mass_assignment_sanitizer and Factories w/ rspec

I'm running into a bit of an issue when it comes to using
factory_girl_rails (1.6.0) with 3.2's mass_assignment_sanitizer
= :strict and I'm hoping some one can offer me some guidance to
improve my tests.

The problem:
Say you have a test that looks like this:

it "allows you to create an object" do
  obj = # #<Object id: nil, name: "Foo
Bar", created_at: nil, updated_at: nil>
  post :create, :object => obj.attributes
  response.should be_redirect
  # yadda yadda yadda

The problem I'm running up against is that because returns a built out object that includes
protected attributes such as id, created_at and updated_at in the hash
(this is a simplified example, I have other things in the model not
listed here that are also whitelisted via attr_accessible), when I
post that hash, I receive the following error:

       Can't mass-assign protected attributes: id, created_at,

The above is a simplified example. The model looks a bit more like

class Foo < ActiveRecord::Base
  belongs_to :bar
  # a bunch of other belongs_to's here
  attr_accessible :name, :bar_id, #other belongs_to ids

Factory.define :foo do
  association :bar, :factory => :bar
  # all the other associations

I took a look through factory_girl's docs and found the following
methods for building out models:

attributes_for: doesn't go far enough because I have relations defined
on my factory that need to be built and saved so their IDs can be
assigned to the object upon its instantiation (or in the hash)

build_stubbed: gives me random values for various fields that aren't
valid. Instead of building out the associations and saving them then
assigning valid IDs, it just makes random shit up. That doesn't quite

create: obviously not the right choice when you're testing a post
action on a RESTful cotroller

build: what I'm using now, and then just passing the attributes hash
of the object. Does everything I need, except it includes attributes
that are protected, thus causing the controller to flip out.

Now, I can think of two (three actually) ways around this problem:

1) Go through my really big test base and manually remove any
attribute that's not accessible from the hash before doing a post. Not
at all maintainable and not really a realistic option, but would allow
the tests to pass.

2) Add a before_filter that sanitizes the parameters hash on create
and update actions to strip out any protected attributes by looking at
the model and seeing what its accessible attributes are. This seems
like unnecessary code bloat, though, and kind of a clunky solution to
the problem.

3) [What I really want] I need a way to get FactoryGirl to build out a
hash of attributes when it's first called to NOT include attributes
that are protected or aren't accessible, but WOULD include real object
IDs for all the defined associations. That would allow me to just call
post :create, :object => FactoryGirl.some_method(:object) and be done
with it.

Could anyone offer any insight here as to how I might go about making
this work better? Obviously I could delete the setting from test.rb
but that kind of defeats the purposes, and I like having extra strict
security measures (especially in this particular application).


In the controllers tests that are auto-generated by rspec-rails, there

is e.g. this kind of code:

describe PeopleController do

This should return the minimal set of attributes required to create a valid

Contact. As you add validations to Contact, be sure to

update the return value of this method accordingly.

def valid_attributes



describe “POST create” do

describe “with valid params” do

it “creates a new Person” do

expect {

post :create, :person => valid_attributes

}.to change(Person, :count).by(1)


In that code, I replace it by default with something like this:

def valid_attributes{|k,v| v.nil?}


Stripping the non nil attributes from the hash solves the issue.

As you show above, :id, :created_at, :update_at are (correctly) nil

after a build, so this delete_if removes them from the attributes hash.

  • I get no warnings on the :id

  • I get no violations of nil created_at /updated upon update

So, to centralize this pattern, this hack with a “build_attributes”

seems to work:

…/config/initializers$ cat generators.rb

ContactApp::Application.config.generators do |g|

g.helper false

g.test_framework :rspec, :fixture => true, :views => false

g.fixture_replacement :factory_girl, :dir => “spec/factories”


module FactoryGirl

this is a hack

def self.build_attributes(*args)*args).attributes.delete_if{|k,v| v.nil?}



And now I can do:

def valid_attributes