
#4457 ✓committed
Marc-André Lafortune

find_or_create_by_foo when foo is protected attribute

Reported by Marc-André Lafortune | April 22nd, 2010 @ 05:19 PM | in 2.3.6

I understand that for security reasons it is a good idea that methods like find_or_create_by_foo(params) do not write on protected attributes.

I question the rationale for not writing on foo, though, even if it is protected.

1) find_or_create_by_foo is used to get a record that matches the given value for foo. If it won't write foo because it is protected, it doesn't fulfill its purpose.

2) foo is specified explicitly by the developer. I would take that as an 'ok' to write on that field.

3) With current behavior, one must specify foo twice to get the desired result:

    find_or_create_by_foo(:foo => "bar", :baz => "baz") {|r| r.foo = "bar" }

Not very DRY

Typical case is where foo is actually a foo_id... Typically you want to protect that (usually doesn't change after creation, especially not from a params web request).

Thanks
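
The reported behaviour and the requested behaviour side by side, as an added example that is not part of the original ticket and is not Rails code. `Widget`, `PROTECTED`, `STORE`, the `admin` attribute and both `find_or_create_*` method names are hypothetical; the class is a plain-Ruby model of mass-assignment filtering, not ActiveRecord.

```ruby
# Simplified in-memory stand-in for an ActiveRecord 2.3 model (constructed for
# this example, not Rails code). Only mass-assignment filtering is modelled.
class Widget
  PROTECTED = [:foo, :admin].freeze  # plays the role of attr_protected
  STORE = []                         # stands in for the table

  attr_accessor :foo, :baz, :admin

  # Mass assignment: protected keys are dropped unless listed in `trusted`.
  def assign(attrs, trusted = [])
    attrs.each do |key, value|
      next if PROTECTED.include?(key) && !trusted.include?(key)
      public_send("#{key}=", value)
    end
    self
  end

  def self.find_by_foo(value)
    STORE.find { |record| record.foo == value }
  end

  # Reported behaviour: foo passes through the same filter as every other key,
  # so it is only set if the caller repeats it in the block.
  def self.find_or_create_filtered(attrs)
    find_by_foo(attrs[:foo]) || begin
      record = new.assign(attrs)
      yield record if block_given?
      STORE << record
      record
    end
  end

  # Requested behaviour: only the key named by the finder is trusted; any other
  # protected key in the same hash (here :admin) is still filtered out.
  def self.find_or_create_trusting_finder_key(attrs)
    find_by_foo(attrs[:foo]) || begin
      record = new.assign(attrs, [:foo])
      STORE << record
      record
    end
  end
end
```

Limiting the trust to the finder's own key means a hash that also carries `:admin` still cannot set it.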


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
