Can't mass-assign protected attributes when using accepts_nested_attributes_for and polymorphic

Question

I've read through lots of posts here and still cant figure this one out.

I have a forum_post model and a links model. I want to nest the links form with the forum_post form but keep getting a Can't mass-assign protected attributes: links.

ForumPost Model

class ForumPost < ActiveRecord::Base
  attr_accessible :content, :links_attributes

  has_many :links, :as => :linkable, :dependent => :destroy

  accepts_nested_attributes_for :links, :allow_destroy => true
end

Links Model

class Link < ActiveRecord::Base
  attr_accessible :description, :image_url, :link_url, :linkable_id, :linkable_type, :title

  belongs_to  :linkable, :polymorphic => true
end

Forum_post View

<%= form_for(@forum_post) do |f| %>
  <% if @forum_post.errors.any? %>
    <div id="error_explanation">
      <h2><%= pluralize(@forum_post.errors.count, "error") %> prohibited this forum_post from being saved:</h2>

      <ul>
      <% @forum_post.errors.full_messages.each do |msg| %>
        <li><%= msg %></li>
      <% end %>
      </ul>
    </div>
  <% end %>

  <div class="field">
    <%= f.label :content %><br />
    <%= f.text_area :content, :rows => 5 %>
  </div>

  <%= f.fields_for :link do |link| %>
   <%= render :partial => 'links/link', :locals => { :f => link} %>
  <% end%>

  <div class="actions">
    <%= f.submit %>
  </div>
<% end %>

Link View Partial

<div class="field">
  <%= f.label :link_url %><br />
  <%= f.text_field :link_url, :id => "url_field" %>
</div>

<div id="link_preview">
</div>

ForumPosts Controller

class ForumPostsController < ApplicationController

    def new
    @forum_post = ForumPost.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @forum_post }
    end

   def create
     @forum_post = ForumPost.new(params[:forum_post])

     respond_to do |format|
     if @forum_post.save
       format.html { redirect_to @forum_post, notice: 'Forum post was successfully created.' }
       format.json { render json: @forum_post, status: :created, location: @forum_post }
    else
      format.html { render action: "new" }
      format.json { render json: @forum_post.errors, status: :unprocessable_entity }
    end
  end
end

Links Controller

class LinksController < ApplicationController

    def find_linkable
    params.each do |name, value|
      if name =~ /(.+)_id$/
        return $1.classify.constantize.find(value)
      end
    end
    nil
  end

  def index
    @linkable = find_linkable
    @links = @linkable.links
  end

  def create
    @linkable = find_linkable
    @link = @linkable.links.build(params[:link])
    if @link.save
      flash[:notice] = "Successfully saved link."
      redirect_to :id => nil
    else
      render :action => 'new'
    end
  end

end

Answer 1

Well, according to your question the protected attributes that you can't mass-assign is :links. Not sure how that happened, but have you tried attr_accessible :links?

As for the security implications, it is the reason github got hacked once https://gist.github.com/1978249, and I would highly discourage setting whitelist_attributes to false.