Commit 37d1429ab1
introduced the DummyERB to avoid loading the environment when
running `rake -T`.
The DummyCompiler simply replaced all output from `<%=` with a fixed string and
removed everything else. This worked okay when it was used for YAML values.
When using `<%=` within a YAML key, it caused an error in the YAML parser,
making it impossible to use ERB as you would expect. For example a
`database.yml` file containing the following should be possible:
development:
<% 5.times do |i| %>
shard_<%= i %>:
database: db/development_shard_<%= i %>.sqlite3
adapter: sqlite3
<% end %>
Instead of using a broken ERB compiler we can temporarily use a
`Rails.application.config` that does not raise an error when configurations are
accessed which have not been set as described in #35468.
This change removes the `DummyCompiler` and uses the standard `ERB::Compiler`.
It introduces the `DummyConfig` which delegates all known configurations to the
real `Rails::Application::Configuration` instance and returns a dummy string for
everything else. This restores the full ERB capabilities without compromising on
speed when generating the rake tasks for multiple databases.
Deprecates `config.active_record.suppress_multiple_database_warning`.
31 KiB
-
Allow any ERB in the database.yml when creating rake tasks.
Any ERB can be used in
database.yml
even if it accesses environment configurations.Deprecates
config.active_record.suppress_multiple_database_warning
.Eike Send
-
Add table to error for duplicate column definitions.
If a migration defines duplicate columns for a table, the error message shows which table it concerns.
Petrik de Heus
-
Fix erroneous nil default precision on virtual datetime columns.
Prior to this change, virtual datetime columns did not have the same default precision as regular datetime columns, resulting in the following being erroneously equivalent:
t.virtual :name, type: datetime, as: "expression" t.virtual :name, type: datetime, precision: nil, as: "expression"
This change fixes the default precision lookup, so virtual and regular datetime column default precisions match.
Sam Bostock
-
Use connection from
#with_raw_connection
in#quote_string
.This ensures that the string quoting is wrapped in the reconnect and retry logic that
#with_raw_connection
offers.Adrianna Chang
-
Add
expires_in
option tosigned_id
.Shouichi Kamiya
-
Allow applications to set retry deadline for query retries.
Building on the work done in #44576 and #44591, we extend the logic that automatically reconnects database connections to take into account a timeout limit. We won't retry a query if a given amount of time has elapsed since the query was first attempted. This value defaults to nil, meaning that all retryable queries are retried regardless of time elapsed, but this can be changed via the
retry_deadline
option in the database config.Adrianna Chang
-
Fix a case where the query cache can return wrong values. See #46044
Aaron Patterson
-
Support MySQL's ssl-mode option for MySQLDatabaseTasks.
Verifying the identity of the database server requires setting the ssl-mode option to VERIFY_CA or VERIFY_IDENTITY. This option was previously ignored for MySQL database tasks like creating a database and dumping the structure.
Petrik de Heus
-
Move
ActiveRecord::InternalMetadata
to an independent object.ActiveRecord::InternalMetadata
no longer inherits fromActiveRecord::Base
and is now an independent object that should be instantiated with aconnection
. This class is private and should not be used by applications directly. If you want to interact with the schema migrations table, please access it on the connection directly, for example:ActiveRecord::Base.connection.schema_migration
.Eileen M. Uchitelle
-
Deprecate quoting
ActiveSupport::Duration
as an integerUsing ActiveSupport::Duration as an interpolated bind parameter in a SQL string template is deprecated. To avoid this warning, you should explicitly convert the duration to a more specific database type. For example, if you want to use a duration as an integer number of seconds:
Record.where("duration = ?", 1.hour.to_i)
If you want to use a duration as an ISO 8601 string:
Record.where("duration = ?", 1.hour.iso8601)
Aram Greenman
-
Allow
QueryMethods#in_order_of
to order by a string column name.Post.in_order_of("id", [4,2,3,1]).to_a Post.joins(:author).in_order_of("authors.name", ["Bob", "Anna", "John"]).to_a
Igor Kasyanchuk
-
Move
ActiveRecord::SchemaMigration
to an independent object.ActiveRecord::SchemaMigration
no longer inherits fromActiveRecord::Base
and is now an independent object that should be instantiated with aconnection
. This class is private and should not be used by applications directly. If you want to interact with the schema migrations table, please access it on the connection directly, for example:ActiveRecord::Base.connection.schema_migration
.Eileen M. Uchitelle
-
Deprecate
all_connection_pools
and makeconnection_pool_list
more explicit.Following on #45924
all_connection_pools
is now deprecated.connection_pool_list
will either take an explicit role or applications can opt into the new behavior by passing:all
.Eileen M. Uchitelle
-
Fix connection handler methods to operate on all pools.
active_connections?
