We don't want people to jump from the last release in the previous
series (4.2) straing to the first release in the current series that is
support (5.1), so we should be supporting the entire series for severe
security issues.
This will not be a problem because usually we only have 3 releases in a
series and backporting patches inside the same series is not harder than
backporting to a previous series.
ActionView::Template instances compile their source to methods on the
ActionView::CompiledTemplates module. To prevent leaks in development
mode, where templates can frequently change, a finalizer is added that
undefines these methods[1] when the templates are garbage-collected.
This is undesirable in the test environment, however, as templates don't
change during the life of the test. Moreover, the cost of undefining a
method is proportional to the number of descendants a class or module
has, since the method cache must be cleared for all descendant classes.
As ActionView::CompiledTemplates is mixed into every
ActionView::TestCase (or in RSpec suites, every view spec example
group), it can end up with a very large number of descendants, and
undefining its methods can become very expensive.
In large test suites, this results in a long delay at the end of the
test suite as all template finalizers are run, only for the process to
then exit.
To avoid this unnecessary cost, this change adds a config option,
`action_view.finalize_compiled_template_methods`, defaulting to true,
and sets it to false in the test environment only.
[1] 09b2348f7f/actionview/lib/action_view/template.rb (L118-L126)
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
- Remove
```
* Namespace error pages' CSS selectors to stop the styles from bleeding
into other pages when using Turbolinks.
([Pull Request](https://github.com/rails/rails/pull/28814))
```
since it was backported to
`5-1-stable` by 50d5baf7ed
and
`5-0-stable` by d1c4a39ed7.
- Remove
```
* Allow irb options to be passed from `rails console` command.
([Pull Request](https://github.com/rails/rails/pull/29010))
```
since it was backported to
`5-1-stable` by e91b48348c.
- Remove
```
* Load environment file in `dbconsole` command.
([Pull Request](https://github.com/rails/rails/pull/29725))
```
since it was backported to
`5-1-stable` by 7f9342877a.
- Remove
```
* Gemfile for new apps: upgrade redis-rb from ~> 3.0 to 4.0.
([Pull Request](https://github.com/rails/rails/pull/30748))
```
since it was backported to
`5-1-stable` by 3789531151.
- Remove
```
* Fix minitest rails plugin.
The custom reporters are added only if needed.
This will fix conflicts with others plugins.
([Commit](ac99916fcf))
```
since it was backported to
`5-1-stable` by caa76956d3.
- Remove
```
* Add support for compatibility with redis-rb gem for 4.0 version.
([Pull Request](https://github.com/rails/rails/pull/30748))
```
since it was backported to
`5-1-stable` by 3789531151.
- Remove
```
* Add `action_controller_api` and `action_controller_base` load hooks to be
called in `ActiveSupport.on_load`.
([Pull Request](https://github.com/rails/rails/pull/28402))
```
since it was backported to
`5-1-stable` by b9a5fd706a.
- Remove
```
* `driven_by` now registers poltergeist and capybara-webkit.
([Pull Request](https://github.com/rails/rails/pull/29315))
```
since it was backported to
`5-1-stable` by c5dd45119a.
- Remove
```
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
([Pull Request](https://github.com/rails/rails/pull/29630))
```
since it was backported to
`5-1-stable` by c1014e435d
and
`5-0-stable` by 0e71fc3040.
- Remove
```
* Make `take_failed_screenshot` work within engine.
([Pull Request](https://github.com/rails/rails/pull/30421))
```
since it was backported to
`5-1-stable` by 595a231029.
- Remove
```
* Fix optimized url helpers when using relative url root.
([Pull Request](https://github.com/rails/rails/pull/31261))
```
since it was backported to
`5-1-stable` by e9b77953a2.
- Remove
```
* Update `distance_of_time_in_words` helper to display better error messages
for bad input.
([Pull Request](https://github.com/rails/rails/pull/20701))
```
since it was backported to
`5-1-stable` by 2c97fbf650.
- Remove
```
* Generate field ids in `collection_check_boxes` and
`collection_radio_buttons`.
([Pull Request](https://github.com/rails/rails/pull/29412))
```
since it was backported to
`5-1-stable` by 2d8c10a7b1.
- Remove
```
* Fix issues with scopes and engine on `current_page?` method.
([Pull Request](https://github.com/rails/rails/pull/29503))
```
since it was backported to
`5-1-stable` by 2135daf0d5.
