assignment.rb

class Assignment < ActiveRecord::Base
      belongs_to :user
      belongs_to :role
    end

form.rb

    <%= semantic_form_for @user do |f| %>
  <%= f.inputs do %>
    <%= f.input :email, :as => :string %>
    <%= f.input :active %>
    <%= f.fields_for :assignments do |field| %>
        <%= field.input :id, :collection => Role.all, :as => :select, :input_html => {:multiple => true} %>
    <% end %>
  <% end %>
  <%= f.actions do %>
    <%= f.action :submit, :as => :button %>
  <% end %>
<% end %>

role.rb

class Role < ActiveRecord::Base
      has_many :assignments
      has_many :users, :through => :assignments
      accepts_nested_attributes_for :assignments, :users
    end

user.rb

class User < ActiveRecord::Base
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable
     
      has_many :assignments
      has_many :roles, :through => :assignments
      accepts_nested_attributes_for :assignments, :roles
     
      def has_role?(role_name)
        roles.any? { |r| r.name == role_name }
      end
     
    end

user_controller.rb

  
    class UsersController < ApplicationController
      before_action :set_user, only: [:show, :edit, :update, :destroy]
     
      # GET /users
      # GET /users.json
      def index
        if params[:search]
          @users = User.find_all_by_email(params[:search])
        else
          @users = User.all
        end
     
        print @users.inspect
      end
     
      # GET /users/1
      # GET /users/1.json
      def show
      end
     
      # GET /users/new
      # def new
      #   @user = User.new
      # end
     
      # GET /users/1/edit
      def edit
      end
     
      # POST /users
      # POST /users.json
      # def create
      #   @user = User.new(user_params)
      #
      #   respond_to do |format|
      #     if @user.save
      #       format.html { redirect_to @user, notice: 'User was successfully created.' }
      #       format.json { render :show, status: :created, location: @user }
      #     else
      #       format.html { render :new }
      #       format.json { render json: @user.errors, status: :unprocessable_entity }
      #     end
      #   end
      # end
     
      # PATCH/PUT /users/1
      # PATCH/PUT /users/1.json
      def update
        @user = User.find(params[:id])
        respond_to do |format|
          up = user_params
          if @user.update(up)
            format.html { redirect_to users_url, notice: 'User was successfully updated.' }
            format.json { render :show, status: :ok, location: @user }
          else
            format.html { render :edit }
            format.json { render json: @user.errors, status: :unprocessable_entity }
          end
        end
      end
     
      # DELETE /users/1
      # DELETE /users/1.json
      def destroy
        @user.active = false
        @user.save
        respond_to do |format|
          format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
          format.json { head :no_content }
        end
      end
     
      private
        # Use callbacks to share common setup or constraints between actions.
        def set_user
          @user = User.find(params[:id])
        end
     
        # Never trust parameters from the scary internet, only allow the white list through.
        def user_params
          params.require(:user).permit(:email, :active,
                                       :roles_attributes => [:id,
                                       :assignments_attributes => [:id, :role_id, :user_id]])
        end
    end