This Week in Edge Rails

March 21, 2009 – March 27, 2009

It’s been a quiet week for Rails on the surface: just half a dozen commits over the course of the week. Behind the scenes, though, the work is going on to merge initial Rails 3.0 work into the master branch of the git repository. We’ll have more news on that as it happens.


Meanwhile, a few small issues in the 2.3 release have been cleared up in edge:

  • Tests with multiple POST requests in the same test block now properly handle parameters. commit
  • render :file with absolute paths now works on Windows systems. commit
  • Template extension parsing is now more robust (if you’ve been having problems with files like show.erb.orig, this one is for you). commit

Just a reminder, if you’re having any issues with Rails 2.3, we’d love to know about them – and we’d love it even more if you’d supply a failing test or a patch. Check out the details in the Contributing to Rails guide.

This Week in Edge Rails

March 14, 2009 – March 20, 2009

The big news in Rails this week, of course, was the release of Rails 2.3. But that certainly doesn’t mean the Rails edge story is over! To the contrary, we’re embarking on one of the more ambitious and exciting Rails projects of all: the creation of Rails 3.0. Read on to see where things stand.

Final 2.3 Changes

A few things went in to Rails 2.3 in the days leading up to release. These include:

  • DDL transactions for SQLite databases commit
  • Compatibility between render :file and Pathname commit
  • ActionController class naming conventions for Metal commit


Shortly after the release of Rails 2.3, which was version 2.3.2, it became necessary to make a Rails tag. This is because the tagged 2.3.2 version in the Rails repository is actually missing an important fix (the installable gem version of Rails has the fix). The net result is that rake rails:freeze:edge RELEASE=2.3.2 would freeze a bad version of Rails into your application.

To fix this, the Rails team has re-tagged the master tree at a safer spot, after the critical fix. This new tag is for release So if you’re freezing Rails 2.3 into your applications (as opposed to running it from gems) be sure to use rake rails:freeze:edge RELEASE= That .1 makes all the difference.

The Road to Rails 3.0

Now that 2.3 is out, what’s next? Rails 3.0, which has been a distant speck on the horizon for a while, is rapidly getting closer. The Rails core team is discussing exactly how to proceed, but the bottom line is that you are shortly going to see a lot of changes on edge Rails, as work that’s been going on in various forks gets merged back into the master branch. You’ll want to be cautious about using edge on existing applications. In particular, changes to the Rails internals may result in many plugins needing to be rewritten. Rails edge will continue to be the cutting-edge solution, but you’ll need to keep up with the changes and be prepared to work with them if you choose to run on edge.

But this doesn’t mean that Rails 2 is frozen in time either. There’s a new 2-3-stable branch in the Rails repository which will host any maintenance releases to the current release version. There will continue to be some work on making sure the 2.x releases of Rails work well, though the center of gravity of Rails framework development will shift quickly to Rails 3.0.

So stay tuned. We’ll continue to keep you posted with Rails 3.0 developments as they happen: the process will continue, as always, to be transparent and to welcome ideas and feedback.

Get Paid to Work on Rails

Last year, as you may recall, Rails got thread safety and a new core committer thanks to our participation in the Google Summer of Code program under the auspices of Ruby Central. This year, we’re pleased to announce, Ruby on Rails has been accepted into Google Summer of Code as a sponsoring organization in its own right.

What does this mean to you? Potentially, if you’re the right person, you can get paid to work on the Rails core code this summer!

The “right person” in this case is one who is at least 18 years old (sorry, Google’s rule, not ours!), a full- or part-time college student, and passionate about improving Rails. We’re building a potential list of project ideas on the Rails wiki, but we welcome other interesting proposals. We’re especially interested in work that meshes well with the plans for Rails 3.0, which will be in full swing by the time GSoC launches. If your proposal gets accepted, Google will pay you $4500 over the course of three months to work on the code.

If you’re interested, head over to the GSoC site and start reading about the process. Student applications can be submitted starting March 23.

What if you’re not a student? You can still help out by brainstorming ideas on the Rails wiki. Or if you’re a Rails guru and ready to make a strong commitment to help out the next generation of developers, you can apply to be a mentor.

We’re looking forward to working with this year’s students, and expecting some outstanding contributions to Rails as a result!

Rails 2.3: Templates, Engines, Rack, Metal, much more!

