author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2012-09-19 15:52:13 -0700 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2012-09-19 15:52:13 -0700 |
commit | c4111ec5f84a549c759a154de9f5822b66d95385 (patch) | |
tree | 97cc4edeed9f39f28f2ba17cf92583f5ea5e598e | |
parent | 7c2d33bd86768233335ec630302d3ffa879425ac (diff) | |
parent | 1f4c89fbde85a07cb3eba9888eb1f9f226d3a1f0 (diff) | |
Merge pull request #7707 from guilleiguaran/changelogs-update
Update changelogs to add entries about strong_parameters integration
-rw-r--r-- | actionpack/CHANGELOG.md | 14 |
-rw-r--r-- | activemodel/CHANGELOG.md | 11 |
-rw-r--r-- | activerecord/CHANGELOG.md | 14 |
-rw-r--r-- | railties/CHANGELOG.md | 11 |
4 files changed, 50 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 7212e3a289..9f0f214137 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,5 +1,19 @@ ## Rails 4.0.0 (unreleased) ## +* Add `ActionController::StrongParameters`, this module converts `params` hash into + an instance of ActionController::Parameters that allows whitelisting of permitted + parameters. Non-permitted parameters are forbidden to be used in Active Model by default + For more details check the documentation of the module or the + [strong_parameters gem](https://github.com/rails/strong_parameters) + + *DHH + Guillermo Iguaran* + +* Remove Integration between `attr_accessible`/`attr_protected` and + `ActionController::ParamsWrapper`. ParamWrapper now wraps all the parameters returned + by the class method attribute_names + + *Guillermo Iguaran* + * Fix #7646, the log now displays the correct status code when an exception is raised. *Yves Senn* diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index d7041055a4..2c966943ee 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,5 +1,16 @@ ## Rails 4.0.0 (unreleased) ## +* Add `ActiveModel::ForbiddenAttributesProtection`, a simple module to + protect attributes from mass assignment when non-permitted attributes are passed. + + *DHH + Guillermo Iguaran* + +* `ActiveModel::MassAssignmentSecurity` has been extracted from Active Model and the + `protected_attributes` gem should be added to Gemfile in order to use + `attr_accessible` and `attr_protected` macros in your models. + + *Guillermo Iguaran* + * Due to a change in builder, nil values and empty strings now generates closed tags, so instead of this: diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index b064d6f511..756a0d7196 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
@@ -1,5 +1,19 @@ ## Rails 4.0.0 (unreleased) ## +* `ActiveModel::ForbiddenAttributesProtection` is included by default + in Active Record models. Check the docs of `ActiveModel::ForbiddenAttributesProtection` + for more details. + + *Guillermo Iguaran* + +* Remove integration between Active Record and + `ActiveModel::MassAssignmentSecurity`, `protected_attributes` gem + should be added to use `attr_accessible`/`attr_protected`. Mass + assignment options has been removed from all the AR methods that + used it (ex. AR::Base.new, AR::Base.create, AR::Base#update_attributes, etc) + + *Guillermo Iguaran* + * Fix the return of querying with an empty hash. Fix #6971. diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 1c28ac7476..acd2077c2d 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,5 +1,16 @@ ## Rails 4.0.0 (unreleased) ## +* Add `config.action_controller.permit_all_parameters` to disable + StrongParameters protection, it's false by default. + + *Guillermo Iguaran* + +* Remove `config.active_record.whitelist_attributes` and + `config.active_record.mass_assignment_sanitizer` from new applications since + MassAssignmentSecurity has been extracted from Rails. + + *Guillermo Iguaran* + * Change `rails new` and `rails plugin new` generators to name the `.gitkeep` files as `.keep` in a more SCM-agnostic way. |
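Review bot: in actionpack/CHANGELOG.md, the `ActionController::StrongParameters` entry has no period after "by default", so the sentence runs straight into "For more details"; it also leaves ActionController::Parameters without backticks while the other class names have them. In the second entry the module is called "ParamWrapper" one line after being spelled `ActionController::ParamsWrapper`, "Integration" is capitalised mid-sentence, and `attribute_names` should be in backticks. Because the wrapped hash is no longer narrowed by `attr_accessible`/`attr_protected`, a sentence saying so explicitly would help anyone upgrading.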
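Review bot: in activemodel/CHANGELOG.md, the `ActiveModel::ForbiddenAttributesProtection` entry says it protects "when non-permitted attributes are passed" but never says what the caller observes. State whether the assignment raises or the attributes are silently dropped, since that is the first thing an upgrading application will hit. The `ActiveModel::MassAssignmentSecurity` entry would read more clearly as two sentences: one saying the module has been extracted, and one telling readers to add the `protected_attributes` gem to the Gemfile to keep using `attr_accessible` and `attr_protected`.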
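Review bot: in activerecord/CHANGELOG.md, the second entry has a subject-verb mismatch ("Mass assignment options has been removed" should be "have been removed"), uses "ex." where "e.g." is meant, and ends without a period after the parenthesis. The method list abbreviates to AR::Base.new, AR::Base.create and AR::Base#update_attributes without backticks; spelling these as `ActiveRecord::Base.new` and so on would match the rest of the file. The first entry names `ActiveModel::ForbiddenAttributesProtection` twice in two lines, and "Check its docs for more details" would be enough for the second mention.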
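Review bot: in railties/CHANGELOG.md, the `config.action_controller.permit_all_parameters` entry joins two sentences with a comma ("to disable StrongParameters protection, it's false by default") and does not make clear that the setting turns the protection off for the whole application. Suggest splitting it and putting the default in backticks, for example "It is `false` by default.", and adding a short note on the scope of the switch. The second entry says the two `config.active_record` settings are removed "from new applications" but gives no guidance for existing applications that still set them; one sentence on that would close the gap.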