This Week in Rails

March 27, 2022

Security improvements, reducing bytes and more!

Hi, this is Petrik, bringing you the latest news from the Rails world.

Reduce the output of Rails::Railtie#inspect to the classname
Anytime inspect was called on Rails::Application, it would output the very large application object. By reducing it to the classname, we also prevent leaking credentials.
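
An added example, not code from Rails or from this newsletter: a plain-Ruby sketch of why Ruby's default inspect on a large object can put credentials into a log line, and how reducing inspect to the class name avoids that. The class names (FakeCredentials, FakeConfig, VerboseApp, QuietApp) and the secret value are constructed for illustration.

```ruby
# Constructed stand-ins for illustration; these are not Rails classes.
class FakeCredentials
  def initialize(secret_key_base)
    @secret_key_base = secret_key_base
  end
end

class FakeConfig
  def initialize(credentials)
    @credentials = credentials
    @log_level = :info
  end
end

# Keeps Ruby's default #inspect, which recursively prints instance variables.
class VerboseApp
  def initialize(config)
    @config = config
  end
end

# Same state, but #inspect is reduced to the class name.
class QuietApp < VerboseApp
  def inspect
    "#<#{self.class.name}>"
  end
end

SECRET = "constructed-secret-0123456789abcdef" # constructed sample value

def build(klass)
  klass.new(FakeConfig.new(FakeCredentials.new(SECRET)))
end

# Simulates a debug log line or error report that embeds the object.
def log_line(app)
  "unexpected state in #{app.inspect}"
end

def leaks_secret?(app)
  log_line(app).include?(SECRET)
end

if __FILE__ == $PROGRAM_NAME
  [VerboseApp, QuietApp].each do |klass|
    app = build(klass)
    puts "#{klass}: leaks=#{leaks_secret?(app)} length=#{log_line(app).length}"
  end
end
```

Overriding inspect only changes the printed representation; the secret is still held by the object and reachable through it.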

Remove body content from redirect responses
Modern browsers don't render the body content of redirects, so the bytes delivered for it are a small waste.

Saving attachments to a record with the attach method returns the blob or array of blobs that were attached to the record.

This allows a password challenge to be implemented with the same ease as a password confirmation, re-using the same error handling logic in the view, as well as the controller.

Generate Content Security Policy headers for non-HTML responses
The content security policy DSL would not generate headers for non-HTML responses, even if a configuration was explicitly provided. However, Mozilla Observatory, for example, recommends adding the header to API responses as well.

Now it's possible to write video_tag(user.video_file) instead of video_tag(polymorphic_path(user.video_file)).

This allows applications to specify the maximum number of records that will be destroyed in a single background job by the dependent: :destroy_async association option. If the number of dependent records is greater than this configuration, the records will be destroyed in multiple background jobs.

Auto-create user and grant privileges when creating mysql databases
Creating the database user and granting privileges every time you need to set up Rails locally on a new computer can be tedious. This change adds it to the MySQL build rake task, using the root user with no password.

Since last time, 36 people contributed to Rails. As usual, there are too many changes to cover them all, but you can check out all of them here. Until next time!