find_or_ methods not being overridden
aripollak opened this issue
In Rails 3.2, find_or_initialize_by(foo: :bar) and find_or_create_by(foo: :bar) bypassed mass-assignment protection. With Rails 4.1 and protected_attributes, those still raise mass assignment errors, but where(foo: :bar).first_or_initialize and where(foo: :bar).first_or_create work as expected.
Is this intentional, or was it just accidentally not supported?
It seems more accidentally not supported.
Does this help? https://github.com/rails/activerecord-deprecated_finders
@stevenkolstad Nope, that's just to bring back the dynamic finders, which find_or_*_by doesn't fall under.
In fact I think it makes sense for these methods to not bypass the mass-assignment protection, or it will lead to security problems in the application.
@rafaelfranca shouldn't they at least be consistent? I'm not sure that keeping one protected and leaving the other unprotected would be a worse security risk than leaving both unprotected.
You mean where.first_or_initialize and find_or_initialize_by behaving in the same way?
You mean where.first_or_initialize and find_or_initialize_by behaving in the same way?
Yeah, exactly.
In fact I'm fine with them behaving differently since they are not the same thing, but it should be documented.