,clear_active_connections!
,clear_reloadable_connections!
,clear_all_connections!
, andflush_idle_connections!
now operate on all pools by default. Previously they would default to using thecurrent_role
or:writing
role unless specified.Eileen M. Uchitelle
-
Allow ActiveRecord::QueryMethods#select to receive hash values.
Currently,
select
might receive only raw sql and symbols to define columns and aliases to select.With this change we can provide
hash
as argument, for example:Post.joins(:comments).select(posts: [:id, :title, :created_at], comments: [:id, :body, :author_id]) #=> "SELECT \"posts\".\"id\", \"posts\".\"title\", \"posts\".\"created_at\", \"comments\".\"id\", \"comments\".\"body\", \"comments\".\"author_id\" # FROM \"posts\" INNER JOIN \"comments\" ON \"comments\".\"post_id\" = \"posts\".\"id\"" Post.joins(:comments).select(posts: { id: :post_id, title: :post_title }, comments: { id: :comment_id, body: :comment_body }) #=> "SELECT posts.id as post_id, posts.title as post_title, comments.id as comment_id, comments.body as comment_body # FROM \"posts\" INNER JOIN \"comments\" ON \"comments\".\"post_id\" = \"posts\".\"id\""
Oleksandr Holubenko, Josef Šimánek, Jean Boussier
-
Adapts virtual attributes on
ActiveRecord::Persistence#becomes
.When source and target classes have a different set of attributes adapts attributes such that the extra attributes from target are added.
class Person < ApplicationRecord end class WebUser < Person attribute :is_admin, :boolean after_initialize :set_admin def set_admin write_attribute(:is_admin, email =~ /@ourcompany\.com$/) end end person = Person.find_by(email: "email@ourcompany.com") person.respond_to? :is_admin # => false person.becomes(WebUser).is_admin? # => true
Jacopo Beschi, Sampson Crowley
-
Fix
ActiveRecord::QueryMethods#in_order_of
to includenil
s, to match the behavior ofEnumerable#in_order_of
.For example,
Post.in_order_of(:title, [nil, "foo"])
will now include posts withnil
titles, the same asPost.all.to_a.in_order_of(:title, [nil, "foo"])
.fatkodima
-
Optimize
add_timestamps
to use a single SQL statement.add_timestamps :my_table
Now results in the following SQL:
ALTER TABLE "my_table" ADD COLUMN "created_at" datetime(6) NOT NULL, ADD COLUMN "updated_at" datetime(6) NOT NULL
Iliana Hadzhiatanasova
-
Add
drop_enum
migration command for PostgreSQLThis does the inverse of
create_enum
. Before dropping an enum, ensure you have dropped columns that depend on it.Alex Ghiculescu
-
Adds support for
if_exists
option when removing a check constraint.The
remove_check_constraint
method now accepts anif_exists
option. If set to true an error won't be raised if the check constraint doesn't exist.Margaret Parsa and Aditya Bhutani
-
find_or_create_by
now try to find a second time if it hits a unicity constraint.find_or_create_by
always has been inherently racy, either creating multiple duplicate records or failing withActiveRecord::RecordNotUnique
depending on whether a proper unicity constraint was set.create_or_find_by
was introduced for this use case, however it's quite wasteful when the record is expected to exist most of the time, as INSERT require to send more data than SELECT and require more work from the database. Also on some databases it can actually consume a primary key increment which is undesirable.So for case where most of the time the record is expected to exist,
find_or_create_by
can be made race-condition free by re-trying thefind
if thecreate
failed withActiveRecord::RecordNotUnique
. This assumes that the table has the proper unicity constraints, if not,find_or_create_by
will still lead to duplicated records.Jean Boussier, Alex Kitchens
-
Introduce a simpler constructor API for ActiveRecord database adapters.
Previously the adapter had to know how to build a new raw connection to support reconnect, but also expected to be passed an initial already- established connection.
When manually creating an adapter instance, it will now accept a single config hash, and only establish the real connection on demand.
Matthew Draper
-
Avoid redundant
SELECT 1
connection-validation query during DB pool checkout when possible.If the first query run during a request is known to be idempotent, it can be used directly to validate the connection, saving a network round-trip.
