ruby on rails - Can't mass assign protected attributes

Question

My features file looks at this:

Given there are the following users:
    | email              | password | admin |
    | [email protected] | password | true  |

And my user model doesn't declare the admin attribute as attr_accessible to prevent mass assignment. Accordingly, I've made changes to the user_steps.rb file to tackle this.

Given /^there are the following users:$/ do |table|
  table.hashes.each do |attributes|
   unconfirmed = attributes.delete("unconfirmed") == "true"
   @user = User.create!(attributes)
   @user.update_attribute("admin", attributes["admin"] == "true")
   @user.confirm! unless unconfirmed
 end
end

Now this is supposed to work according to the book - Rails3 in action. I checked the code on their online repo as well. Running this with cucumber gives the following error:

Can't mass-assign protected attributes: admin (ActiveModel::MassAssignmentSecurity::Error)
  ./features/step_definitions/user_steps.rb:4:in `block (2 levels) in <top (required)>'
  ./features/step_definitions/user_steps.rb:2:in `each'
  ./features/step_definitions/user_steps.rb:2:in `/^there are the following users:$/'
  features/creating_projects.feature:7:in `Given there are the following users:'

Any help would be greatly appreciated. I really cant figure what's wrong here.

Thanks a lot!

Answer 1

In the user model add:

attr_accessible :admin

Update:

The admin attribute can be mass assigned and any hacker can set it easily by sending it with the parameters.