Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Ruby Build a Simple Ruby on Rails Application Creating an Authentication System Generating the Devise Views

Michael Rossiter
Michael Rossiter
2,715 Points
Posted by Michael Rossiter
Michael Rossiter
2,715 Points

Rails 4.0.4

The protected params / "attr_accessible" isn't relevant for rails 4.0.4 - did not get an error (but didn't see f.labels either). When tried to add attr_accessible params in the user.rb file - got an error when loading the site.

Any thoughts on the relevance of this to newer version of Rails?

3 Answers

Naomi Freeman
STAFF
Naomi Freeman
Treehouse Guest Teacher
Naomi Freeman
Naomi Freeman
Treehouse Guest Teacher

attr_accessible doesn't exist in the new version of Rails. It has changed to strong params.

Typically, you would replace this attr_accessible line in the model with something like

    # Never trust parameters from the scary internet, only allow the white list through.
    def picture_params
      params.require(:picture).permit(:album_id, :asset, :user_id, :caption, :description, :album, :current_user, :profile_name, :user, :album_thumbnail, :title)
    end

at the bottom of the relevant controller.

However, with Devise, it's a whole other ball game. Go into your applications_controller.rb and do something like this:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_in) do |u| 
      u.permit(:profile_name, :email, :password, :first_name, :last_name, :avatar)
    end

    devise_parameter_sanitizer.for(:sign_up) do |u| 
      u.permit(:email, :password, :password_confirmation, 
               :remember_me, :first_name, :last_name, :profile_name, :full_name, :avatar)
    end

    devise_parameter_sanitizer.for(:account_update) do |u| 
      u.permit(:email, :password, :password_confirmation, :current_password,
               :remember_me, :first_name, :last_name, :profile_name, :full_name, :avatar)
    end
  end
end

You can get more specifics on the Devise github page, under Strong Parameters:

https://github.com/plataformatec/devise

Adam Kelm
Adam Kelm
29,082 Points
Adam Kelm
Adam Kelm
29,082 Points

Hi Michael, I highly suggest using the Ruby and Rails package mentioned in the lessons. With Rails 4, a number of changes made it more secure, but those differences will cause problems with the videos later.

Trust me, I learned this the hard way. If you're new to Ruby and/or Rails, you'll have a much better and less frustrating learning experience by using Rails 3.26. It's very easy to get bogged down with strange errors that Jason isn't getting, then spend hours trying to figure them out. AVOID THE PAIN! You'll thank me later.

Naomi Freeman
STAFF
Naomi Freeman
Treehouse Guest Teacher
Naomi Freeman
Naomi Freeman
Treehouse Guest Teacher

Yay :) Glad it's working! Feel free to @ me if you run into other Rails 3/4 issues (which you will). They're usually pretty small though.

Have a good one.