf8"=>"✓",
"_method"=>"put",
"authenticity_token"=>"KowchWLNmD9YtPhWhYfrNAOsDfhb7XHW5u4kdZ4MJ4=",
"appointment"=>{"business_name"=>"Name",
"contact_method"=>"Phone",
"contact_id"=>"555-123-4567",
"order"=>{"email"=>"[email protected]",
"first_name"=>"John",
"last_name"=>"Doe",
"card_number"=>"4111111111111111", # normally [FILTERED]
"card_verification"=>"123", # normally [FILTERED]
"card_type"=>"visa",
"card_expires_on(1i)"=>"2015",
"card_expires_on(2i)"=>"11",
"card_expires_on(3i)"=>"1",
"address_line_1"=>"123 Main St",
"address_line_2"=>"",
"city"=>"Anywhere",
"state"=>"CA",
"country"=>"USA",
"postal_code"=>"90210"}},
"commit"=>"Submit",
"id"=>"2"}
Everything works fine without the :card_number and :card_verification values included in the form.
Does anyone know what is going wrong here?
Edit:
I can get this working with:
@order = @appointment.build_order(params[:appointment]['order'].except('card_number', 'card_verification'))
but this seems a bit clunky. Are there any other ways to get around this?
The error message "Can't mass-assign protected attributes" is all about Mass Assignment Security. You can pass without_protection to ignore the mass assignment check.
This link explains what is mass assignment security. Rails Internals: Mass Assignment Security
If you want to specify mass assignable attrs, use attr_accessible :one, :another for your model attributes. If you need other non-model attributes, use attr_accessor :card_number, and then attr_accessible :card_number to declare and expose it.
I see you define card_number and card_verfication in Order model, but you use form_builder => f to define these two fields in html. Try using fields_for builder instead.