- Remove
```
* Bring back proc with arity of 1 in `ActionMailer::Base.default` proc
since it was supported in Rails 5.0 but not deprecated.
([Pull Request](https://github.com/rails/rails/pull/30391))
```
since it was backported to
`5-1-stable` by b2bedb1492.
- Remove
```
* Add type caster to `RuntimeReflection#alias_name`.
([Pull Request](https://github.com/rails/rails/pull/28961))
```
since it was backported to
`5-1-stable` by f644e7a6fd.
- Remove
```
* Loading model schema from database is now thread-safe.
([Pull Request](https://github.com/rails/rails/pull/29216))
```
since it was backported to
`5-1-stable` by 02926cfff6.
and
`5-0-stable` by 84bcfe5a6a
- Remove
```
* Fix destroying existing object does not work well when optimistic locking
enabled and `locking_column` is null in the database.
([Pull Request](https://github.com/rails/rails/pull/28926))
```
since it was backported to
`5-1-stable` by e498052c52.
- Remove
```
* `ActiveRecord::Persistence#touch` does not work well
when optimistic locking enabled and `locking_column`,
without default value, is null in the database.
([Pull Request](https://github.com/rails/rails/pull/28914))
```
since it was backported to
`5-1-stable` by 1e2f63db78.
- Remove
```
* Previously, when building records using a `has_many :through` association,
if the child records were deleted before the parent was saved,
they would still be persisted. Now, if child records are deleted
before the parent is saved on a `has_many :through` association,
the child records will not be persisted.
([Pull Request](https://github.com/rails/rails/pull/29593))
```
since it was backported to
`5-1-stable` by a22c39e9cc.
- Remove
```
* Query cache was unavailable when entering the `ActiveRecord::Base.cache`
block without being connected.
([Pull Request](https://github.com/rails/rails/pull/29609))
```
since it was backported to
`5-1-stable` by fd6c8cdfe6
and
`5-0-stable` by 9f2532bb16.
- Remove
```
* `Relation#joins` is no longer affected by the target model's
`current_scope`, with the exception of `unscoped`.
([Commit](5c71000d08))
```
since it was backported to
`5-1-stable` by 3630d6354c.
- Remove
```
* Fix `unscoped(where: [columns])` removing the wrong bind values.
([Pull Request](https://github.com/rails/rails/pull/29780))
```
since it was backported to
`5-1-stable` by d378fcb254.
- Remove
```
* When a `has_one` association is destroyed by `dependent: destroy`,
`destroyed_by_association` will now be set to the reflection, matching the
behaviour of `has_many` associations.
([Pull Request](https://github.com/rails/rails/pull/29855))
```
since it was backported to
`5-1-stable` by 8254a8be81.
- Remove
```
* Fix `COUNT(DISTINCT ...)` with `ORDER BY` and `LIMIT`
to keep the existing select list.
([Pull Request](https://github.com/rails/rails/pull/29848))
```
since it was backported to
`5-1-stable` by 0e8d4edd56.
- Remove
```
* Ensure `sum` honors `distinct` on `has_many :through` associations.
([Commit](566f1fd068))
```
since it was backported to
`5-1-stable` by c0a1dc2561.
- Remove
```
* Fix `COUNT(DISTINCT ...)` for `GROUP BY` with `ORDER BY` and `LIMIT`.
([Commit](5668dc6b18))
```
since it was backported to
`5-1-stable` by 87ca68e76e.
- Remove
```
* MySQL: Don't lose `auto_increment: true` in the `db/schema.rb`.
([Commit](9493d45535))
```
since it was backported to
`5-1-stable` by 8b6e694e5f.
- Remove
```
* Fix longer sequence name detection for serial columns.
([Pull Request](https://github.com/rails/rails/pull/28339))
```
since it was backported to
`5-1-stable` by af9c1707ad
and
`5-0-stable` by 7025b1d8eb.
- Remove
```
* Fix `bin/rails db:setup` and `bin/rails db:test:prepare` create wrong
ar_internal_metadata's data for a test database.
([Pull Request](https://github.com/rails/rails/pull/30579))
```
since it was backported to
`5-1-stable` by bb67b5f278
and
`5-0-stable` by 60437e6d3c.
- Remove
```
* Fix conflicts `counter_cache` with `touch: true` by optimistic locking.
([Pull Request](https://github.com/rails/rails/pull/31405))
```
since it was backported to
`5-1-stable` by 5236ddaf35.
