Forum: Ruby on Rails cancan breaks scoped mass assignment

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
51cdfc97866048aeb30af8c6abe70168?d=identicon&s=25 Serafino P. (serpico)
on 2012-03-30 20:19
Hi all,

I just installed cancan on a new project and found out that it creates
some problems with the new scoped mass assignment features of rails 3.2

Basically, in my User model I create some attr_accessible attributes in
order to avoid users to edit their roles or other sensitive information.
From the administration I allow admins to edit those protected
attributes by passing :without_protection => true on creation and update
of new users.

This works just fine, but adding cancan load_and_authorize_resource to
my controller triggers a "Can't mass-assign protected attributes:
...stuff..." . This happens also when using something like[:user], :role => :admin)

I really can't figure out how to solve this, so any help would be very

Thanks in advance.
B9c8cf2658a75506f045ea64174e0ee3?d=identicon&s=25 Joshua M. (josmar52789)
on 2013-01-29 18:00
(Received via mailing list)
I'm having that issue as well; I just told it to authorize_resource and
left off the load_resource.. But somehow I don't think that's actually a
fix, or even a secure way of handling things..

Almost a year since you posted this.. Did you figure it out? I wonder if
this is a bug in CanCan
This topic is locked and can not be replied to.