I am new to Ruby and to Rails (using Ruby 1.9.3 and Rails 3.2.3) so I
picked up the Agile Web D. book and have been working through
it (apologies if this isn’t the correct place for this question but the
pragprog forums don’t seem to work for me). I am currently working
through the book and have reached the point where I am adding
functionality to an “Add to Cart” button. Here is the code that was
provided for the ‘create’ method in the line_item_controller:

def create

@cart = current_cart
product = Product.find(params[:product_id])
@line_item = @cart.line_items.build(product: product)

…

end

This results in the following error when I click “Add to Cart”

Can’t mass-assign protected attributes: product

Can anyone shed some light on what is going on here (my search-fu has
failed me)? The only way that I have been able to get this to work is
by changing the code (starting at @line_item) to:

@line_item = @cart.line_items.build
@line_item.product = product

Is this correct or is it just a band-aid fix that may cause issues going
forward?

Thanks,

Quoting Lucas J. [email protected]:

@cart = current_cart

Can anyone shed some light on what is going on here (my search-fu has
failed me)? The only way that I have been able to get this to work is
by changing the code (starting at @line_item) to:

@line_item = @cart.line_items.build
@line_item.product = product

Is this correct or is it just a band-aid fix that may cause issues going
forward?

This is a correct way to do it now. And probably the best way to move
forward
with the tutorial right now. The newest releases of Rails have made
mass-assign protection the default. Without it you have a security
risk. You
can learn more by Googling “Rails mass assign”. Save it for after you
complete the book.

HTH,
Jeffrey

On Apr 8, 2012, at 1:14 , Lucas J. wrote:

@cart = current_cart

Thanks,
what about use google a bit? there’s about 2.460.000 resuls for “Can’t
mass-assign protected attributes:” query

set attr_accessible in your model(s)

tom

–

Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

Thanks, Jeffrey. I just wanted to ensure that I was on the right track
and that I wasn’t setting myself up for more problems later.

Tom - I tried google first (I always do). My attributes are already set
to attr_accessible in my models (there are only three at this point),
which is why I was so confused. I’m sure there’s something I’m
overlooking but I’m not going to spend too much more time on it since I
have a working solution at this point.

On Apr 8, 3:11am, “Lucas J.” [email protected] wrote:

Thanks, Jeffrey. I just wanted to ensure that I was on the right track
and that I wasn’t setting myself up for more problems later.

Tom - I tried google first (I always do). My attributes are already set
to attr_accessible in my models (there are only three at this point),
which is why I was so confused. I’m sure there’s something I’m
overlooking but I’m not going to spend too much more time on it since I
have a working solution at this point.

If you want to be able to do line_items.build(product: p) you need to
mark product as attr_accessible too. The mass assignment stuff doesn’t
know what things are database attributes, virtual attributes,
associations etc.

Fred

maybe you miss the code in the book:

file: line_item.rb
belong_to :product
belong_to :cart

then, the line_item has the attr product.