- Remove
```
* Fix `count(:all)` to correctly work `distinct` with custom SELECT list.
([Commit](c6cd9a59f2))
```
since it was backported to
`5-1-stable` by 6beb4de7dd.
- Remove
```
* Fix to invoke callbacks when using `update_attribute`.
([Commit](732aa34b6e))
```
since it was backported to
`5-1-stable` by 6346683bc5.
- Remove
```
* Use `count(:all)` in `HasManyAssociation#count_records` to prevent invalid
SQL queries for association counting.
([Pull Request](https://github.com/rails/rails/pull/27561))
```
since it was backported to
`5-1-stable` by eef3c89e3b.
- Remove
```
* Fix `count(:all)` with eager loading and having an order other than
the driving table.
([Commit](ebc09ed9ad))
```
since it was backported to
`5-1-stable` by 6df9b69b23.
- Remove
```
* PostgreSQL: Allow pg-1.0 gem to be used with Active Record.
([Pull Request](https://github.com/rails/rails/pull/31671))
```
since it was backported to
`5-1-stable` by a9c06f61d5.
- Remove
```
* Fix that after commit callbacks on update does not triggered
when optimistic locking is enabled.
([Commit](7f9bd034c4))
```
since it was backported to
`5-1-stable` by aaee10e6e4.
- Remove
```
* Fix regression in numericality validator when comparing Decimal and Float
input values with more scale than the schema.
([Pull Request](https://github.com/rails/rails/pull/28584))
```
since it was backported to
`5-1-stable` by 5b1c3e5a8b.
Note that there was incorrect link to PR,
original PR is https://github.com/rails/rails/pull/29249.
- Remove
```
* Fix to working before/after validation callbacks on multiple contexts.
([Pull Request](https://github.com/rails/rails/pull/31483))
```
since it was backported to
`5-1-stable` by 0f7046a7f8.
- Remove
```
* Fix implicit coercion calculations with scalars and durations.
([Pull Request](https://github.com/rails/rails/pull/29163),
[Pull Request](https://github.com/rails/rails/pull/29971))
```
since it was backported to
`5-1-stable` by 51ea27c04c,
4d82e2aad9.
- Remove
```
* Fix modulo operations involving durations.
([Commit](a54e13bd2e))
```
since it was backported to
`5-1-stable` by 233fa7eab3.
- Remove
```
* Return all mappings for a timezone identifier in `country_zones`.
([Commit](cdce6a709e))
```
since it was backported to
`5-1-stable` by 0222ebbe06.
- Remove
```
* Add support for compatibility with redis-rb gem for 4.0 version.
([Pull Request](https://github.com/rails/rails/pull/30748))
```
since it was backported to
`5-1-stable` by 3789531151.
Related to #32252.
Related to #32222, https://github.com/rails/rails/pull/32222#discussion_r174256536.
Follow up a489cc81b6.
Add section "Expiry in signed or encrypted cookie is now embedded in the cookies values"
to `master` since it should always be in the guides, not only for version 5.2.
Add info about `config.action_dispatch.use_authenticated_cookie_encryption`
to the "Configuring Rails Applications" guide.
It was committed straight to `5-2-stable` since we don't need this
functionality in 6.0. Related to b25fcbc074.
- Add a description of major features in Rails 5.2.
- Add a reference to Pull Request/Commit to every entry in CHANGELOGs,
note that some of them combined.
- Add section "Ruby on Rails Guides" with notable changes.
- Note that
- Skipped this since encrypted secrets are already on the way out.
```
* Add `rails secrets:show` command.
([Pull Request](https://github.com/rails/rails/pull/29695))
```
- Skipped this since it was backported all the way to 5-0-stable.
```
* Make Rails' test runner work better with minitest plugins.
([Pull Request](https://github.com/rails/rails/pull/29572))
```
Thanks to everyone who has been working on Rails 5.2! <3
The Active Storage service for Azure Storage has an option called `path`
that is ambiguous in meaning. It needs to be set to the primary blob
storage endpoint but that can be determined from the blobs client anyway.
To simplify the configuration this commit removes the `path` option and
gets the endpoint from the blobs client instead.
Closes#32225.
* Remove reference to Globalize::Backend::Static as this class no longer exists.
* Remove reference to google group
* Remove confusing reference to Globalize3
* Add section on translating stored content
Rafael Mendonça França