Matthew Draper
-
Automatically reconnect broken database connections when safe, even mid-request.
When an error occurs while attempting to run a known-idempotent query, and not inside a transaction, it is safe to immediately reconnect to the database server and try again, so this is now the default behavior.
This new default should always be safe -- to support that, it's consciously conservative about which queries are considered idempotent -- but if necessary it can be disabled by setting the
connection_retries
connection option to0
.Matthew Draper
-
Avoid removing a PostgreSQL extension when there are dependent objects.
Previously, removing an extension also implicitly removed dependent objects. Now, this will raise an error.
You can force removing the extension:
disable_extension :citext, force: :cascade
Fixes #29091.
fatkodima
-
Allow nested functions as safe SQL string
Michael Siegfried
-
Allow
destroy_association_async_job=
to be configured with a class string instead of a constant.Defers an autoloading dependency between
ActiveRecord::Base
andActiveJob::Base
and moves the configuration ofActiveRecord::DestroyAssociationAsyncJob
from ActiveJob to ActiveRecord.Deprecates
ActiveRecord::ActiveJobRequiredError
and now raises aNameError
if the job class is unloadable or anActiveRecord::ConfigurationError
ifdependent: :destroy_async
is declared on an association but there is no job class configured.Ben Sheldon
-
Fix
ActiveRecord::Store
to serialize as a regular HashPreviously it would serialize as an
ActiveSupport::HashWithIndifferentAccess
which is wasteful and cause problem with YAML safe_load.Jean Boussier
-
Add
timestamptz
as a time zone aware type for PostgreSQLThis is required for correctly parsing
timestamp with time zone
values in your database.If you don't want this, you can opt out by adding this initializer:
ActiveRecord::Base.time_zone_aware_types -= [:timestamptz]
Alex Ghiculescu
-
Add new
ActiveRecord::Base::generates_token_for
API.Currently,
signed_id
fulfills the role of generating tokens for e.g. resetting a password. However, signed IDs cannot reflect record state, so if a token is intended to be single-use, it must be tracked in a database at least until it expires.With
generates_token_for
, a token can embed data from a record. When using the token to fetch the record, the data from the token and the data from the record will be compared. If the two do not match, the token will be treated as invalid, the same as if it had expired. For example:class User < ActiveRecord::Base has_secure_password generates_token_for :password_reset, expires_in: 15.minutes do # A password's BCrypt salt changes when the password is updated. # By embedding (part of) the salt in a token, the token will # expire when the password is updated. BCrypt::Password.new(password_digest).salt[-10..] end end user = User.first token = user.generate_token_for(:password_reset) User.find_by_token_for(:password_reset, token) # => user user.update!(password: "new password") User.find_by_token_for(:password_reset, token) # => nil
Jonathan Hefner
-
Optimize Active Record batching for whole table iterations.
Previously,
in_batches
got all the ids and constructed anIN
-based query for each batch. When iterating over the whole tables, this approach is not optimal as it loads unneeded ids andIN
queries with lots of items are slow.Now, whole table iterations use range iteration (
id >= x AND id <= y
) by default which can make iteration several times faster. E.g., tested on a PostgreSQL table with 10 million records: querying (253s
vs30s
), updating (288s
vs124s
), deleting (268s
vs83s
).Only whole table iterations use this style of iteration by default. You can disable this behavior by passing
use_ranges: false
. If you iterate over the table and the only condition is, e.g.,archived_at: nil
(and only a tiny fraction of the records are archived), it makes sense to opt in to this approach:Project.where(archived_at: nil).in_batches(use_ranges: true) do |relation| # do something end
See #45414 for more details.
fatkodima
-
.with
query method added. Construct common table expressions with ease and getActiveRecord::Relation
back.Post.with(posts_with_comments: Post.where("comments_count > ?", 0)) # => ActiveRecord::Relation # WITH posts_with_comments AS (SELECT * FROM posts WHERE (comments_count > 0)) SELECT * FROM posts
Vlado Cingel
-
Don't establish a new connection if an identical pool exists already.
