-rw-r--r-- | actionpack/CHANGELOG.md | 60
-rw-r--r-- | activemodel/lib/active_model/validations/callbacks.rb | 8
-rw-r--r-- | activerecord/CHANGELOG.md | 4
-rw-r--r-- | activerecord/lib/active_record/railtie.rb | 2
-rw-r--r-- | activerecord/test/cases/callbacks_test.rb | 49
-rw-r--r-- | guides/source/active_record_validations_callbacks.md | 19
-rw-r--r-- | guides/source/debugging_rails_applications.md | 4
-rw-r--r-- | guides/source/documents.yaml | 4
-rw-r--r-- | guides/source/performance_testing.md | 3
-rw-r--r-- | guides/source/security.md | 137
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/application.rb | 1
-rw-r--r-- | railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb | 2
-rw-r--r-- | railties/lib/rails/rack/logger.rb | 2
-rw-r--r-- | railties/test/generators/scaffold_controller_generator_test.rb | 2
14 files changed, 199 insertions, 98 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index be33b5cd38..ceaff1a3f4 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -91,26 +91,26 @@ end end -* Add automatic template digests to all CacheHelper#cache calls (originally spiked in the cache_digests plugin) *DHH* +* Add automatic template digests to all `CacheHelper#cache` calls (originally spiked in the cache_digests plugin) *DHH* * When building a URL fails, add missing keys provided by Journey. Failed URL generation now returns a 500 status instead of a 404. *Richard Schneeman* -* Deprecate availbility of ActionView::RecordIdentifier in controllers by default. +* Deprecate availbility of `ActionView::RecordIdentifier` in controllers by default. It's view specific and can be easily included in controller manually if someone - really needs it. RecordIdentifier will be removed from ActionController::Base - in Rails 4.1 *Piotr Sarnacki* + really needs it. RecordIdentifier will be removed from `ActionController::Base` + in Rails 4.1. *Piotr Sarnacki* -* Fix ActionView::RecordIdentifier to work as a singleton *Piotr Sarnacki* +* Fix `ActionView::RecordIdentifier` to work as a singleton. *Piotr Sarnacki* -* Deprecate Template#mime_type, it will be removed in Rails 4.1 in favor of #type. +* Deprecate `Template#mime_type`, it will be removed in Rails 4.1 in favor of `#type`. *Piotr Sarnacki* -* Move vendored html-scanner from action_controller to action_view directory. If you +* Move vendored html-scanner from `action_controller` to `action_view` directory. If you require it directly, please use 'action_view/vendor/html-scanner', reference to - 'action_controller/vendor/html-scanner' will be removed in Rails 4.1 *Piot Sarnacki* + 'action_controller/vendor/html-scanner' will be removed in Rails 4.1. *Piot Sarnacki* * Fix handling of date selects when using both disabled and discard options. Fixes #7431. 
@@ -121,12 +121,12 @@ Setting `config.session_store` to `:active_record_store` will no longer work and will break if the `activerecord-session_store` gem isn't available. *Prem Sichanugrist* -* Fix select_tag when option_tags is nil. +* Fix `select_tag` when `option_tags` is nil. Fixes #7404. *Sandeep Ravichandran* -* Add Request#formats=(extensions) that lets you set multiple formats directly in a prioritized order *DHH* +* Add `Request#formats=(extensions)` that lets you set multiple formats directly in a prioritized order. Example of using this for custom iphone views with an HTML fallback: @@ -139,6 +139,7 @@ end end + *DHH* * Add Routing Concerns to declare common routes that can be reused inside others resources and routes. @@ -170,9 +171,9 @@ *DHH + Rafael Mendonça França* -* Add start_hour and end_hour options to the select_hour helper. *Evan Tann* +* Add `start_hour` and `end_hour` options to the `select_hour` helper. *Evan Tann* -* Raises an ArgumentError when the first argument in `form_for` contain `nil` +* Raises an `ArgumentError` when the first argument in `form_for` contain `nil` or is empty. *Richard Schneeman* @@ -214,9 +215,9 @@ *Armand du Plessis* -* Fixed issue with where Digest authentication would not work behind a proxy. *Arthur Smith* +* Fixed issue with where digest authentication would not work behind a proxy. *Arthur Smith* -* Added ActionController::Live. Mix it in to your controller and you can +* Added `ActionController::Live`. Mix it in to your controller and you can stream data to the client live. For example: class FooController < ActionController::Base 
@@ -232,7 +233,9 @@ end end -* Remove ActionDispatch::Head middleware in favor of Rack::Head. *Santiago Pastorino* + *Aaron Patterson* + +* Remove `ActionDispatch::Head` middleware in favor of `Rack::Head`. *Santiago Pastorino* * Deprecate `:confirm` in favor of `:data => { :confirm => "Text" }` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. @@ -272,7 +275,7 @@ *Jeremy Friesen* -* Make possible to use a block in button_to helper if button text is hard +* Make possible to use a block in `button_to` if the button text is hard to fit into the name parameter, e.g.: <%= button_to [:make_happy, @user] do %> 
@@ -475,27 +478,28 @@ * Add `:format` option to number_to_percentage *Rodrigo Flores* -* Add `config.action_view.logger` to configure logger for ActionView. *Rafael Mendonça França* +* Add `config.action_view.logger` to configure logger for Action View. *Rafael Mendonça França* -* Deprecated ActionController::Integration in favour of ActionDispatch::Integration +* Deprecated `ActionController::Integration` in favour of `ActionDispatch::Integration`. -* Deprecated ActionController::IntegrationTest in favour of ActionDispatch::IntegrationTest +* Deprecated `ActionController::IntegrationTest` in favour of `ActionDispatch::IntegrationTest`. -* Deprecated ActionController::PerformanceTest in favour of ActionDispatch::PerformanceTest +* Deprecated `ActionController::PerformanceTest` in favour of `ActionDispatch::PerformanceTest`. -* Deprecated ActionController::AbstractRequest in favour of ActionDispatch::Request +* Deprecated `ActionController::AbstractRequest` in favour of `ActionDispatch::Request`. -* Deprecated ActionController::Request in favour of ActionDispatch::Request +* Deprecated `ActionController::Request` in favour of `ActionDispatch::Request`. -* Deprecated ActionController::AbstractResponse in favour of ActionDispatch::Response +* Deprecated `ActionController::AbstractResponse` in favour of `ActionDispatch::Response`. -* Deprecated ActionController::Response in favour of ActionDispatch::Response +* Deprecated `ActionController::Response` in favour of `ActionDispatch::Response`. -* Deprecated ActionController::Routing in favour of ActionDispatch::Routing +* Deprecated `ActionController::Routing` in favour of `ActionDispatch::Routing`. -* check_box helper with :disabled => true will generate a disabled hidden field to conform with the HTML convention where disabled fields are not submitted with the form. - This is a behavior change, previously the hidden tag had a value of the disabled checkbox. 
- *Tadas Tamosauskas* +* `check_box helper` with `:disabled => true` will generate a disabled + hidden field to conform with the HTML convention where disabled fields are + not submitted with the form. This is a behavior change, previously the hidden + tag had a value of the disabled checkbox. *Tadas Tamosauskas* * `favicon_link_tag` helper will now use the favicon in app/assets by default. *Lucas Caton* diff --git a/activemodel/lib/active_model/validations/callbacks.rb b/activemodel/lib/active_model/validations/callbacks.rb index bf3fe7ff04..c153ef4309 100644 --- a/activemodel/lib/active_model/validations/callbacks.rb +++ b/activemodel/lib/active_model/validations/callbacks.rb @@ -56,7 +56,8 @@ module ActiveModel options = args.last if options.is_a?(Hash) && options[:on] options[:if] = Array(options[:if]) - options[:if].unshift("self.validation_context == :#{options[:on]}") + options[:on] = Array(options[:on]) + options[:if].unshift("#{options[:on]}.include? self.validation_context") end set_callback(:validation, :before, *args, &block) end @@ -92,7 +93,10 @@ module ActiveModel options = args.extract_options! options[:prepend] = true options[:if] = Array(options[:if]) - options[:if].unshift("self.validation_context == :#{options[:on]}") if options[:on] + if options[:on] + options[:on] = Array(options[:on]) + options[:if].unshift("#{options[:on]}.include? self.validation_context") + end set_callback(:validation, :after, *(args << options), &block) end end diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 04b67cdf3a..344ee6416d 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,5 +1,9 @@ ## Rails 4.0.0 (unreleased) ## +* Allow before and after validations to take an array of lifecycle events + + *John Foley* + * Support for specifying transaction isolation level If your database supports setting the isolation level for a transaction, you can set 
diff --git a/activerecord/lib/active_record/railtie.rb b/activerecord/lib/active_record/railtie.rb index a9f80ccd5f..41b3386c00 100644 --- a/activerecord/lib/active_record/railtie.rb +++ b/activerecord/lib/active_record/railtie.rb @@ -82,7 +82,7 @@ module ActiveRecord if cache.version == ActiveRecord::Migrator.current_version ActiveRecord::Model.connection.schema_cache = cache else - warn "schema_cache.dump is expired. Current version is #{ActiveRecord::Migrator.current_version}, but cache version is #{cache.version}." + warn "Ignoring db/schema_cache.dump because it has expired. The current schema version is #{ActiveRecord::Migrator.current_version}, but the one in the cache is #{cache.version}." end end end diff --git a/activerecord/test/cases/callbacks_test.rb b/activerecord/test/cases/callbacks_test.rb index deeef3a3fd..7457bafd4e 100644 --- a/activerecord/test/cases/callbacks_test.rb +++ b/activerecord/test/cases/callbacks_test.rb @@ -137,6 +137,32 @@ class OnCallbacksDeveloper < ActiveRecord::Base end end +class ContextualCallbacksDeveloper < ActiveRecord::Base + self.table_name = 'developers' + + before_validation { history << :before_validation } + before_validation :before_validation_on_create_and_update, :on => [ :create, :update ] + + validate do + history << :validate + end + + after_validation { history << :after_validation } + after_validation :after_validation_on_create_and_update, :on => [ :create, :update ] + + def before_validation_on_create_and_update + history << "before_validation_on_#{self.validation_context}".to_sym + end + + def after_validation_on_create_and_update + history << "after_validation_on_#{self.validation_context}".to_sym + end + + def history + @history ||= [] + end +end + class CallbackCancellationDeveloper < ActiveRecord::Base self.table_name = 'developers' 
@@ -285,6 +311,17 @@ class CallbacksTest < ActiveRecord::TestCase ], david.history end + def test_validate_on_contextual_create + david = ContextualCallbacksDeveloper.create('name' => 'David', 'salary' => 1000000) + assert_equal [ + :before_validation, + :before_validation_on_create, + :validate, + :after_validation, + :after_validation_on_create + ], david.history + end + def test_update david = CallbackDeveloper.find(1) david.save @@ -344,6 +381,18 @@ class CallbacksTest < ActiveRecord::TestCase ], david.history end + def test_validate_on_contextual_update + david = ContextualCallbacksDeveloper.find(1) + david.save + assert_equal [ + :before_validation, + :before_validation_on_update, + :validate, + :after_validation, + :after_validation_on_update + ], david.history + end + def test_destroy david = CallbackDeveloper.find(1) david.destroy diff --git a/guides/source/active_record_validations_callbacks.md b/guides/source/active_record_validations_callbacks.md index e5957d8acb..f32c1050ce 100644 --- a/guides/source/active_record_validations_callbacks.md +++ b/guides/source/active_record_validations_callbacks.md @@ -995,6 +995,25 @@ class User < ActiveRecord::Base end ``` +Callbacks can also be registered to only fire on certain lifecycle events: +<ruby> +class User < ActiveRecord::Base + before_validation :normalize_name, :on => :create + + # :on takes an array as well + after_validation :set_location, :on => [ :create, :update ] + + protected + def normalize_name + self.name = self.name.downcase.titleize + end + + def set_location + self.location = LocationService.query(self) + end +end +</ruby> + It is considered good practice to declare callback methods as protected or private. If left public, they can be called from outside of the model and violate the principle of object encapsulation. Available Callbacks diff --git a/guides/source/debugging_rails_applications.md b/guides/source/debugging_rails_applications.md index 9f8a3d942c..3651ec5ad8 100644 
--- a/guides/source/debugging_rails_applications.md +++ b/guides/source/debugging_rails_applications.md @@ -708,10 +708,8 @@ There are some Rails plugins to help you to find errors and debug your applicati * [Footnotes](https://github.com/josevalim/rails-footnotes:) Every Rails page has footnotes that give request information and link back to your source via TextMate. * [Query Trace](https://github.com/ntalbott/query_trace/tree/master:) Adds query origin tracing to your logs. -* [Query Stats](https://github.com/dan-manges/query_stats/tree/master:) A Rails plugin to track database queries. -* [Query Reviewer](http://code.google.com/p/query-reviewer/:) This rails plugin not only runs "EXPLAIN" before each of your select queries in development, but provides a small DIV in the rendered output of each page with the summary of warnings for each query that it analyzed. +* [Query Reviewer](https://github.com/nesquena/query_reviewer:) This rails plugin not only runs "EXPLAIN" before each of your select queries in development, but provides a small DIV in the rendered output of each page with the summary of warnings for each query that it analyzed. * [Exception Notifier](https://github.com/smartinez87/exception_notification/tree/master:) Provides a mailer object and a default set of templates for sending email notifications when errors occur in a Rails application. -* [Exception Logger](https://github.com/defunkt/exception_logger/tree/master:) Logs your Rails exceptions in the database and provides a funky web interface to manage them. References ---------- diff --git a/guides/source/documents.yaml b/guides/source/documents.yaml index 2acdcca39c..0b22423798 100644 --- a/guides/source/documents.yaml +++ b/guides/source/documents.yaml 
@@ -146,6 +146,10 @@ work_in_progress: true description: This guide helps in upgrading applications to latest Ruby on Rails versions. - + name: Ruby on Rails 4.0 Release Notes + url: 4_0_release_notes.html + description: Release notes for Rails 4.0. + - name: Ruby on Rails 3.2 Release Notes url: 3_2_release_notes.html description: Release notes for Rails 3.2. diff --git a/guides/source/performance_testing.md b/guides/source/performance_testing.md index 528b9c35b3..f111ce610f 100644 --- a/guides/source/performance_testing.md +++ b/guides/source/performance_testing.md @@ -658,9 +658,8 @@ Useful Links ### Rails Plugins and Gems * [Rails Analyzer](http://rails-analyzer.rubyforge.org) -* [Palmist](http://www.flyingmachinestudios.com/programming/announcing-palmist) * [Rails Footnotes](https://github.com/josevalim/rails-footnotes/tree/master) -* [Query Reviewer](https://github.com/dsboulder/query_reviewer/tree/master) +* [Query Reviewer](https://github.com/nesquena/query_reviewer) * [MiniProfiler](http://www.miniprofiler.com) ### Generic Tools diff --git a/guides/source/security.md b/guides/source/security.md index 3a6a894695..0186386059 100644 --- a/guides/source/security.md +++ b/guides/source/security.md 
@@ -375,18 +375,25 @@ The common admin interface works like this: it's located at www.example.com/admi Mass Assignment --------------- -WARNING: _Without any precautions `Model.new(params[:model]`) allows attackers to set any database column's value._ +WARNING: _Without any precautions `Model.new(params[:model]`) allows attackers to set +any database column's value._ -The mass-assignment feature may become a problem, as it allows an attacker to set any model's attributes by manipulating the hash passed to a model's `new()` method: +The mass-assignment feature may become a problem, as it allows an attacker to set +any model's attributes by manipulating the hash passed to a model's `new()` method: ```ruby def signup - params[:user] # => {:name => “ow3ned”, :admin => true} + params[:user] # => {:name=>"ow3ned", :admin=>true} @user = User.new(params[:user]) end ``` -Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the `new` method, or `assign_attributes=` a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this: +Mass-assignment saves you much work, because you don't have to set each value +individually. Simply pass a hash to the `new` method, or `assign_attributes=` +a hash value, to set the model's attributes to the values in the hash. The +problem is that it is often used in conjunction with the parameters (params) +hash available in the controller, which may be manipulated by an attacker. +He may do so by changing the URL like this: ``` http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1 
@@ -395,12 +402,19 @@ http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1 This will set the following parameters in the controller: ```ruby -params[:user] # => {:name => “ow3ned”, :admin => true} +params[:user] # => {:name=>"ow3ned", :admin=>true} ``` -So if you create a new user using mass-assignment, it may be too easy to become an administrator. +So if you create a new user using mass-assignment, it may be too easy to become +an administrator. -Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the `attributes=` method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3. The `accepts_nested_attributes_for` declaration provides us the ability to extend mass assignment to model associations (`has_many`, `has_one`, `has_and_belongs_to_many`). For example: +Note that this vulnerability is not restricted to database columns. Any setter +method, unless explicitly protected, is accessible via the `attributes=` method. +In fact, this vulnerability is extended even further with the introduction of +nested mass assignment (and nested object forms) in Rails 2.3. The +`accepts_nested_attributes_for` declaration provides us the ability to extend +mass assignment to model associations (`has_many`, `has_one`, +`has_and_belongs_to_many`). For example: ```ruby class Person < ActiveRecord::Base 
@@ -414,77 +428,84 @@ Note that this vulnerability is not restricted to database columns. Any setter m end ``` -As a result, the vulnerability is extended beyond simply exposing column assignment, allowing attackers the ability to create entirely new records in referenced tables (children in this case). +As a result, the vulnerability is extended beyond simply exposing column +assignment, allowing attackers the ability to create entirely new records +in referenced tables (children in this case). ### Countermeasures -To avoid this, Rails provides two class methods in your Active Record class to control access to your attributes. The `attr_protected` method takes a list of attributes that will not be accessible for mass-assignment. For example: +To avoid this, Rails provides an interface for protecting attributes from +end-user assignment called Strong Parameters. This makes Action Controller +parameters forbidden until they have been whitelisted, so you will have to +make a conscious choice about which attributes to allow for mass assignment +and thus prevent accidentally exposing that which shouldn’t be exposed. -```ruby -attr_protected :admin -``` - -`attr_protected` also optionally takes a role option using :as which allows you to define multiple mass-assignment groupings. If no role is defined then attributes will be added to the :default role. +NOTE. Before Strong Parameters arrived, mass-assignment protection was a +model's task provided by Active Model. This has been extracted to the +[ProtectedAttributes](https://github.com/rails/protected_attributes) +gem. In order to use `attr_accessible` and `attr_protected` helpers in +your models, you should add `protected_attributes` to your Gemfile. -```ruby -attr_protected :last_login, :as => :admin -``` +Why we moved mass-assignment protection out of the model and into +the controller? 
The whole point of the controller is to control the +flow between user and application, including authentication, authorization, +and, as part of that, access control. -A much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because _it takes a list of attributes that will be accessible_. All other attributes will be protected. This way you won't forget to protect attributes when adding new ones in the course of development. Here is an example: +Strong Parameters provides two methods to the `params` hash to control +access to your attributes: `require` and `permit`. The former is used +to mark parameters as required and the latter limits which attributes +should be allowed for mass updating using the slice pattern. For example: ```ruby -attr_accessible :name -attr_accessible :name, :is_admin, :as => :admin -``` - -If you want to set a protected attribute, you will to have to assign it individually: +def signup + params[:user] + # => {:name=>"ow3ned", :admin=>true} + permitted_params = params.require(:user).permit(:name) + # => {:name=>"ow3ned"} -```ruby -params[:user] # => {:name => "ow3ned", :admin => true} -@user = User.new(params[:user]) -@user.admin # => false # not mass-assigned -@user.admin = true -@user.admin # => true + @user = User.new(permitted_params) +end ``` -When assigning attributes in Active Record using `attributes=` the :default role will be used. To assign attributes using different roles you should use `assign_attributes` which accepts an optional :as options parameter. If no :as option is provided then the :default role will be used. You can also bypass mass-assignment security by using the `:without_protection` option. 
Here is an example: +In the example above, `require` is checking whether a `user` key is present or not +in the parameters, if it's not present, it'll raise an `ActionController::MissingParameter` +exception, which will be caught by `ActionController::Base` and turned into a +400 Bad Request reply. Then `permit` whitelists the attributes that should be +allowed for mass assignment. -```ruby -@user = User.new +A good pattern to encapsulate the permissible parameters is to use a private method +since you'll be able to reuse the same permit list between different actions. -@user.assign_attributes({ :name => 'Josh', :is_admin => true }) -@user.name # => Josh -@user.is_admin # => false +```ruby +def signup + @user = User.new(user_params) + # ... +end -@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :as => :admin) -@user.name # => Josh -@user.is_admin # => true +def update + @user = User.find(params[:id] + @user.update_attributes!(user_params) + # ... +end -@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :without_protection => true) -@user.name # => Josh -@user.is_admin # => true +private + def user_params + params.require(:user).permit(:name) + end ``` -In a similar way, `new`, `create`, `create!`, `update_attributes`, and `update_attributes!` methods all respect mass-assignment security and accept either `:as` or `:without_protection` options. For example: +Also, you can specialize this method with per-user checking of permissible +attributes. ```ruby -@user = User.new({ :name => 'Sebastian', :is_admin => true }, :as => :admin) -@user.name # => Sebastian -@user.is_admin # => true +def user_params + filters = [:name] + filters << :admin if current_user.try(:admin?) 
-@user = User.create({ :name => 'Sebastian', :is_admin => true }, :without_protection => true) -@user.name # => Sebastian -@user.is_admin # => true -``` - -A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes. This can be easily achieved with a very simple application config option of: - -```ruby -config.active_record.whitelist_attributes = true + params.require(:user).permit(*filters) +end ``` -This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`) as dictated by your failing tests. - User Management --------------- @@ -669,7 +690,7 @@ A blacklist can be a list of bad e-mail addresses, non-public actions or bad HTM * Allow <strong> instead of removing <script> against Cross-Site Scripting (XSS). See below for details. * Don't try to correct user input by blacklists: * This will make the attack work: "<sc<script>ript>".gsub("<script>", "") - * But reject malformed input + * But reject malformed input Whitelists are also a good approach against the human factor of forgetting something in the blacklist. 
@@ -1059,7 +1080,7 @@ config.action_dispatch.default_headers.clear Here is the list of common headers: * X-Frame-Options -_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. +_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. * X-XSS-Protection _'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) * X-Content-Type-Options diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb index f7d8f718de..39275e4285 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/application.rb +++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb @@ -47,7 +47,6 @@ module <%= app_const_base %> # config.active_record.schema_format = :sql <% unless options.skip_sprockets? -%> - # Enable the asset pipeline. config.assets.enabled = true diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb index 5d038d20e7..d6bce40b0c 100644 --- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb +++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb 
@@ -94,7 +94,7 @@ class <%= controller_class_name %>Controller < ApplicationController <%- if attributes.empty? -%> params[<%= ":#{singular_table_name}" %>] <%- else -%> - params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>) + params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.join(', ') %>) <%- end -%> end end diff --git a/railties/lib/rails/rack/logger.rb b/railties/lib/rails/rack/logger.rb index 89de10c83d..9ff94e74b3 100644 --- a/railties/lib/rails/rack/logger.rb +++ b/railties/lib/rails/rack/logger.rb @@ -10,7 +10,7 @@ module Rails end def call(env) - if @tags + if @tags && Rails.logger.respond_to?(:tagged) Rails.logger.tagged(compute_tags(env)) { call_app(env) } else call_app(env) diff --git a/railties/test/generators/scaffold_controller_generator_test.rb b/railties/test/generators/scaffold_controller_generator_test.rb index 1e16f04d85..aa09343346 100644 --- a/railties/test/generators/scaffold_controller_generator_test.rb +++ b/railties/test/generators/scaffold_controller_generator_test.rb @@ -50,7 +50,7 @@ class ScaffoldControllerGeneratorTest < Rails::Generators::TestCase end assert_match(/def user_params/, content) - assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content) + assert_match(/params\.require\(:user\)\.permit\(:name, :age\)/, content) end end |
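Review bot: In the first `actionpack/CHANGELOG.md` hunk (`@@ -91,26 +91,26 @@`), the rewritten `+` lines carry over two typos from the removed lines: "Deprecate availbility of `ActionView::RecordIdentifier`" should read "availability", and the attribution "*Piot Sarnacki*" on the html-scanner entry should be "*Piotr Sarnacki*", matching the other entries. Since these lines are being rewritten for backtick formatting anyway, fix the spelling in the same change.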
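Review bot: In the `activemodel/lib/active_model/validations/callbacks.rb` hunks, the new condition `"#{options[:on]}.include? self.validation_context"` builds Ruby source by interpolating an Array, relying on `Array#to_s` producing a valid literal such as `[:create, :update]`; that holds for symbol contexts but is a string-evaluated callback condition. A lambda avoids the string eval and the dependence on `to_s` output, for example `options[:if].unshift(lambda { |o| options[:on].include?(o.validation_context) })`. The same applies to the `after_validation` hunk (`@@ -92,7 +93,10 @@`). Also note that `options[:on] = Array(options[:on])` mutates the caller's hash before it is handed to `set_callback`; if that is intended, a short comment would help.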
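Review bot: The new CHANGELOG entry "Allow before and after validations to take an array of lifecycle events" is added to `activerecord/CHANGELOG.md`, but the code change lives in `activemodel/lib/active_model/validations/callbacks.rb`, so the entry belongs in `activemodel/CHANGELOG.md`. It would also read better naming the affected API, e.g. "Allow the `:on` option of `before_validation` and `after_validation` to take an array of contexts."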
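Review bot: In `activerecord/test/cases/callbacks_test.rb`, `test_validate_on_contextual_create` and `test_validate_on_contextual_update` only assert the positive case; there is no test showing that `before_validation_on_create_and_update` and `after_validation_on_create_and_update` are skipped for a context outside `[ :create, :update ]`. Add a negative test (for example calling `valid?` with another context on a `ContextualCallbacksDeveloper` and asserting that only `:before_validation`, `:validate` and `:after_validation` appear in `history`) so a regression in the `include?` condition would be caught.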
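Review bot: In the `guides/source/active_record_validations_callbacks.md` hunk, the new example is wrapped in `<ruby>` / `</ruby>` tags while the surrounding context shows the guide uses fenced ``` blocks (the preceding block closes with ```). Those tags will not render as a code block in the Markdown guide; replace them with a ```ruby fence and put a blank line between the sentence "Callbacks can also be registered to only fire on certain lifecycle events:" and the opening fence.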
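Review bot: In the `guides/source/debugging_rails_applications.md` hunk, the new link target `(https://github.com/nesquena/query_reviewer:)` keeps a stray trailing colon inside the parentheses, which produces a broken URL; the unchanged context lines (`rails-footnotes:`, `query_trace/tree/master:`, `exception_notification/tree/master:`) have the same artifact. Drop the colon in the `+` line and, since this list is being edited, fix the neighbouring entries too.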
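Review bot: The `guides/source/documents.yaml` hunk adds an entry pointing at `4_0_release_notes.html`, but no `guides/source/4_0_release_notes.md` appears in the 14 files changed by this commit. Unless that guide already exists in the tree, the new entry will produce a dead link in the guides index; either add the guide or mark the entry `work_in_progress: true` as the preceding entry does.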
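Review bot: In the first `guides/source/security.md` hunk (`@@ -375,18 +375,25 @@`), the re-wrapped warning still reads `` `Model.new(params[:model]`) `` with the closing parenthesis outside the backticks; it should be `` `Model.new(params[:model])` ``. Two lines further down, "`assign_attributes=` a hash value" names a method that does not exist in this form; the method is `assign_attributes`.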
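Review bot: In the Countermeasures hunk of `guides/source/security.md` (`@@ -414,77 +428,84 @@`), the `update` example has a syntax error: `@user = User.find(params[:id]` is missing its closing parenthesis and should be `@user = User.find(params[:id])`. The prose also states that `require` raises `ActionController::MissingParameter`; the exception the strong parameters implementation raises is `ActionController::ParameterMissing`, so please double-check the class name against the code before this lands in the guide. Finally, "Why we moved mass-assignment protection out of the model and into the controller?" is not a well-formed question; "Why did we move ..." or a plain statement would read better.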
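Review bot: In the `railties/lib/rails/rack/logger.rb` hunk, `if @tags && Rails.logger.respond_to?(:tagged)` silently drops the configured `config.log_tags` when the application's logger does not support tagging, which can be surprising when someone swaps in a custom logger and the request tags vanish from the logs. Consider a one-line comment explaining the fallback, or warning once at boot when tags are configured but the logger cannot apply them.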
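Review bot: The scaffold controller hunk drops `.sort`, so the generated `permit(...)` list now follows the order attributes were given on the command line rather than alphabetical order, and the test in `scaffold_controller_generator_test.rb` is updated to match (`permit\(:name, :age\)`). That is a user-visible change in generated code; a short railties CHANGELOG line noting it would help people whose generator tests assert on the sorted form.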