rails / protected_attributes

Protect attributes from mass-assignment in ActiveRecord models.

find_or_ methods not being overridden

aripollak opened this issue · comments

In Rails 3.2, find_or_initialize_by(foo: :bar) and find_or_create_by(foo: :bar) bypassed mass-assignment protection. With Rails 4.1 and protected_attributes, those still raise mass assignment errors, but where(foo: :bar).first_or_initialize and where(foo: :bar).first_or_create work as expected.

Is this intentional, or was it just accidentally not supported?
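To make the distinction in the report concrete, here is an added, stand-alone Ruby simulation (not code from rails/protected_attributes or ActiveRecord) of an `attr_accessible` whitelist and of the two finder paths being compared. Path 1 mirrors the Rails 3.2 behaviour described above, where `find_or_initialize_by` writes the conditions straight onto the new record; path 2 routes the conditions through protected assignment the way `where(...).first_or_initialize` is reported to. `ToyRecord`, `MassAssignmentError`, the in-memory `TABLE` and the sample params are assumptions made for this illustration, not ActiveRecord API.

```ruby
# Added example: stand-alone simulation of mass-assignment protection on a
# find-or-initialize style finder. ToyRecord, MassAssignmentError and TABLE are
# hypothetical names for this illustration, not ActiveRecord/protected_attributes API.

class MassAssignmentError < StandardError; end

class ToyRecord
  TABLE = []                      # constructed in-memory "table" (empty)
  ACCESSIBLE = [:email].freeze    # stands in for attr_accessible :email

  attr_reader :attributes

  def initialize
    @attributes = { email: nil, admin: false }
  end

  # Strict protection: any key outside the whitelist raises instead of being
  # silently dropped, which is what the issue reports protected_attributes doing.
  def assign_attributes(attrs)
    protected_keys = attrs.keys - ACCESSIBLE
    unless protected_keys.empty?
      raise MassAssignmentError,
            "Can't mass-assign protected attributes: #{protected_keys.join(', ')}"
    end
    attrs.each { |k, v| @attributes[k] = v }
    self
  end

  def self.lookup(conds)
    TABLE.find { |r| conds.all? { |k, v| r.attributes[k] == v } }
  end

  # Path 1: the bypass described for Rails 3.2. Conditions are copied onto the
  # new record with no sanitization, so a protected key such as :admin sticks.
  def self.find_or_initialize_by_unprotected(conds)
    found = lookup(conds)
    return found if found
    rec = new
    conds.each { |k, v| rec.attributes[k] = v }   # no whitelist check here
    rec
  end

  # Path 2: the protected equivalent of where(conds).first_or_initialize.
  # The same conditions go through assign_attributes, so :admin raises.
  def self.first_or_initialize_protected(conds)
    found = lookup(conds)
    return found if found
    new.assign_attributes(conds)
  end
end

# Constructed attacker-controlled params: a harmless email plus a
# privilege-escalation key that is not on the whitelist.
PARAMS = { email: "mallory@example.com", admin: true }.freeze

# Returns the admin flag the unprotected finder ends up with (true: escalated).
def unprotected_result
  ToyRecord.find_or_initialize_by_unprotected(PARAMS).attributes[:admin]
end

# Returns :no_error if the protected finder accepted the params, else the error message.
def protected_result
  ToyRecord.first_or_initialize_protected(PARAMS)
  :no_error
rescue MassAssignmentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected finder sets admin = #{unprotected_result.inspect}"
  puts "protected finder: #{protected_result}"
end
```

The point for reviewers of either finder path is the same: whatever is passed as conditions is attacker-controllable when it comes from request params, so it has to pass through the same sanitizer as `new`/`create`, or a `find_or_initialize_by(params[:user])` call becomes an escalation primitive.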

It seems more accidentally not supported.

@stevenkolstad Nope, that's just to bring back the dynamic finders, which find_or_*_by doesn't fall under.

In fact I think it makes sense for these methods not to bypass the mass-assignment protection, or it will lead to security problems in the application.

@rafaelfranca shouldn't they at least be consistent? I'm not sure that keeping one protected and leaving the other unprotected would be a worse security risk than leaving both unprotected.

You mean where. first_or_initialize and find_or_initialize_by behaving in the same way?

Yeah, exactly.

In fact I'm fine with them behaving differently since they are not the same thing, but it should be documented.