Previously, if
establish_connection
was called on a class that already had an established connection, the existing connection would be removed regardless of whether it was the same config. Now if a pool is found with the same values as the new connection, the existing connection will be returned instead of creating a new one.This has a slight change in behavior if application code is depending on a new connection being established regardless of whether it's identical to an existing connection. If the old behavior is desirable, applications should call
ActiveRecord::Base#remove_connection
before establishing a new one. Callingestablish_connection
with a different config works the same way as it did previously.Eileen M. Uchitelle
-
Update
db:prepare
task to load schema when an uninitialized database exists, and dump schema after migrations.Ben Sheldon
-
Fix supporting timezone awareness for
tsrange
andtstzrange
array columns.# In database migrations add_column :shops, :open_hours, :tsrange, array: true # In app config ActiveRecord::Base.time_zone_aware_types += [:tsrange] # In the code times are properly converted to app time zone Shop.create!(open_hours: [Time.current..8.hour.from_now])
Wojciech Wnętrzak
-
Introduce strategy pattern for executing migrations.
By default, migrations will use a strategy object that delegates the method to the connection adapter. Consumers can implement custom strategy objects to change how their migrations run.
Adrianna Chang
-
Add adapter option disallowing foreign keys
This adds a new option to be added to
database.yml
which enables skipping foreign key constraints usage even if the underlying database supports them.Usage:
development: <<: *default database: db/development.sqlite3 foreign_keys: false
Paulo Barros
-
Add configurable deprecation warning for singular associations
This adds a deprecation warning when using the plural name of a singular associations in
where
. It is possible to opt into the new more performant behavior withconfig.active_record.allow_deprecated_singular_associations_name = false
Adam Hess
-
Run transactional callbacks on the freshest instance to save a given record within a transaction.
When multiple Active Record instances change the same record within a transaction, Rails runs
after_commit
orafter_rollback
callbacks for only one of them.config.active_record.run_commit_callbacks_on_first_saved_instances_in_transaction
was added to specify how Rails chooses which instance receives the callbacks. The framework defaults were changed to use the new logic.When
config.active_record.run_commit_callbacks_on_first_saved_instances_in_transaction
istrue
, transactional callbacks are run on the first instance to save, even though its instance state may be stale.When it is
false
, which is the new framework default starting with version 7.1, transactional callbacks are run on the instances with the freshest instance state. Those instances are chosen as follows:- In general, run transactional callbacks on the last instance to save a given record within the transaction.
- There are two exceptions:
- If the record is created within the transaction, then updated by
another instance,
after_create_commit
callbacks will be run on the second instance. This is instead of theafter_update_commit
callbacks that would naively be run based on that instance’s state. - If the record is destroyed within the transaction, then
after_destroy_commit
callbacks will be fired on the last destroyed instance, even if a stale instance subsequently performed an update (which will have affected 0 rows).
- If the record is created within the transaction, then updated by
another instance,
Cameron Bothner and Mitch Vollebregt
-
Enable strict strings mode for
SQLite3Adapter
.Configures SQLite with a strict strings mode, which disables double-quoted string literals.
SQLite has some quirks around double-quoted string literals. It first tries to consider double-quoted strings as identifier names, but if they don't exist it then considers them as string literals. Because of this, typos can silently go unnoticed. For example, it is possible to create an index for a non existing column. See SQLite documentation for more details.
If you don't want this behavior, you can disable it via:
# config/application.rb config.active_record.sqlite3_adapter_strict_strings_by_default = false
Fixes #27782.
fatkodima, Jean Boussier
-
Resolve issue where a relation cache_version could be left stale.
Previously, when
reset
was called on a relation object it did not reset the cache_versions ivar. This led to a confusing situation where despite having the correct data the relation still reported a stale cache_version.Usage:
developers = Developer.all developers.cache_version Developer.update_all(updated_at: Time.now.utc + 1.second) developers.cache_version # Stale cache_version developers.reset developers.cache_version # Returns the current correct cache_version
Fixes #45341.
Austen Madden
-
Add support for exclusion constraints (PostgreSQL-only).
add_exclusion_constraint :invoices, "daterange(start_date, end_date) WITH &&", using: :gist, name: "invoices_date_overlap" remove_exclusion_constraint :invoices, name: "invoices_date_overlap"
See PostgreSQL's
CREATE TABLE ... EXCLUDE ...
documentation for more on exclusion constraints.Alex Robbin
-
change_column_null
raises if a non-boolean argument is providedPreviously if you provided a non-boolean argument,
change_column_null
would treat it as truthy and make your column nullable. This could be surprising, so now the input must be eithertrue
orfalse
.change_column_null :table, :column, true # good change_column_null :table, :column, false # good change_column_null :table, :column, from: true, to: false # raises (previously this made the column nullable)
Alex Ghiculescu
-
Enforce limit on table names length.
