ActiveModel::ForbiddenAttributesError while using devise for registration

Question

I am using devise to register my users. I am customizing the create action of the registration controller, however whenever I try to create any new user it is refused and I get the mentioned error. I know I have to permit the params needed and I do so I don't understand why I keep getting the error. Below are my trials thus far.

#user model
class User < ActiveRecord::Base
    devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable, :confirmable
    belongs_to :country
    #rest of the code
end

## Custom registeration controller
class RegistrationsController < Devise::RegistrationsController
    def create
        @user = User.new(params[:user])
        if @user.save
            sign_in(@user, bypass: true)
            redirect_to user_employee_steps_path(@user),
    notice: 'A confirmation email was sent to your email, please complete your profile
            and confirm your account to start looking for potential employees'
        else
            render 'new'
        end
    end
end

#new.html.erb the view for the registration sign up
<h2>Sign up</h2>

<%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
    <%= devise_error_messages! %>

    <div><%= f.label :email %><br />
    <%= f.email_field :email, autofocus: true %></div>

    <div><%= f.label :first_name %><br />
    <%= f.text_field :first_name %></div>

    <div><%= f.label :last_name %><br />
    <%= f.text_field :last_name %></div>

    <div><%= f.label :dob, "Birthday" %><br />
    <%= f.date_select :dob, start_year: 1900, end_year: Time.now.year - 18 %></div>

    <div><%= f.label :country_id, "Country" %><br />
    <%= f.select :country_id, Country.order(name: :asc).collect { |country| [country.name, country.id] }, prompt: 'Select your country' %></div>

    <div><%= f.label :city %><br />
    <%= f.text_field :city %></div>

    <div><%= f.label :password %><br />
    <%= f.password_field :password, autocomplete: "off" %></div>

    <div><%= f.label :password_confirmation %><br />
    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>

    <div><%= f.submit "Sign up" %></div>
<% end %>

<%= render "users/shared/links" %>

#application controller where I permit params for sign up
class ApplicationController < ActionController::Base
    before_action :configure_permitted_parameters, if: :devise_controller?

    protected

    def configure_permitted_parameters
        puts '%' * 30
        devise_parameter_sanitizer.for(:sign_up) << [:first_name, :last_name, :country_id, :city, :dob]
        puts devise_parameter_sanitizer.for(:sign_up)
        puts '%' * 30
    end
end

Now whenever I create a new user I get the mentioned error in the title, and the result of the puts statement that's being published is as follows:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
email
password
password_confirmation
first_name
last_name
country_id
city
dob
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

which means that the method configure_permitted_parameters was called correctly, and the required params should be already there, so I do not understand where the problem might be?! I am really stuck on this and any help would be appreciated.

Answer 1

The problem is in this line :

@user = User.new(params[:user])

Instead, maybe you should try

@user = User.new sign_up_params

If you wish to understand better why, read more about strong parameters and Rails 4. http://weblog.rubyonrails.org/2012/3/21/strong-parameters/

Or to stick with the devise handling you can also write

build_resource sign_up_params

And then the resource variable will give you access to your user that you can save, etc...