
How is attr_accessible used in Rails 4?


Rails 4 now uses strong parameters.

Protecting attributes is now done in the controller. This is an example:

    class PeopleController < ApplicationController
      def create
        Person.create(person_params)
      end

      private

      # Only :name and :age may be mass-assigned; any other submitted key is dropped.
      def person_params
        params.require(:person).permit(:name, :age)
      end
    end

No need to set attr_accessible in the model anymore.

Dealing with accepts_nested_attributes_for

In order to use accepts_nested_attributes_for with strong parameters, you will need to specify which nested attributes should be whitelisted.

    class Person < ActiveRecord::Base
      has_many :pets
      accepts_nested_attributes_for :pets
    end

    class PeopleController < ApplicationController
      def create
        Person.create(person_params)
      end

      # ...

      private

      # The nested pets_attributes keys must be listed explicitly as well.
      def person_params
        params.require(:person).permit(:name, :age, pets_attributes: [:name, :category])
      end
    end

Keywords are self-explanatory, but just in case, you can find more information about strong parameters in the Rails Action Controller guide.

Note: If you still want to use attr_accessible, you need to add protected_attributes to your Gemfile. Otherwise, you will be faced with a RuntimeError.
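
To make the filtering in the answer above concrete, here is an added example that is not part of the original answer and is not Rails' own code: a simplified pure-Ruby model of allowlist filtering applied to a constructed request containing keys the controller never permitted. The names require_key, permit_keys, MissingParam and SAMPLE_REQUEST are hypothetical.

```ruby
# Added illustration: a simplified pure-Ruby model of allowlist filtering in the
# style of params.require(...).permit(...). This is NOT Rails' implementation.
class MissingParam < StandardError; end

# Hypothetical helper modelling require(key): fail when the key is absent or empty.
def require_key(params, key)
  value = params[key.to_s]
  empty = value.nil? || (value.respond_to?(:empty?) && value.empty?)
  raise MissingParam, "param is missing or empty: #{key}" if empty
  value
end

# Hypothetical helper modelling permit: a symbol allows one scalar value; a hash
# entry such as pets_attributes: [:name] allows nested records, filtered in turn.
def permit_keys(params, *filters)
  filters.each_with_object({}) do |filter, out|
    if filter.is_a?(Hash)
      filter.each do |key, nested|
        case (value = params[key.to_s])
        when Array # JSON-style list of records
          out[key.to_s] = value.grep(Hash).map { |rec| permit_keys(rec, *nested) }
        when Hash  # form-style hash keyed by index: {"0" => {...}}
          records = value.select { |_, rec| rec.is_a?(Hash) }
          out[key.to_s] = records.transform_values { |rec| permit_keys(rec, *nested) }
        end
      end
    elsif params.key?(filter.to_s)
      value = params[filter.to_s]
      # Arrays and hashes are dropped unless declared as nested above.
      out[filter.to_s] = value unless value.is_a?(Hash) || value.is_a?(Array)
    end
  end
end

# Constructed sample request body; "admin" and "owner_id" are not allowlisted.
SAMPLE_REQUEST = {
  "person" => {
    "name" => "Ann", "age" => "31", "admin" => "true",
    "pets_attributes" => [{ "name" => "Rex", "category" => "dog", "owner_id" => "1" }]
  }
}.freeze

# Mirrors the person_params method from the answer above.
def person_params(request)
  permit_keys(require_key(request, :person),
              :name, :age, pets_attributes: [:name, :category])
end

p person_params(SAMPLE_REQUEST)
```

The unlisted "admin" and "owner_id" keys never reach the model, and leaving pets_attributes out of the filter list drops the nested records entirely.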


If you prefer attr_accessible, you could use it in Rails 4 too. You should install it as a gem:

    gem 'protected_attributes'

After that, you could use attr_accessible in your models as in Rails 3.

Also, and I think this is the best way, you can use form objects for dealing with mass assignment and saving nested objects, and you can also use the protected_attributes gem that way:

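    class NestedForm
      include ActiveModel::MassAssignmentSecurity

      attr_accessible :name, :telephone, as: :create_params

      def create_objects(params)
        # sanitize_for_mass_assignment is the filter that MassAssignmentSecurity
        # provides; it keeps only the attributes accessible for the given role.
        SomeModel.new(sanitize_for_mass_assignment(params, :create_params))
      end
    end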


We can use

    params.require(:person).permit(:name, :age)

where person is the model. You can put this code in a method person_params and use it in place of params[:person] in the create method or another method.