Rails 2.3 is finally done and out the door. This is one of the most substantial upgrades to Rails in a very long time. A brief rundown of the top hitters:

  • Templates: Allows your new skeleton Rails application to be built your way with your default stack of gems, configs, and more.
  • Engines: Share reusable application pieces complete with routes that Just Work, models, view paths, and the works.
  • Rack: Rails now runs on Rack which gives you access to all the middleware goodness.
  • Metal: Write super fast pieces of optimized logic that routes around Action Controller.
  • Nested forms: Deal with complex forms so much easier.

And that’s just the tip of the iceberg. We’ve put together a complete guide for the Rails 2.3 release notes with much more information. Be sure to checkout the section on what was deprecated when you’re ready to upgrade your application.

You install 2.3 with (the final version is marked 2.3.2):

gem install rails

If you’re running on Passenger, be sure to upgrade to 2.1.2 as well. Rails 2.3 doesn’t run on older versions of Passenger!

We hope you’ll love it.

This Week in Edge Rails

March 6, 2009 – March 13, 2009

Things have been pretty busy on the development side since the release of Rails 2.3 RC2. The core team has been making a serious effort to review all of the open bugs and patches with an eye towards getting us a solid release. At this point, the bar for new features is set fairly high, but even so, there have been an incredible 94 commits in the week since RC2 – mostly fixes to ensure expected behavior and stability. Here are some of the highlights.

Swappable Parsers for XMLmini

The support for XML parsing in ActiveSupport has been made more flexible by allowing you to swap in different parsers. By default, it uses the standard REXML implementation, but you can easily specify the faster LibXML or Nokogiri implementations for your own applications, provided you have the appropriate gems installed:

XmlMini.backend = 'LibXML'
XmlMini.backend = 'Nokogiri'

commit commit

rake gem Task Rewrite

The internals of the various rake gem tasks have been substantially revised, to make the system work better for a variety of cases. The gem system now knows the difference between development and runtime dependencies, has a more robust unpacking system, gives better information when querying for the status of gems, and is less prone to “chicken and egg” dependency issues when you’re bringing things up from scratch. There are also fixes for using gem commands under JRuby and for dependencies that try to bring in external copies of gems that are already vendored.

commit commit commit

Routing Fixes

A couple of small fixes to the routing engine. First, member routes with requirements now work (previously the requirements were ignored):

map.resources :orders, 
  :requirements => { :id => %r([^/;,?]+) }, 
  :member => { :accept => :get }


Also, shallow routes now work properly with namespaces (commit) and you can now use the OPTIONS verb in route conditions (commit).

Client-side Caching Improvements

The expires_in, stale, and fresh_when methods now accept a :public option to make them work well with proxy caching.

expires_in 10.minutes, :public => true
fresh_when :last_modified => @user.updated_at.utc, 
  :public => true
fresh_when :etag => @user, :public => true


Odds and Ends

The String#parameterize method now accepts an optional separator character.

"My big duck".parameterize =>      "my-big-duck"
"My big duck".parameterize('_') => "my_big_duck"


The ActiveRecord::Base#invalid? method now works as the opposite of ActiveRecord::Base#valid?. (commit)

The ActiveSupport::Json.decode method now handles \u0000 style escape sequences. (commit)

You can now set content types such as multipart/mixed in Action Mailer. (commit)

Rails 2.3 will ship with a bundled version of Rack, but if you have Rack 1.0 installed as a gem it will use the gem version instead. (commit)

Update on Rails Guides and Documentation

We have been working on the Rails guides for some months now. With substantial contributions from a variety of authors, things are looking even better in the next version of the guides. That makes this the right time to take the overall documentation efforts to the next level.

Announcing the Documentation Team
We’re very happy to announce a formal documentation team – consisting of Xavier Noria, Mike Gunderloy and myself. However, eventually Mike and I will be just acting as advisors to the documentation team. So we’re definitely looking to empower some new faces here. If you’ve been working on improving the documentation and guides, keep up the good work and you’ll be on the team soon enough!

The documentation team will be to responsible for keeping the guides and API documentation up-to-date, working to improve the Rails documentation, and also helping more people contribute to the documentation efforts.

Documentation Mailing List and IRC
As part of the renewed documentation effort, we’re launching a mailing list. So go ahead and subscribe to rubyonrails-docs. The mailing list will be the main point of communication with the documentation team. If you have any suggestions or need any help, please post it to the mailing list. For quick questions, you can also find some of the team in the #docrails room on IRC most hours of the day.

