Rails 3.2.3.rc1 has been released.

### IMPORTANT

This release changes the default value of *config.active_record.whitelist_attributes* to true. This change only affects newly generated applications, so it should not cause any backwards compatibility issues for users who are upgrading, but it may affect some tutorials and introductory material. For more information see the mass assignment section of the [ruby on rails security guide][1].

We've also adjusted the dependencies on rack-cache and mail to address the recent security vulnerabilities with those libraries. If you are running a vulnerable version of mail or rack-cache you should update both gems to a safe version. We also fixed a couple of regressions in the render method.

If there are no release blockers, then I will be releasing the final version on March 29th.
If you find something please open an issue on github and let me know through email (santiago _at_ wyeworks.com), tweet ([spastorino](http://twitter.com/spastorino)) or cc me on the github issue.

[1]: http://guides.rubyonrails.org/security.html#mass-assignment

### CHANGES since 3.2.2

*ActionMailer*

* Upgrade mail version to 2.4.3 *ML*

*ActionPack*

* Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
* Turn off verbose mode of rack-cache, we still have X-Rack-Cache to check that info. Closes #5245. *Santiago Pastorino*
* Fix #5238, rendered_format is not set when template is not rendered. *Piotr Sarnacki*
* Upgrade rack-cache to 1.2. *José Valim*
* ActionController::SessionManagement is deprecated. *Santiago Pastorino*
* Since the router holds references to many parts of the system like engines, controllers and the application itself, inspecting the route set can actually be really slow, therefore we default alias inspect to to_s. *José Valim*
* Add a new line after the textarea opening tag. Closes #393 *rafaelfranca*
* Always pass a respond block to the responder. We should let the responder decide what to do with the given overridden response block, and not short circuit it. *sikachu*
* Fixes layout rendering regression from 3.2.2. *José Valim*

*ActiveModel*

* No changes

*ActiveRecord*

* Added find_or_create_by_{attribute}! dynamic method. *Andrew White*
* Whitelist all attribute assignment by default. Change the default for newly generated applications to whitelist all attribute assignment. Also update the generated model classes so users are reminded of the importance of attr_accessible. *NZKoz*
* Update ActiveRecord::AttributeMethods#attribute_present? to return false for empty strings. *Jacobkg*
* Fix associations when using per class databases. *larskanis*
* Revert setting NOT NULL constraints in add_timestamps *fxn*
* Fix mysql to use proper text types. Fixes #3931. *kennyj*
* Fix #5069 - Protect foreign key from mass assignment through association builder. *byroot*

*ActiveResource*

* No changes

*ActiveSupport*

* No changes

*Railties*

* No changes

### SHA-1

* SHA-1 (actionmailer-3.2.3.rc1.gem) = 6e945a152d2159918f05dcf4ef72e87d4b75c2bb
* SHA-1 (actionpack-3.2.3.rc1.gem) = 1c5153c4b4865207193d7e8af9a09b493683bc55
* SHA-1 (activemodel-3.2.3.rc1.gem) = eae6bb4cc275e167eb28b35cd8b0a46466dd3c88
* SHA-1 (activerecord-3.2.3.rc1.gem) = 8a2709c7517d9d91911ad3fbfe82af19422b5e24
* SHA-1 (activeresource-3.2.3.rc1.gem) = 770a7120f8148f6391a717c03f08cdb76dcd64ac
* SHA-1 (activesupport-3.2.3.rc1.gem) = 1e89864fc28c7b8cca67eb93696f1b2ecf556b81
* SHA-1 (rails-3.2.3.rc1.gem) = b1dec2b8c59c78111479e3dc36c106e54fe11f1a
* SHA-1 (railties-3.2.3.rc1.gem) = 9fbbb616cd868d1070bf04adeda50c373550c349

You can find an exhaustive list of changes on [github](https://github.com/rails/rails/compare/v3.2.2...v3.2.3.rc1).

Thanks to everyone, this is your last chance to hold the release if something goes wrong. So please, give this release a try :).

--

Santiago Pastorino
WyeWorks Co-founder
http://www.wyeworks.com

Twitter: http://twitter.com/spastorino
Github: http://github.com/spastorino

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
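The whitelist change above is the security-relevant part of this release, so here is an added, stand-alone illustration of what it protects against. This is plain Ruby written for this page, not ActiveRecord or any code from the Rails project: the `Model`, `LegacyUser`, `User` classes, the `MassAssignment.whitelist_attributes` switch and the `TAMPERED_PARAMS` hash are all constructed stand-ins. It mimics the behaviour the announcement describes: with the global whitelist off and no `attr_accessible`, every column is assignable from request params, so a smuggled `admin=true` lands in the model; with the new default on, an undeclared whitelist means nothing is assignable until the model declares `attr_accessible` (matching the default `:logger` sanitizer of that era, protected attributes are dropped rather than raising, as the `:strict` sanitizer would).

```ruby
require 'set'

# Global switch standing in for config.active_record.whitelist_attributes
# (hypothetical module, not part of Rails).
module MassAssignment
  class << self
    attr_accessor :whitelist_attributes
  end
  self.whitelist_attributes = false
end

# Minimal model base class imitating attr_accessible semantics.
class Model
  def self.columns(*names)
    @column_names = names.map(&:to_s)
    attr_accessor(*names)
  end

  def self.column_names
    @column_names || []
  end

  def self.attr_accessible(*names)
    @accessible = Set.new(names.map(&:to_s))
  end

  # nil means the model declared no whitelist at all.
  def self.accessible
    @accessible
  end

  attr_reader :dropped   # attribute names refused during mass assignment

  def initialize(params = {})
    @dropped = []
    assign_attributes(params)
  end

  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_s
      next unless self.class.column_names.include?(key)
      if assignable?(key)
        public_send("#{key}=", value)
      else
        @dropped << key   # :logger-style sanitizer: log and drop, do not raise
      end
    end
    self
  end

  private

  def assignable?(key)
    whitelist = self.class.accessible
    # No attr_accessible declared: allowed only while the global switch is off.
    # That is the pre-3.2.3 generated-app default and the vulnerable case.
    return !MassAssignment.whitelist_attributes if whitelist.nil?
    whitelist.include?(key)
  end
end

# A model written before the change, with no whitelist.
class LegacyUser < Model
  columns :name, :email, :admin
end

# A model that follows the security guide and whitelists the safe columns.
class User < Model
  columns :name, :email, :admin
  attr_accessible :name, :email
end

# Constructed attacker-supplied params: the admin flag is smuggled in next to
# the fields the signup form legitimately exposes.
TAMPERED_PARAMS = {
  "name"  => "mallory",
  "email" => "mallory@example.com",
  "admin" => true
}.freeze

# Build a record under a given global default so the three cases can be compared.
def assign(klass, whitelist_default)
  MassAssignment.whitelist_attributes = whitelist_default
  klass.new(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy, whitelist off: admin=#{assign(LegacyUser, false).admin.inspect}"
  puts "legacy, whitelist on : dropped=#{assign(LegacyUser, true).dropped.inspect}"
  puts "attr_accessible      : dropped=#{assign(User, true).dropped.inspect}"
end
```

The middle case is the one the announcement warns tutorial authors about: a generated app now fails closed, so a model without `attr_accessible` silently assigns nothing, which is the intended reminder to declare the whitelist rather than flip the global switch back off.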
Just a minor fix, I will release the final version on March 30th

On Tue, Mar 27, 2012 at 2:17 PM, Santiago Pastorino <santiago@wyeworks.com> wrote:
> Rails 3.2.3.rc1 has been released.
<snip>
Great work, Santiago, thanks.

Rodrigo.

On 27-03-2012 14:16, Santiago Pastorino wrote:
> Rails 3.2.3.rc1 has been released.
Hi Santiago,

On Tue, Mar 27, 2012 at 12:16 PM, Santiago Pastorino <santiago-FXH7CxiqZf9Wk0Htik3J/w@public.gmane.org> wrote:
> Rails 3.2.3.rc1 has been released.
<snip>
> *ActionPack*
>
> * Do not include the authenticity token in forms where remote: true
> as ajax forms use the meta-tag value *DHH*

Could you please point me to more on this?

Thanks,
Bill

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
That seems like it breaks any kind of progressive AJAX enhancement, since a remote submit form, submitted normally, will now fail CSRF protection.

On Wednesday, 28 March 2012 04:25:14 UTC+1, bill walton wrote:
> Hi Santiago,
>
> On Tue, Mar 27, 2012 at 12:16 PM, Santiago Pastorino <REMOVED> wrote:
> > Rails 3.2.3.rc1 has been released.
> <snip>
> > *ActionPack*
> >
> > * Do not include the authenticity token in forms where remote: true
> > as ajax forms use the meta-tag value *DHH*
>
> Could you please point me to more on this?
>
> Thanks,
> Bill
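To make the progressive-enhancement concern concrete, here is an added stand-alone Ruby example, written for this page and not taken from ActionPack or the rc1 commit. It re-implements the shape of the 3.2-era forgery check (a non-GET request passes if the session token matches either the `authenticity_token` form field or the `X-CSRF-Token` header that the UJS driver copies from the `csrf-token` meta tag) and runs it over four constructed requests. `Request`, `SESSION_TOKEN`, `secure_compare` and the four request builders are hypothetical names; the constant-time comparison is a hardening choice of this example, not a claim about what Rails did.

```ruby
require 'securerandom'

# Stand-in for the per-session CSRF token the server keeps in the session.
SESSION_TOKEN = SecureRandom.base64(32)

# A request as the check sees it: HTTP verb, parsed form params and headers.
Request = Struct.new(:verb, :params, :headers) do
  def get?
    verb == "GET"
  end
end

# Constant-time string comparison; returns false for nil or length mismatch.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Modeled on the ActionPack check of that era: GETs are exempt, and a
# state-changing request is accepted when the token arrives as the hidden
# form field OR as the X-CSRF-Token header set by the ajax driver.
def verified_request?(request, session_token = SESSION_TOKEN)
  request.get? ||
    secure_compare(session_token, request.params["authenticity_token"]) ||
    secure_compare(session_token, request.headers["X-CSRF-Token"])
end

# --- constructed requests covering the cases raised in the thread ---

# remote: true form submitted by the UJS driver with JavaScript enabled:
# no hidden field needed, the header carries the meta-tag token.
def ajax_submit
  Request.new("POST", { "post[title]" => "hello" }, { "X-CSRF-Token" => SESSION_TOKEN })
end

# 3.2.2-style form (hidden field rendered) submitted as a plain POST.
def plain_submit_with_hidden_field
  Request.new("POST",
              { "post[title]" => "hello", "authenticity_token" => SESSION_TOKEN },
              {})
end

# rc1 remote: true form rendered without the hidden field, then submitted by
# a browser with JavaScript disabled: neither field nor header is present.
def plain_submit_without_token
  Request.new("POST", { "post[title]" => "hello" }, {})
end

# Cross-site POST from an attacker page: no access to the session token.
def forged_cross_site_post
  Request.new("POST", { "post[title]" => "pwned", "authenticity_token" => "guess" }, {})
end

if __FILE__ == $PROGRAM_NAME
  {
    "ajax submit (header)"          => ajax_submit,
    "plain submit, hidden field"    => plain_submit_with_hidden_field,
    "plain submit, rc1 remote form" => plain_submit_without_token,
    "forged cross-site POST"        => forged_cross_site_post
  }.each { |label, req| puts "#{label}: #{verified_request?(req) ? 'accepted' : 'rejected'}" }
end
```

The third case is the regression being pointed out: the rc1 form is safe against forgery, but a legitimate user without JavaScript is rejected exactly like the attacker, because the only channel for the token was the header the browser never set.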
This https://github.com/rails/rails/commit/84ca8c8cd07d700598e87b418370268f146b122c was merged and rc2 is coming soon.

On Wed, Mar 28, 2012 at 12:13 PM, JGW Maxwell <jgwmaxwell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> That seems like it breaks any kind of progressive AJAX enhancement, since a
> remote submit form, submitted normally, will now fail CSRF protection.
> <snip>