Fixes #45130.
fatkodima
-
Adjust the minimum MariaDB version for check constraints support.
Eddie Lebow
-
Fix Hstore deserialize regression.
edsharp
-
Add validity for PostgreSQL indexes.
connection.index_exists?(:users, :email, valid: true) connection.indexes(:users).select(&:valid?)
fatkodima
-
Fix eager loading for models without primary keys.
Anmol Chopra, Matt Lawrence, and Jonathan Hefner
-
Avoid validating a unique field if it has not changed and is backed by a unique index.
Previously, when saving a record, Active Record will perform an extra query to check for the uniqueness of each attribute having a
uniqueness
validation, even if that attribute hasn't changed. If the database has the corresponding unique index, then this validation can never fail for persisted records, and we could safely skip it.fatkodima
-
Stop setting
sql_auto_is_null
Since version 5.5 the default has been off, we no longer have to manually turn it off.
Adam Hess
-
Fix
touch
to raise an error for readonly columns.fatkodima
-
Add ability to ignore tables by regexp for SQL schema dumps.
ActiveRecord::SchemaDumper.ignore_tables = [/^_/]
fatkodima
-
Avoid queries when performing calculations on contradictory relations.
Previously calculations would make a query even when passed a contradiction, such as
User.where(id: []).count
. We no longer perform a query in that scenario.This applies to the following calculations:
count
,sum
,average
,minimum
andmaximum
Luan Vieira, John Hawthorn and Daniel Colson
-
Allow using aliased attributes with
insert_all
/upsert_all
.class Book < ApplicationRecord alias_attribute :title, :name end Book.insert_all [{ title: "Remote", author_id: 1 }], returning: :title
fatkodima
-
Support encrypted attributes on columns with default db values.
This adds support for encrypted attributes defined on columns with default values. It will encrypt those values at creation time. Before, it would raise an error unless
config.active_record.encryption.support_unencrypted_data
was true.Jorge Manrubia and Dima Fatko
-
Allow overriding
reading_request?
inDatabaseSelector::Resolver
The default implementation checks if a request is a
get?
orhead?
, but you can now change it to anything you like. If the method returns true,Resolver#read
gets called meaning the request could be served by the replica database.Alex Ghiculescu
-
Remove
ActiveRecord.legacy_connection_handling
.Eileen M. Uchitelle
-
rails db:schema:{dump,load}
now checksENV["SCHEMA_FORMAT"]
before configSince
rails db:structure:{dump,load}
was deprecated there wasn't a simple way to dump a schema to both SQL and Ruby formats. You can now do this with an environment variable. For example:SCHEMA_FORMAT=sql rake db:schema:dump
Alex Ghiculescu
-
Fixed MariaDB default function support.
Defaults would be written wrong in "db/schema.rb" and not work correctly if using
db:schema:load
. Further more the function name would be added as string content when saving new records.kaspernj
-
Add
active_record.destroy_association_async_batch_size
configurationThis allows applications to specify the maximum number of records that will be destroyed in a single background job by the
dependent: :destroy_async
association option. By default, the current behavior will remain the same: when a parent record is destroyed, all dependent records will be destroyed in a single background job. If the number of dependent records is greater than this configuration, the records will be destroyed in multiple background jobs.Nick Holden
-
Fix
remove_foreign_key
with:if_exists
option when foreign key actually exists.fatkodima
-
Remove
--no-comments
flag in structure dumps for PostgreSQLThis broke some apps that used custom schema comments. If you don't want comments in your structure dump, you can use:
ActiveRecord::Tasks::DatabaseTasks.structure_dump_flags = ['--no-comments']
Alex Ghiculescu
-
Reduce the memory footprint of fixtures accessors.
Until now fixtures accessors were eagerly defined using
define_method
. So the memory usage was directly dependent of the number of fixtures and test suites.Instead fixtures accessors are now implemented with
method_missing
, so they incur much less memory and CPU overhead.Jean Boussier
-
Fix
config.active_record.destroy_association_async_job
configurationconfig.active_record.destroy_association_async_job
should allow applications to specify the job that will be used to destroy associated records in the background forhas_many
associations with thedependent: :destroy_async
option. Previously, that was ignored, which meant the defaultActiveRecord::DestroyAssociationAsyncJob
always destroyed records in the background.Nick Holden
-
Fix
change_column_comment
to preserve column's AUTO_INCREMENT in the MySQL adapterfatkodima
-
Fix quoting of
ActiveSupport::Duration
andRational
numbers in the MySQL adapter.Kevin McPhillips
-
Allow column name with COLLATE (e.g., title COLLATE "C") as safe SQL string
Shugo Maeda
-
Permit underscores in the VERSION argument to database rake tasks.
