Forum: Ruby on Rails cancan breaks scoped mass assignment

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
969047aea93d01a9cc636e9867f4ec0f?d=identicon&s=25 Serafino Picozzi (serpico)
on 2012-03-30 20:19
Hi all,

I just installed cancan on a new project and found out that it creates
some problems with the new scoped mass assignment features of rails 3.2
.

Basically, in my User model I create some attr_accessible attributes in
order to avoid users to edit their roles or other sensitive information.
From the administration I allow admins to edit those protected
attributes by passing :without_protection => true on creation and update
of new users.

This works just fine, but adding cancan load_and_authorize_resource to
my controller triggers a "Can't mass-assign protected attributes:
...stuff..." . This happens also when using something like
User.new(params[:user], :role => :admin)

I really can't figure out how to solve this, so any help would be very
appreciated!

Thanks in advance.
Fcb2341a28711bda6c389fa6096900ab?d=identicon&s=25 Joshua Martin (josmar52789)
on 2013-01-29 18:00
(Received via mailing list)
I'm having that issue as well; I just told it to authorize_resource and
left off the load_resource.. But somehow I don't think that's actually a
fix, or even a secure way of handling things..

Almost a year since you posted this.. Did you figure it out? I wonder if
this is a bug in CanCan
This topic is locked and can not be replied to.