I have read about 10 different posts here about this problem, and I have tried every single one and the error will not go away. So here goes: I am trying to have a nested form on my users/new page, where it accepts user-attributes and also company-attributes. When you submit the form: Here's what my error message reads: ActiveModel::MassAssignmentSecurity::Error in UsersController#create Can't mass-assign protected attributes: companies app/controllers/users_controller.rb:12:in `create' Here's the code for my form: <%= form_for @user do |f| %> <%= render 'shared/error_messages', object: f.object %> <%= f.fields_for :companies do |c| %> <%= c.label :name, "Company Name"%> <%= c.text_field :name %> <% end %> <%= f.label :name %> <%= f.text_field :name %> <%= f.label :email %> <%= f.text_field :email %> <%= f.label :password %> <%= f.password_field :password %> <%= f.label :password_confirmation %> <%= f.password_field :password_confirmation %> <br> <% if current_page?(signup_path) %> <%= f.submit "Sign Up", class: "btn btn-large btn-primary" %> Or, <%= link_to "Login", login_path %> <% else %> <%= f.submit "Update User", class: "btn btn-large btn-primary" %> <% end %> <% end %> Users Controller: class UsersController < ApplicationController def index @user = User.all end def new @user = User.new end def create @user = User.create(params[:user]) if @user.save session[:user_id] = @user.id #once user account has been created, a session is not automatically created. This fixes that by setting their session id. This could be put into Controller action to clean up duplication. flash[:success] = "Your account has been created!" redirect_to tasks_path else render 'new' end end def show @user = User.find(params[:id]) @tasks = @user.tasks end def edit @user = User.find(params[:id]) end def update @user = User.find(params[:id]) if @user.update_attributes(params[:user]) flash[:success] = @user.name.possessive + " profile has been updated" redirect_to @user else render 'edit' end #if @task.update_attributes params[:task] #redirect_to users_path #flash[:success] = "User was successfully updated." #end end def destroy @user = User.find(params[:id]) unless current_user == @user @user.destroy flash[:success] = "The User has been deleted." end redirect_to users_path flash[:error] = "Error. You can't delete yourself!" end end Company Controller class CompaniesController < ApplicationController def index @companies = Company.all end def new @company = Company.new end def edit @company = Company.find(params[:id]) end def create @company = Company.create(params[:company]) #if @company.save #session[:user_id] = @user.id #once user account has been created, a session is not automatically created. This fixes that by setting their session id. This could be put into Controller action to clean up duplication. #flash[:success] = "Your account has been created!" #redirect_to tasks_path #else #render 'new' #end end def show @comnpany = Company.find(params[:id]) end end User model class User < ActiveRecord::Base has_secure_password attr_accessible :name, :email, :password, :password_confirmation has_many :tasks, dependent: :destroy belongs_to :company accepts_nested_attributes_for :company validates :name, presence: true, length: { maximum: 50 } VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i validates :email, presence: true, format: { with: VALID_EMAIL_REGEX }, uniqueness: { case_sensitive: false } validates :password, length: { minimum: 6 } #below not needed anymore, due to has_secure_password #validates :password_confirmation, presence: true end Company Model class Company < ActiveRecord::Base attr_accessible :name has_and_belongs_to_many :users end Thanks for your help!!