Fix ActiveModel::ForbiddenAttributesError in Rails
This error occurs when you pass raw params to a model create or update method without going through strong parameters. Rails requires you to call permit on parameters before mass assignment to prevent unauthorized attribute changes. Wrap your params in a method that calls require and permit.
Reading the Stack Trace
Here's what each line means:
- activemodel (7.1.3) lib/active_model/forbidden_attributes_protection.rb:33:in `sanitize_for_mass_assignment': ActiveModel checks whether the attributes hash has been permitted and raises this error if not.
- activerecord (7.1.3) lib/active_record/attribute_assignment.rb:25:in `assign_attributes': The model is trying to assign attributes from an unpermitted parameters hash.
- app/controllers/articles_controller.rb:10:in `create': The create action passes raw params directly to Article.new without calling permit.
Common Causes
1. Passing params directly to model
Using params[:article] directly instead of a strong parameters method.
  def create
    # params[:article] is an ActionController::Parameters whose permitted? is false,
    # so Article.new raises ActiveModel::ForbiddenAttributesError
    @article = Article.new(params[:article])
    @article.save!
  end
2. Forgetting to call permit
Calling require but not permit on the parameters.
  def create
    # require only checks that the :article key is present; the returned
    # Parameters object is still unpermitted, so this raises as well
    @article = Article.new(params.require(:article))
    # Missing .permit(:title, :body)
    @article.save!
  end
3. Using update with raw params
Passing unpermitted params to the update method.
  def update
    @article = Article.find(params[:id])
    # update goes through the same assign_attributes check as new, so raw
    # params raise here too
    @article.update(params[:article])
  end
The Fix
Define a private article_params method that calls require(:article).permit(...) to whitelist only the attributes you want to allow. Use this method everywhere you pass params to model methods.
Before:

  def create
    @article = Article.new(params[:article])
    @article.save!
  end

After:

  def create
    @article = Article.new(article_params)
    @article.save!
  end

  private

  # Only these keys reach the model; anything else submitted is dropped.
  def article_params
    params.require(:article).permit(:title, :body, :category)
  end
Testing the Fix
  require 'rails_helper'

  RSpec.describe ArticlesController, type: :controller do
    describe 'POST #create' do
      it 'creates an article with permitted params' do
        post :create, params: { article: { title: 'Test', body: 'Content', category: 'tech' } }
        expect(response).to have_http_status(:created)
        expect(Article.last.title).to eq('Test')
      end

      it 'does not raise ForbiddenAttributesError' do
        expect {
          post :create, params: { article: { title: 'Test', body: 'Content' } }
        }.not_to raise_error
      end
    end
  end
Run your tests:
bundle exec rspec spec/controllers/articles_controller_spec.rb
Pushing Through CI/CD
  git checkout -b fix/rails-mass-assignment
  git add app/controllers/articles_controller.rb
  git commit -m "fix: use strong parameters for article mass assignment"
  git push origin fix/rails-mass-assignment
Your CI config should look something like this:
  name: CI
  on:
    pull_request:
      branches: [main]
  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        postgres:
          image: postgres:16
          env:
            POSTGRES_PASSWORD: postgres
          ports: ['5432:5432']
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@v1
          with:
            ruby-version: '3.3'
            bundler-cache: true
        - run: bin/rails db:setup
        - run: bundle exec rspec
The Full Manual Process: 18 Steps
Here's every step you just went through to fix this one bug:
- Notice the error alert or see it in your monitoring tool
- Open the error dashboard and read the stack trace
- Identify the file and line number from the stack trace
- Open your IDE and navigate to the file
- Read the surrounding code to understand context
- Reproduce the error locally
- Identify the root cause
- Write the fix
- Run the test suite locally
- Fix any failing tests
- Write new tests covering the edge case
- Run the full test suite again
- Create a new git branch
- Commit and push your changes
- Open a pull request
- Wait for code review
- Merge and deploy to production
- Monitor production to confirm the error is resolved
Total time: 30-60 minutes. For one bug.
Or Let bugstack Fix It in Under 2 minutes
Every step above? bugstack does it automatically.
Step 1: Install the SDK
gem install bugstack
Step 2: Initialize
require 'bugstack'
Bugstack.init(api_key: ENV['BUGSTACK_API_KEY'])
Step 3: There is no step 3.
bugstack handles everything from here:
- Captures the stack trace and request context
- Pulls the relevant source files from your GitHub repo
- Analyzes the error and understands the code context
- Generates a minimal, verified fix
- Runs your existing test suite
- Pushes through your CI/CD pipeline
- Deploys to production (or opens a PR for review)
Time from error to fix deployed: Under 2 minutes.
Human involvement: zero.
Deploying the Fix (Manual Path)
- Define strong parameter methods for all controllers.
- Run the test suite to confirm models accept permitted params.
- Open a pull request.
- Wait for CI and code review.
- Merge to main and verify in staging.
Frequently Asked Questions
BugStack runs the fix through your existing test suite, generates additional edge-case tests, and validates that no other components are affected before marking it safe to deploy.
BugStack never pushes directly to production. Every fix goes through a pull request with full CI checks, so your team can review it before merging.
ForbiddenAttributesError occurs when you pass raw params to a model without calling permit at all. ActionController::UnpermittedParameters occurs when you do call permit but some submitted keys are not in the allow list; it is only raised when config.action_controller.action_on_unpermitted_parameters is set to :raise, otherwise the extra keys are silently dropped (or logged when the setting is :log).
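The following is an added example, not code from the page or from Rails itself: a small plain-Ruby model of the mechanism behind "The Fix" section and the ForbiddenAttributesError vs. UnpermittedParameters distinction above. The Params and Article classes are stand-ins that mirror the real Rails checks (the permitted? flag tested by sanitize_for_mass_assignment, and the drop-or-raise behaviour of permit); RAW is a constructed request body.

```ruby
# Stand-ins for the real exception classes; this file does not load Rails.
class ForbiddenAttributesError < StandardError; end
class UnpermittedParameters < StandardError; end

# Models ActionController::Parameters: a hash plus a permitted? flag.
class Params
  def initialize(hash, permitted: false)
    @hash, @permitted = hash.transform_keys(&:to_sym), permitted
  end
  def permitted?; @permitted; end
  def to_h; @hash.dup; end

  # params[:article] yields a nested Params object that is still unpermitted.
  def [](key)
    v = @hash[key]
    v.is_a?(Hash) ? Params.new(v) : v
  end

  # require only checks presence (KeyError otherwise); nothing gets permitted.
  def require(key)
    raise KeyError, "param is missing: #{key}" unless @hash.key?(key)
    self[key]
  end

  # permit keeps allow-listed keys and flips the flag. Extra keys are dropped,
  # or raise when on_unpermitted is :raise, mirroring the :raise setting of
  # config.action_controller.action_on_unpermitted_parameters.
  def permit(*keys, on_unpermitted: :log)
    extra = @hash.keys - keys
    raise UnpermittedParameters, "unpermitted: #{extra.join(', ')}" if !extra.empty? && on_unpermitted == :raise
    Params.new(@hash.slice(*keys), permitted: true)
  end
end

# Models a record: the same check sanitize_for_mass_assignment performs.
class Article
  attr_reader :attributes
  def initialize(attrs)
    raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
    @attributes = attrs.to_h
  end
end

# Constructed request body: the client added an :admin key the form never offered.
RAW = { article: { title: "T", body: "B", admin: true } }.freeze
def error_for; yield; nil; rescue StandardError => e; e.class; end
def raw_params_error;     error_for { Article.new(Params.new(RAW)[:article]) }; end
def require_only_error;   error_for { Article.new(Params.new(RAW).require(:article)) }; end
def permitted_attributes; Article.new(Params.new(RAW).require(:article).permit(:title, :body)).attributes; end
def raise_mode_error;     error_for { Params.new(RAW).require(:article).permit(:title, :body, on_unpermitted: :raise) }; end
```

The first two helpers reproduce the two broken controller patterns from the page, the third shows the :admin key being dropped by permit, and the last shows the same request under the :raise setting.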
attr_accessible was removed from Rails core in Rails 4. Strong parameters in the controller layer are the modern replacement and are more secure because they are context-aware: each action decides which attributes it accepts, rather than one model-wide list.