How to Contribute
If you’re new to the Rails documentation process (or want to get involved for the first time!), you might want to have a look at the Contributing to the Rails Documentation section of the Contributing to Rails guide.

Rails Magazine #1 is Out

One of the measures of the health of a development platform is its ability to support a vibrant ecosystem of users, contributors, speakers, and authors. By this measure, Rails remains in excellent shape. The latest evidence: the release of the first issue of Rails Magazine – 36 pages of full-color glossy print.

The first issue includes 9 articles covering everything from delegation in Ruby to using Saasy for subscription-based applications to performance analysis and getting started with JRuby. The full content will be available on the web shortly, but if you’d like to support this effort (and help ensure that it doesn’t go away) you can order a paper copy for $8 in the US, UK, or Canada.

Rails 2.3 RC2: Final stop before release

The past month has seen a flurry of activity getting Rails 2.3 solid. We think we’ve ironed out all the major kinks now, but just to be sure, we’re running one last release candidate before it heads off to the presses. So please take some time to test out this release candidate. If we don’t get any reports of major blockers, we’re going to call this final within a week or two.

We’ve put together a complete guide for the Rails 2.3 release notes with all the information on what’s new, what’s changed, and what’s deprecated.

You can install the release candidate with:

gem install rails --source

XSS and CSRF Vulnerabilities in the in_place_editing plugin

We have been advised of several vulnerabilities in the in_place_editing plugin which was created prior to the 2.0.0 release of Ruby on Rails.

  • The actions generated by in_place_edit_for perform no verification of the request method, allowing a hostile website to bypass built in CSRF protection.
  • The the input controls generated by in_place_editor_field perform no output sanitization, leaving the application vulnerable to XSS attacks.

Users of all versions of the plugin are advised to update to the latest version contained in our git repository at:


For users who are unable to use git, we have provided a zip file containing the patched code. The patch containing the fix is available also.

Users of all versions of Rails prior to 2.0 are advised to stop using the in_place_editing functionality, or manually apply those changes to their version of Rails. If these changes are backported, this post will be updated to include a patch for the relevant versions of rails.

Thanks to Pawel Stradomski of Code Sprinters for reporting this bug to us and working so patiently with us to get it resolved.

This Week in Edge Rails

February 14, 2009 – February 27, 2009

The sharp-eyed will notice that This Week covers two weeks this week. As Rails 2.3 approaches release, the core team is getting pickier about what goes into the source code, and is concentrating on fixing bugs. You can expect to see Rails 2.3 RC2 very soon, and that may be the last release candidate. So if you haven’t tested your own applications on Rails 2.3 yet, it’s time to do so. The edge code is generally stable right now, so it’s a great time to take a look.

Batch Processing

You can now process large numbers of records from an ActiveRecord model with less pressure on memory by using find_in_batches:

Customer.find_in_batches(:conditions => {:active => true}) do |customer_group|
  customer_group.each { |customer| customer.update_account_balance! }

You can pass most of the find options into find_in_batches. However, you cannot specify the order that records will be returned in (they will always be returned in ascending order of primary key, which must be an integer), or use the :limit option. Instead, use the :batch_size option, which defaults to 1000, to set the number of records that will be returned in each batch.

The new each method provides a wrapper around find_in_batches that returns individual records, with the find itself being done in batches (of 1000 by default):

Customer.each do |customer|

Note that you should only use this method when you have enough records to justify batch processing: for small numbers of records (less than 1000), you should just use the regular find methods with your own loop.


A Note About Template Loading

After some extensive work by several authors (here’s the Lighthouse ticket), Rails 2.3 includes the ability to enable or disable cached templates for any particular environment. Cached templates give you a speed boost because they don’t check for a new template file when they’re rendered – but they also mean that you can’t replace a template “on the fly” without restarting the server.

In most cases, you’ll want template caching to be turned on in production, which you can do by making a setting in your production.rb file:

config.action_view.cache_template_loading = true

This line will be generated for you by default in a new Rails 2.3 application. But please note: if you’ve upgraded from an older version of Rails, you won’t have this setting in your production.rb and template caching will be off by default. Unless you really need the ability to update templates in production without restarting the server, you should be sure to add this setting when you upgrade.