Along with this release, you're also going to see several bug fixes and enhancements to the Rails framework, coming from many contributors, that have been discussed here over the previous weeks and even a few that are mentioned just below.
Security updates
Michael Koziarski posted fixes (here and here) for cleaning and verifying multibyte (unicode) strings. The problem was reported by Brian Mastenbrook and Manfred Stienstra provided input for the fix. These changes should disallow malformed unicode strings from getting past the HTML escaping logic provided by the form helpers.Coda Hale reported and also added a patch to Rails, fixing a timing attack vulnerability in
ActiveSupport::MessageVerifier. Although not likely to be exploited in the wild, the vulnerability may allow an attacker to forge the signatures which encode your application's cookie store. If successfully broken, an attacker could modify their session objects without altering your application to the change.There have been some issues reported around the Rails 2.3.4 release, specifically with regard to Ruby 1.9 support. While they have not all yet been fully substantiated, this certainly underscores the importance of having proper test coverage and both a staging and production environment for your applications.
Down to the metal
Yehuda Katz and Carl Lerche put in quite a bit of work aroundActionController::Metal and Rack's Middleware, recently. ActionController::Metal now acts as a Rack middleware and at the same time, there is a new ActionController::Middleware class that operates as normal Rack middleware.And, if that wasn't enough, Yehuda went on to add
ActiveModel::Lint. ActiveModel::Lint allows you to determine whether or not an object is compliant with the ActiveModel API, via: ActiveModel::Compliance.test(object)
If Metal is your thing, you may want to take a look at Yehuda Katz's recent blog post, How to Build Sinatra on Rails 3.
Pour some sugar on me
Quite a few changes, small and large, occurred around ActiveRecord and friends. Most of these cleaned up some existing functionality, either making it easier to use, perform more closely to what would be expected, or even adding some new features that will soon feel like old friends.Taryn East added a little ActiveRecord-like love to ActiveResource. In this patch, ActiveResource received the familiar
first, last, and all shortcut methods for wrapping the basic find method.Proc and symbol support was added to the
validates_numericality_of ActiveRecord validation, by Kane.For those of you who use the
:anchor option when generating URLs, you may notice that after this patch by Jeffrey Hardy, Rails will now execute the to_param method on the object provided as an :anchor. @post = Post.first
@comment = Comment.first
post_url(@post, :anchor => @comment) # => http://www.example.com/posts/1#comment-1
:anchor options to follow a similar functionality as the other options provided when generating URLs.José Valim cleaned up some bits in the Rails scaffold. The generated
new and edit views will now reference a new _form partial. This is a much DRYer way to go about it, and more closely follows what would likely happen if you were to code it yourself. Also, while he was there, he removed a bit of inline CSS (specifically, a green flash message), in favor of a CSS class and updating the default scaffold stylesheet.And, probably the most interesting change in this group is the addition of a new
ActivRecord#previous_changes method, by Scott Barr. previous_changes allows you to see what changed before the last save in your local ActiveRecord object instance. This is particularly useful when calling after_save methods which might need to know what exactly had changed. I'll let him give you a code sample: person = Person.find_by_name('bob')
person.name = 'robert'
person.changes # => {'name' => ['bob, 'robert']}
person.save
person.changes # => {}
person.previous_changes # => {'name' => ['bob, 'robert']}
person.reload
person.previous_changes # => {}
Okay, let's do it your way
While a lot of us prefer US English, we (begrudgingly) recognize that we aren't always the center of the universe. As such, there are some more localization updates to report in Edge Rails:Sven Fuchs added localization support to the ActiveRecord::RecordInvalid exception's error message. Then, Akira Matsuda followed Sven with support for localizing the SELECT tag helper's prompt text (the default being, "Please select").
Finally, this is certainly a welcome addition and potentially a major player in localization support within Rails: Antonio Tapiador del Dujo added a patch which allows Rails plugins to define and maintain their own locale files. All that is necessary for the plugin developer to do is to provide a
config/locales/ directory within their plugin and then create their own .rb or .yml files (i.e. en.yml). That means that plugins can now be much more responsible for their own localization support and do not have to modify the application's locale files after installation.Food for thought
Finally, just a small note that the default, preferred table collation for MySQL has been changed. Previously, Rails defaulted toutf8_general_ci when either the database or the table creation script did not dictate otherwise. Now, that has been changed to utf8_unicode_ci. Certainly worth a note with so many Rails applications using MySQL in their back-end.Update: Set the attribution of
previous_changes to Scott Barr. Sorry, Scott!
