Fix #5847 and #4045. Force load AR::Base before loading an application model. #5994

Closed. Wants to merge 631 commits.

Contributor

kennyj commented Apr 26, 2012

I'm submitting to master.
The original PR was #5879.
We should load active_record/base before loading some application models.

/cc @jonleighton

tenderlove and others added some commits Feb 20, 2012

Merge pull request #5096 from lawso017/master
Restoring ability to derive id/sequence from tables with nonstandard sequences for primary keys
Merge pull request #5084 from johndouthat/patch-1
Remove reference to rails_legacy_mapper, which isn't compatible with 3.2...
Merge pull request #5087 from pwnall/no_view_logger
Remove reference to config.action_view.logger from Rails configuration guide
Merge pull request #4834 from sskirby/fix_usage_of_psql_in_db_test_prepare

Fix usage of psql in db:test:prepare
Fixing Windows asset tag helper test failure
In asset_tag_helper_test.rb there is an assert on the number of bytes in a
concatenated file.  This test failed because Windows converts \n to \r\n as
the default for "w".  This is different than in *nix systems where there is
no conversion done.

The test that failed was test_caching_stylesheet_link_tag_when_caching_on

Using bin mode fixes this behavior on windows and makes no change on the
*nix systems.
Revert "No need to pass options which is never used"
Options is needed for some Rails extensions to determine when
referential integrity should be disabled

This reverts commit bcb466c.

Fixes #5052
Merge pull request #5190 from rafaelfranca/fix-393-3-2-stable
[3-2-stable] Add a new line after the textarea opening tag.
Merge pull request #5206 from kennyj/fix_5173-32
[3-2-stable] Fix type_to_sql with text and limit on mysql/mysql2. Fix GH #3931
Merge branch '3-2-stable-security' into 3-2-2
* 3-2-stable-security:
  Ensure [] respects the status of the buffer.
  delete vulnerable AS::SafeBuffer#[]
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
Merge branch '3-2-2' into 3-2-stable
* 3-2-2:
  bumping to 3.2.2
  Ensure [] respects the status of the buffer.
  Merge pull request #4834 from sskirby/fix_usage_of_psql_in_db_test_prepare
  Merge pull request #5084 from johndouthat/patch-1
  updating RAILS_VERSION
  delete vulnerable AS::SafeBuffer#[]
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
revert setting NOT NULL constraints in add_timestamps
Commit 3dbedd2 added NOT NULL constraints both to table
creation and modification. For creation the new default
makes sense, but the generic situation for changing a
table is that there exist records. Those records have
no creation or modification timestamps, and in the
general case you don't even know them, so when updating
a table these constraints are not going to work. See
a bug report for this use case in #3334.
Stop SafeBuffer#clone_empty from issuing warnings
Logic in clone_empty method was dealing with old @dirty variable, which
has changed by @html_safe in this commit:
139963c

This was issuing a "not initialized variable" warning - related to:
#5237

The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
only log an error if there is a logger. fixes #5226
Conflicts:

	activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
CSS fix for guides. Closing #5028 [ci skip]
In Ubuntu Chrome, in the last lines of code blocks, the underscore isn't
visible. Increasing the line height slightly seems to fix this. This
problem doesn't exist in Firefox even on Ubuntu. Too lazy to test in
any other OS-browser combo :)
fix associations when using per class databases
would get ConnectionNotEstablished error because it always tried to use
ActiveRecord::Base's connection, even though it should be using the connection
of the model whose context we're operating in
Whitelist all attribute assignment by default.
Change the default for newly generated applications to whitelist all attribute assignment.  Also update the generated model classes so users are reminded of the importance of attr_accessible.
Contributor

yaroslav commented on 06a3a8a Mar 4, 2012

Thanks! Guess the change in config/application.rb would be enough, but people tend to create a shitstorm instead.

Contributor

parndt replied Mar 4, 2012

Was this really intended for 3-2-stable?

Contributor

larzconwell replied Mar 4, 2012

Looks great! I like it!

Contributor

fnando replied Mar 4, 2012

\m/

Awesome.

@stevenh512 thanks for the info! Looks like :without_protection is what I'm looking for.

Contributor

stevenh512 replied Mar 7, 2012

@andyvb I was thinking more of the scoped attr_accessible that Rails 3.1 gives us (attr_accessible :attr1, :attr2, :as => :admin), but yeah, :without_protection would also work and would probably be more backwards compatible. For 3.0 and earlier there's also a Railscast that teaches how to do something similar to 3.1's scoped attr_accessible.

What about *_ids methods?

Lot of people use attr_protected for keys and flags, simply because it is easier to blacklist a few fields than to whitelist the rest.

How many of them ever used *_ids method to be aware of that? This is not even documented at http://guides.rubyonrails.org/security.html#countermeasures.

This SHOULD be protected by default in next release.
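As an added illustration of the blacklist-versus-whitelist point raised above (this is not code from Rails or from this PR): a plain-Ruby stand-in for attr_protected and attr_accessible. The Post class, its attribute list, the `role_ids` association writer and the params hash are all constructed for the example. A blacklist that only names `admin` lets a user-supplied `role_ids` through; a whitelist of the form fields does not.

```ruby
# Added example: plain-Ruby model of Rails 3.x mass-assignment protection.
# It is NOT ActiveModel::MassAssignmentSecurity; it only mimics the two
# filtering strategies so the difference is visible without a Rails install.
# Constructed for the example: the Post class, ATTRIBUTES, and PARAMS.

class Post
  # Two columns, one flag, and one has_many writer (role_ids=) that is
  # assignable through mass assignment even though it is not a column.
  ATTRIBUTES = %w[title body admin role_ids].freeze

  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Blacklist, like attr_protected: everything NOT listed is assignable.
  def assign_with_blacklist(params, protected_keys)
    allowed = params.reject { |k, _| protected_keys.include?(k.to_s) }
    apply(allowed)
  end

  # Whitelist, like attr_accessible: ONLY listed keys are assignable.
  def assign_with_whitelist(params, accessible_keys)
    allowed = params.select { |k, _| accessible_keys.include?(k.to_s) }
    apply(allowed)
  end

  private

  def apply(params)
    params.each do |key, value|
      key = key.to_s
      next unless ATTRIBUTES.include?(key) # unknown keys are silently dropped
      @attributes[key] = value
    end
    @attributes
  end
end

# Constructed request parameters: a "role_ids" key rides along with the
# form fields the developer expected.
PARAMS = { "title" => "hello", "body" => "text", "role_ids" => [1] }.freeze

# Developer blacklisted the obvious flag but forgot the *_ids writer.
def blacklisted_result
  Post.new.assign_with_blacklist(PARAMS, %w[admin])
end

# Developer whitelisted only the form fields; role_ids never reaches apply.
def whitelisted_result
  Post.new.assign_with_whitelist(PARAMS, %w[title body])
end

if __FILE__ == $PROGRAM_NAME
  p blacklisted_result # role_ids slipped through
  p whitelisted_result # only title and body
end
```

The whitelist form is what the "Whitelist all attribute assignment by default" commit in this PR's commit list turns on for new applications: new, unlisted writers such as `*_ids=` are then rejected unless the developer adds them explicitly.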

That'll do.

spastorino and others added some commits Apr 4, 2012

Merge pull request #5188 from jlxw/patch-1
logger.silence is deprecated
Merge pull request #5737 from rafaelfranca/3-2-stable
Fix tests of benchmark with silence equals to true
Merge pull request #5765 from anildigital/3-2-stable
Update getting started guide to change Rails version to Rails 3.2
Merge pull request #5784 from rafaelfranca/default_url-3-2
[3-2-stable] Document that default_url_options must return a hash with symbolized keys
bigdecimal can be duped on Ruby 2.0
Conflicts:

	activesupport/test/core_ext/duplicable_test.rb
Merge pull request #5800 from arunagw/bigdecimal_dup
Backport BigDecimal#duplicable? feature check from master
Merge pull request #5820 from arunagw/more_ruby-2-0-fixes
Update test for Ruby 2 compatibility
Add missing require in Active Support time zones (fixes #5854)
I also removed the other require as it's already present in
`activesupport/core_ext/time/calculations`
multi_json is restricted to < 1.3
Some API changes are there above 1.3. 
3-2-stable
Merge pull request #5861 from arunagw/multi_json_fix_3-2-stable
Restrict multi_json to >= 1.0, < 1.3 to avoid API changes in 1.3
converting some tests to assert_raises, and DRY'ing retrieve_variable changes

Conflicts:

	actionpack/test/template/render_test.rb
Merge pull request #5874 from asanghi/3-2-stable
replace ruby-debug19 with debugger on Rails 3-2 stable
Revert "Fix #5667. Preloading should ignore scoping."
Causes a subtle regression where record.reload includes the default
scope. Hard to reproduce in isolation. Seems like the relation is
getting infected by some previous usage.

This reverts commit dffbb52.
Removes caching from ActiveRecord::Core::ClassMethods#relation
The #relation method gets called in four places and the return value was instantly cloned in three of them. The only place that did not clone was ActiveRecord::Scoping::Default::ClassMethods#unscoped. This introduced a bug described in #5667 and should really clone the relation, too. This means all four places would clone the relation, so it doesn't make a lot of sense caching it in the first place.

The four places with calls to relations are:

activerecord/lib/active_record/scoping/default.rb:110:in `block in build_default_scope'
activerecord/lib/active_record/scoping/default.rb:42:in `unscoped'
activerecord/lib/active_record/scoping/named.rb:38:in `scoped'
activerecord/lib/active_record/scoping/named.rb:52:in `scope_attributes'

Conflicts:

	activerecord/lib/active_record/core.rb
Adds test to check that circular preloading does not modify Model.unscoped (as described in #5667)

Conflicts:

	activerecord/test/cases/associations/eager_test.rb
Revert "Revert "Fix #5667. Preloading should ignore scoping.""
This reverts commit 1166d49.

Conflicts:

	activerecord/test/cases/associations/eager_test.rb
Merge pull request #5898 from benedikt/3-2-stable
Readds the fix for #5667 and back ports the regression fix from #5718
Be sure to correctly fetch PK name from MySQL even if the PK has some custom option

Backports #5900

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
Only include Rake::DSL if it's defined.
rake < 0.9 doesn't define Rake::DSL.
Merge pull request #5896 from sferik/revert_5861
Revert #5861. Feature-detect which MultiJson API to use.
Merge pull request #5935 from arunagw/readme_fixes_3-2-stable
As ARes is removed from master then 3-2-stable URL should be in README.
Merge pull request #5936 from arunagw/other_readme_fixes
Updated other README to point 3-2-stable
Merge pull request #5919 from joevandyk/rake-dsl-fix
Only include Rake::DSL if it's defined (Rake >= 0.9)
Merge pull request #5866 from tiegz/minor_fixes_3-2-stable
Catch nil.to_sym errors in partial_renderer, and raise ArgumentError instead
Fix broken test from the earlier merge conflict
Seriously people, please run the test before submitting pull request.
Merge pull request #5946 from sikachu/3-2-stable-fix-merge-conflict
Fix broken test from the earlier merge conflict
Merge pull request #5968 from sikachu/3-2-stable-backport
Backport workarounds for Mocha behavior changes.
Merge pull request #5971 from carlosantoniodasilva/fix-build-3-2
Add extra order clause to fix failing test on Ruby 1.8.7
Contributor

kennyj commented Apr 26, 2012

Sorry, I made a mistake ;-(

@kennyj kennyj closed this Apr 26, 2012

@tenderlove this is prob a dumb question, but just wanted to make sure that shift is intended for binds and not *binds? I noticed just now that this to_sql method will alter the binds param for anything that uses binds after this is called.

Owner

tenderlove replied May 2, 2012

Yes, the shift is intended for binds. Binds is a list of tuples, so the * is for expanding the tuple for the quote method.
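To make the shift-versus-splat question above concrete, here is an added example (not Rails' own to_sql): a hypothetical `to_sql` that fills `?` placeholders from a binds list of `[column, value]` tuples. `binds.shift` pops one tuple off the caller's array and `*tuple` expands it into the two arguments of a constructed `quote` helper. The mutating form drains the caller's binds, which is the side effect the question points at; the copying form works on `binds.dup` so the caller's list survives.

```ruby
# Added example: hypothetical placeholder substitution, not Rails code.
# Constructed for the example: quote, the sample SQL, and the binds list.

# Minimal quoting for the example: integers bare, nil as NULL, strings
# single-quoted with embedded quotes doubled. Not a general SQL quoter.
def quote(column_name, value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Mutating form: binds.shift removes the tuple from the caller's array,
# then *tuple expands [column, value] into quote's two parameters.
def to_sql_mutating(sql, binds)
  sql.gsub("?") { quote(*binds.shift) }
end

# Non-mutating form: shift from a copy so the caller's binds are untouched
# and can be reused by whatever runs after to_sql.
def to_sql_copying(sql, binds)
  remaining = binds.dup
  sql.gsub("?") { quote(*remaining.shift) }
end

# Runs both forms on the same constructed statement and reports how many
# tuples the caller still holds afterwards.
def demo
  sql = "SELECT * FROM users WHERE id = ? AND name = ?"

  binds = [["id", 7], ["name", "O'Brien"]]
  mutated_sql = to_sql_mutating(sql, binds)
  left_after_mutating = binds.size # 0: the array was drained

  binds = [["id", 7], ["name", "O'Brien"]]
  copied_sql = to_sql_copying(sql, binds)
  left_after_copying = binds.size # 2: caller's array intact

  [mutated_sql, copied_sql, left_after_mutating, left_after_copying]
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

Both forms produce the same statement; the difference is only visible to code that reuses `binds` after the call, which is exactly the case the question describes.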
