This Week in Rails

July 15, 2022

Rails security releases, Improved generator option handling and more...

Hi! Emmanuel here with updates from Rails over the last week.

Rails Versions 7.0.3.1, 6.1.6.1, 6.0.5.1, and 5.2.8.1 have been released!
A few days ago Rails released versions 7.0.3.1, 6.1.6.1, 6.0.5.1, and 5.2.8.1. These are security updates that impact applications that use serialised attributes on Active Record models. These updates, identified by CVE-2022-32224, cover a possible escalation to RCE when using YAML serialised columns in Active Record.
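The patched releases deserialize YAML columns with YAML.safe_load by default, so stored values that contain anything beyond basic types are refused until their classes are explicitly permitted. The following is an added example, not code from Rails or from this newsletter: a pre-upgrade audit that reports which classes safe_load would refuse in a set of stored column values. The helper names and the sample values (including AuditDemo::Widget) are constructed for illustration.

```ruby
require "yaml"

# Returns the name of the first class YAML.safe_load refuses for this value,
# or nil when the value loads with the given permitted list.
# Nothing outside the permitted list is ever instantiated by the audit.
def rejected_class(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted)
  nil
rescue Psych::DisallowedClass => e
  # Psych reports "Tried to load unspecified class: <Name>"
  e.message[/class: (.+)\z/, 1]
end

# Tallies refused class names across many stored values.
# Each value contributes at most one entry (its first refusal).
def audit(values, permitted: [])
  values.each_with_object(Hash.new(0)) do |yaml, tally|
    name = rejected_class(yaml, permitted: permitted)
    tally[name] += 1 if name
  end
end

# Constructed sample of raw serialized column contents.
SAMPLE_VALUES = [
  "---\ntheme: dark\nper_page: 25\n",              # plain hash, loads fine
  "---\n:role: admin\n",                            # symbol key
  "--- :active\n",                                  # bare symbol
  "--- !ruby/object:AuditDemo::Widget\nname: x\n",  # arbitrary object tag
].freeze

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_VALUES)
  p audit(SAMPLE_VALUES, permitted: [Symbol])
end
```

Classes that the audit shows are legitimately needed can be listed in config.active_record.yaml_column_permitted_classes; an unexpected object tag in stored data is worth investigating rather than permitting.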

Allow opting out of the SameSite cookie
You can now opt out of using SameSite on your cookies by passing same_site: nil.

Improve generator implied option handling
AppGenerator and PluginGenerator implied options have gotten some improvements:

- Implied options will now be reported in your shell.
- Conflicting options will raise an error.
- Meta options and --no-* options are reported with more precision.

Add Formatting Full Messages with I18n section in ActiveRecordValidations guides
Rails Guides received some love. There's now a section in the Active Record Validations guide that demonstrates how full validation messages can be formatted with the help of I18n.

Add --parent option to job generator to specify parent class of job
There's now a superclass option in the job generator. It's possible to do bin/rails g job process_payment --parent=payment_job to get class ProcessPaymentJob < PaymentJob; end.

Add include_seconds option to datetime_local_field
According to input elements of type time, browsers render time differently if you format time without the seconds bit. This PR adds an option to omit the seconds part of formatted time with include_seconds: false.

Add timestamptz as a time zone aware type for PostgreSQL
Support for the timestamptz type was previously added to the Postgres adapter, but this caused issues in some cases where the newly added timestamptz was not considered a time zone aware attribute. This PR fixes the issue for Postgres users.

Common Table Expression support added "out-of-the-box"
You can now build sophisticated queries with Common Table Expressions using the .with query method on models. The .with method allows the usage of Active Record relations without the need to manually build Arel::Nodes::As nodes.

Add ActiveRecord::Base::generates_token_for
With this PR, signed_id is relieved of token generation. Token generation is now directly associated with a record, allowing record state to be tracked easily.

Add quarter to date/time
DateAndTime::Calculations gets a new method, quarter, that returns the quarter of the receiver's calendar year. Here are some examples: Date.new(2010, 12, 25).quarter # => 4 and Date.new(2010, 4, 12).quarter # => 2.

32 people contributed to Rails since the last time. Until next time!