
Fix ActionController::UnpermittedParameters: found unpermitted parameters: :admin, :role in Rails

This error means your controller received parameters that are not listed in your strong parameters permit list. Rails blocks unpermitted params to prevent mass assignment attacks. Add the missing parameters to your permit call if they are safe, or remove them from the form if they should not be submitted.

Reading the Stack Trace

ActionController::UnpermittedParameters (found unpermitted parameters: :admin, :role):
  actionpack (7.1.3) lib/action_controller/metal/strong_parameters.rb:292:in `unpermitted_parameters!'
  actionpack (7.1.3) lib/action_controller/metal/strong_parameters.rb:620:in `permit'
  app/controllers/users_controller.rb:42:in `user_params'
  app/controllers/users_controller.rb:12:in `create'
  actionpack (7.1.3) lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
  actionpack (7.1.3) lib/abstract_controller/base.rb:224:in `process_action'

Here's what each line means:

  1. The first line names the exception class and lists the exact keys that were rejected (:admin and :role).
  2. strong_parameters.rb:292 `unpermitted_parameters!` is the Rails check that compared the submitted keys against the permit list and raised.
  3. strong_parameters.rb:620 `permit` is the permit call that ran that check.
  4. app/controllers/users_controller.rb:42 `user_params` is your code: this is the permit list that needs updating.
  5. app/controllers/users_controller.rb:12 `create` is the action that called user_params.
  6. The remaining basic_implicit_render.rb and abstract_controller/base.rb frames are Rails dispatch internals and can be ignored.

Common Causes

1. Missing parameters in permit list

The form sends admin and role fields but the controller permit list does not include them.

def user_params
  params.require(:user).permit(:name, :email)
  # :admin and :role are submitted but not permitted
end

2. Form includes sensitive fields

A form inadvertently includes admin-level fields that should not be mass-assignable.

<%= form_with model: @user do |f| %>
  <%= f.text_field :name %>
  <%= f.email_field :email %>
  <%= f.check_box :admin %>
  <%= f.select :role, ['user', 'admin'] %>
  <%= f.submit %>
<% end %>

3. API client sending extra fields

An API consumer sends additional fields in the JSON payload that the controller does not expect.

# Client sends: POST /users { user: { name: 'Alice', email: 'a@b.com', admin: true, role: 'superadmin' } }
def user_params
  params.require(:user).permit(:name, :email)
end

The Fix

Add :role to the permit list since it is a valid user-editable field. Keep :admin excluded because it is a privileged attribute that should only be set by administrators through a separate admin controller.

Before (broken)

def user_params
  params.require(:user).permit(:name, :email)
end

After (fixed)

def user_params
  params.require(:user).permit(:name, :email, :role)
  # :admin is intentionally excluded for security
end

Testing the Fix

require 'rails_helper'

RSpec.describe UsersController, type: :controller do
  describe 'POST #create' do
    it 'creates a user with permitted params' do
      post :create, params: { user: { name: 'Alice', email: 'alice@example.com', role: 'editor' } }
      expect(response).to have_http_status(:created)
      expect(User.last.role).to eq('editor')
    end

    it 'ignores admin parameter' do
      # Passes with the test-environment default action_on_unpermitted_parameters = :log,
      # where :admin is dropped; with :raise, assert raise_error(ActionController::UnpermittedParameters) instead.
      post :create, params: { user: { name: 'Alice', email: 'alice@example.com', admin: true } }
      expect(User.last.admin).to be_falsey
    end
  end
end

Run your tests:

bundle exec rspec spec/controllers/users_controller_spec.rb

Pushing Through CI/CD

git checkout -b fix/rails-strong-params
git add app/controllers/users_controller.rb spec/controllers/users_controller_spec.rb
git commit -m "fix: permit role param and keep admin excluded in strong params"
git push origin fix/rails-strong-params

Your CI config should look something like this:

name: CI
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_PASSWORD: postgres
        ports: ['5432:5432']
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
      - run: bin/rails db:setup
      - run: bundle exec rspec

The Full Manual Process: 18 Steps

Here's every step you just went through to fix this one bug:

  1. Notice the error alert or see it in your monitoring tool
  2. Open the error dashboard and read the stack trace
  3. Identify the file and line number from the stack trace
  4. Open your IDE and navigate to the file
  5. Read the surrounding code to understand context
  6. Reproduce the error locally
  7. Identify the root cause
  8. Write the fix
  9. Run the test suite locally
  10. Fix any failing tests
  11. Write new tests covering the edge case
  12. Run the full test suite again
  13. Create a new git branch
  14. Commit and push your changes
  15. Open a pull request
  16. Wait for code review
  17. Merge and deploy to production
  18. Monitor production to confirm the error is resolved

Total time: 30-60 minutes. For one bug.

Or Let bugstack Fix It in Under 2 minutes

Every step above? bugstack does it automatically.

Step 1: Install the SDK

gem install bugstack

Step 2: Initialize

require 'bugstack'

Bugstack.init(api_key: ENV['BUGSTACK_API_KEY'])

Step 3: There is no step 3.

bugstack handles everything from here:

  1. Captures the stack trace and request context
  2. Pulls the relevant source files from your GitHub repo
  3. Analyzes the error and understands the code context
  4. Generates a minimal, verified fix
  5. Runs your existing test suite
  6. Pushes through your CI/CD pipeline
  7. Deploys to production (or opens a PR for review)

Time from error to fix deployed: Under 2 minutes.

Human involvement: zero.


Deploying the Fix (Manual Path)

  1. Review which parameters should be user-editable versus admin-only.
  2. Update the permit list and add controller tests.
  3. Run the full test suite locally.
  4. Open a pull request for review.
  5. Merge and verify in staging.

Frequently Asked Questions

BugStack runs the fix through your existing test suite, generates additional edge-case tests, and validates that no other components are affected before marking it safe to deploy.

BugStack never pushes directly to production. Every fix goes through a pull request with full CI checks, so your team can review it before merging.

Never use params.permit! in production. It disables mass assignment protection entirely. Always explicitly list permitted parameters.

Create separate strong parameter methods for each role, such as user_params and admin_user_params, and call the appropriate one based on the current user's role.
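The following is an added example, not code from this page or from Rails, that shows the allowlist mechanics behind The Fix above together with the per-role user_params / admin_user_params split this FAQ recommends. It uses a minimal pure-Ruby stand-in for ActionController::Parameters (require, permit, permit!) so it runs without a Rails app; the Params and UsersController classes, the USER_FIELDS and ADMIN_FIELDS lists and the current_user hash are assumptions of the example. One caveat worth knowing: the exception this guide fixes is raised only when config.action_controller.action_on_unpermitted_parameters is set to :raise; the Rails default logs the dropped keys in development and test and silently drops them in production, which the action_on_unpermitted option below models.

```ruby
# Added example: a simplified stand-in for ActionController::Parameters so the
# allowlist behaviour can be run without Rails. Real apps use Rails' class;
# the method names mirror it, the internals are deliberately minimal.

class UnpermittedParameters < StandardError; end

class Params
  # action_on_unpermitted mirrors
  # config.action_controller.action_on_unpermitted_parameters (:log or :raise).
  def initialize(hash, action_on_unpermitted: :log, log: [])
    @hash = hash.transform_keys(&:to_sym)
    @action = action_on_unpermitted
    @log = log # collects "found unpermitted parameters" messages in :log mode
  end

  attr_reader :log

  # params.require(:user) -> the nested hash, or an error if it is absent/empty
  def require(key)
    value = @hash[key.to_sym]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise KeyError, "param is missing or the value is empty: #{key}"
    end
    Params.new(value, action_on_unpermitted: @action, log: @log)
  end

  # Allowlist filter: keys not in `allowed` are dropped (:log) or rejected (:raise).
  def permit(*allowed)
    allowed = allowed.map(&:to_sym)
    unpermitted = @hash.keys - allowed
    unless unpermitted.empty?
      msg = "found unpermitted parameters: #{unpermitted.map { |k| ":#{k}" }.join(', ')}"
      raise UnpermittedParameters, msg if @action == :raise
      @log << msg
    end
    @hash.slice(*allowed)
  end

  # permit! passes every key through, :admin included. This is why the FAQ
  # says never to use it in production.
  def permit!
    @hash.dup
  end
end

class UsersController
  USER_FIELDS  = %i[name email role].freeze         # what any signed-in user may set
  ADMIN_FIELDS = (USER_FIELDS + %i[admin]).freeze  # only administrators may set :admin

  # current_user is a constructed stand-in for the authenticated user record.
  def initialize(current_user:, raw_params:, action_on_unpermitted: :log)
    @current_user = current_user
    @params = Params.new(raw_params, action_on_unpermitted: action_on_unpermitted)
  end

  # Stand-in for the create action: returns the attributes that would reach
  # User.create plus any dropped-key warnings, instead of touching a database.
  def create
    attrs = @current_user[:admin] ? admin_user_params : user_params
    { attributes: attrs, warnings: @params.log }
  end

  private

  def user_params
    @params.require(:user).permit(*USER_FIELDS)
  end

  def admin_user_params
    @params.require(:user).permit(*ADMIN_FIELDS)
  end
end

# What permit! would let through for the same request (for comparison only).
def unsafe_permit_all(raw_params)
  Params.new(raw_params).require(:user).permit!
end

if __FILE__ == $0
  # Constructed request body matching the API-client cause in the guide.
  body = { user: { name: 'Alice', email: 'a@b.com', admin: true, role: 'superadmin' } }
  p UsersController.new(current_user: { admin: false }, raw_params: body).create
  p UsersController.new(current_user: { admin: true },  raw_params: body).create
  begin
    UsersController.new(current_user: { admin: false }, raw_params: body,
                        action_on_unpermitted: :raise).create
  rescue UnpermittedParameters => e
    puts "raised: #{e.message}"
  end
end
```

Running it shows the three outcomes a practitioner should expect: a non-admin caller gets :admin dropped with a logged warning, an admin caller goes through admin_user_params and keeps :admin, and the same non-admin request under :raise produces exactly the "found unpermitted parameters: :admin" error from the stack trace. unsafe_permit_all returns :admin untouched, which is the mass-assignment exposure the FAQ warns about.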