Eddie Lebow
-
Reversed the order of
INSERT
statements instructure.sql
dumpsThis should decrease the likelihood of merge conflicts. New migrations will now be added at the top of the list.
For existing apps, there will be a large diff the next time
structure.sql
is generated.Alex Ghiculescu, Matt Larraz
-
Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes #44307.
Nikita Vasilevsky
-
Fix dropping DB connections after serialization failures and deadlocks.
Prior to 6.1.4, serialization failures and deadlocks caused rollbacks to be issued for both real transactions and savepoints. This breaks MySQL which disallows rollbacks of savepoints following a deadlock.
6.1.4 removed these rollbacks, for both transactions and savepoints, causing the DB connection to be left in an unknown state and thus discarded.
These rollbacks are now restored, except for savepoints on MySQL.
Thomas Morgan
-
Make
ActiveRecord::ConnectionPool
Fiber-safeWhen
ActiveSupport::IsolatedExecutionState.isolation_level
is set to:fiber
, the connection pool now supports multiple Fibers from the same Thread checking out connections from the pool.Alex Matchneer
-
Add
update_attribute!
toActiveRecord::Persistence
Similar to
update_attribute
, but raisesActiveRecord::RecordNotSaved
when abefore_*
callback throws:abort
.class Topic < ActiveRecord::Base before_save :check_title def check_title throw(:abort) if title == "abort" end end topic = Topic.create(title: "Test Title") # #=> #<Topic title: "Test Title"> topic.update_attribute!(:title, "Another Title") # #=> #<Topic title: "Another Title"> topic.update_attribute!(:title, "abort") # raises ActiveRecord::RecordNotSaved
Drew Tempelmeyer
-
Avoid loading every record in
ActiveRecord::Relation#pretty_print
# Before pp Foo.all # Loads the whole table. # After pp Foo.all # Shows 10 items and an ellipsis.
Ulysse Buonomo
-
Change
QueryMethods#in_order_of
to drop records not listed in values.in_order_of
now filters down to the values provided, to match the behavior of theEnumerable
version.Kevin Newton
-
Allow named expression indexes to be revertible.
Previously, the following code would raise an error in a reversible migration executed while rolling back, due to the index name not being used in the index removal.
add_index(:settings, "(data->'property')", using: :gin, name: :index_settings_data_property)
Fixes #43331.
Oliver Günther
-
Fix incorrect argument in PostgreSQL structure dump tasks.
Updating the
--no-comment
argument added in Rails 7 to the correct--no-comments
argument.Alex Dent
-
Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.
Reference/belongs_to in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
-
Add a deprecation warning when
prepared_statements
configuration is not set for the mysql2 adapter.Thiago Araujo and Stefanni Brasil
-
Fix
QueryMethods#in_order_of
to handle empty order list.Post.in_order_of(:id, []).to_a
Also more explicitly set the column as secondary order, so that any other value is still ordered.
Jean Boussier
-
Fix quoting of column aliases generated by calculation methods.
Since the alias is derived from the table name, we can't assume the result is a valid identifier.
class Test < ActiveRecord::Base self.table_name = '1abc' end Test.group(:id).count # syntax error at or near "1" (ActiveRecord::StatementInvalid) # LINE 1: SELECT COUNT(*) AS count_all, "1abc"."id" AS 1abc_id FROM "1...
Jean Boussier
-
Add
authenticate_by
when usinghas_secure_password
.authenticate_by
is intended to replace code like the following, which returns early when a user with a matching email is not found:User.find_by(email: "...")&.authenticate("...")
Such code is vulnerable to timing-based enumeration attacks, wherein an attacker can determine if a user account with a given email exists. After confirming that an account exists, the attacker can try passwords associated with that email address from other leaked databases, in case the user re-used a password across multiple sites (a common practice). Additionally, knowing an account email address allows the attacker to attempt a targeted phishing ("spear phishing") attack.
authenticate_by
addresses the vulnerability by taking the same amount of time regardless of whether a user with a matching email is found:User.authenticate_by(email: "...", password: "...")
Jonathan Hefner
Please check 7-0-stable for previous changes.