Test case demonstrating bug #5744. I think this is a major bug and should be prioritized as such.
I was unable to find the "right" way to fix this, so I am only submitting the test case.
Add failing test for association id assignment
You may be shocked to know that the first test fails. By all accounts, this works in 3.2.x.
If it works in 3.2.x you should be able to backport the fix to this branch. WDYT?
@rafaelfranca I did look and the it appears heavily refactored. I was unclear on the best way to override the setter.
Ok. The 3-0-stable branch is for security fix only. We can accepts patch that fixes bugs too, but we don't give any guarantees that the Rails core will work to fix they.
This could lead to serious security holes since active record validations and callbacks to do not reference the correct association.
For example a web form updates super_admin_id on NuclearPlant model
In Nuclear Plan:
after_save do |u|
Whoops! The old admin still has self destruct access and the new one doesn't. Old admin was fired for connections to terrorist organization, discovers he can still access self destruct. New admin doesn't have admin privileges. It's 3am. Everyone is sleeping. Boom.
If you are saying that using in a bugged feature of old Rails version is a security issue, so every issue in this tracker is a security issue.
You can upgrade to Rails 3.2 and have this issue fixed, or you can try to backport it for this branch. I think that Core team will apply, but we don't have guarantees that they are work to fix this issue, since it is fixed in the supported versions.
This PR is against a version of rails that is no longer maintained.