In rails 3.2.1, I have a model:

class Player < ActiveRecord::Base
  attr_accessor :password
  attr_accessible :email, :password
  attr_accessible :email, :password, :confirmed, :as => :admin
end

I keep getting a ActiveModel::MassAssignmentSecurity::Error for the following:

params[:player]
#=> {:email => "[email protected]", :password => "12345", :confirmed => true)
player = Player.new(params[:player])

Why is this happening when all I want it to do is ignore the :confirmed attribute and move on with it's business. The documentation makes it seem like I should be able to do that, but I keep getting this exception and it's really getting to me because either I am doing it wrong or the docs are wrong.

I'd love any help with this.

Comment out this line in development.rb:

config.active_record.mass_assignment_sanitizer = :strict

The strict setting will raise an error and the default setting will just log a warning.

You can configure what you want to happen when a mass assignment happens by setting Player.mass_assignment_sanitizer (or set it on ActiveRecord::Base for it to apply to all AR models)

You can also set it in your configuration files via config.active_record.mass_assignment_sanitizer

Our of the box you can set it to either :logger, which just logs when these things happen or :strict which raises exceptions. You can also provide your own custom sanitizer. The current application template sets it to strict, although that used not to be the case

Comment out this line in development.rb:

config.active_record.mass_assignment_sanitizer = :strict

The strict setting will raise an error and the default setting will just log a warning.