Rails For All is doing a Rails conference under the banner of acts_as_conference in Florida from February 8th through 9th. They’re currently open for proposals and you can sign up already too. It’s $100 for the two days.
This release contains additional deprecation notices, security fixes and some minor performance improvements. All users of 1.2.3 are advised to upgrade.
If you intend to upgrade to 2.0 you should run your tests to and fix any errors that are displayed. The warnings will become errors with the release of 2.0.
If you’re using RESTful routing, pay special attention to the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators and some browsers and http libraries misbehaved.
Your old ;-based URLs will be continued to be recognized, though. They’re just no longer generated.
1.2.4 fixes several potential security issues:
- Session fixation attacks are mitigated by removing support for URL-based sessions
- Changed the JSON encoding algorithms to avoid otential XSS issues when using ActiveRecord::Base#to_json
- Potential Security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.
Upgrade with the standard gem install rails command. Rails 1.2.4 serves as a drop-in replacement for 1.2.3.
Update: please see the latest 1.2.5 stable release
Best Tech Videos is hosting a hand-held video of the keynote I gave at RailsConf EU. The majority of the talk was a live coding session, though, which is kinda hard to follow from the angle of this shot. But in case you don’t want to wait for the official O’Reilly copy, here’s something in the meanwhile.
Sitepoint is currently giving away free PDF copies of Patrick Lenz’s “Build Your Own Ruby on Rails Web Applications” book. Want a copy? Just head on over to http://rails.sitepoint.com and download it. This offer is only good for the next 60 days, so get while the gettin’ is good!
The extracted adapter gems are now available for install from the gems.rubyonrails.org server. Say you want the Oracle adapter installed, you just do gem install activerecord-oracle-adapter. All the extracted gems are:
The mysql, postgresql, and sqlite adapters are still included in Rails core.
These will be released to the standard Ruby repository alongside Rails 2.0 when that reaches final.
Now seems like a good time to thank the community which helped make our new release a reality. Rails 2.0 includes the work of more than 160 individuals who have contributed features through trac and our mailing list. Our user mailing list has 11002 subscribers all helping each other out. The development list has 1847 people helping improve the framework for all the users.
In particular we’d like to single out the following people who top the list of accepted patches
- Pratik Naik
- Josh Peek
- Norbert Crombach
- Chris Kampmeier
- Tarmo Tänav
- Jeremy McAnally
- Josh Susser
- Jamie van Dyke
- Ben Sandofsky
- Manfred Stienstra
- Jack Danger Canty
Our community is our greatest asset, and thanks to every single one of you who’s helped out throughout our history.
Behold, behold, Rails 2.0 is almost here. But before we can slap on the final stamp, we’re going to pass through a couple of trial release phases. The first is this preview release, which allows you to sample the goodies in their almost finished state.
We might change a few things or add something else, but by and large, this is how Rails 2.0 is going to look and feel. After this release have had a chance to be tried out, we’re going to move to a release candidate or two (or three, depending on how many we need). Then, the final release.
Before the release of 2.0, we’re also going to be putting out 1.2.4, which will include a variety of bug fixes and the last deprecation warnings to get you ready for upgrading an existing application to 2.0 standards.
Enough about process. Let me tell you a little bit about what’s new in Rails 2.0:
Action Pack: Resources
This is where the bulk of the action for 2.0 has gone. We’ve got a slew of improvements to the RESTful lifestyle. First, we’ve dropped the semicolon for custom methods instead of the regular slash. So
/people/1;edit is now
/people/1/edit. We’ve also added the namespace feature to routing resources that makes it really easy to confine things like admin interfaces:
Which will give you named routes like inventory_admin_products_url and admin_product_tags_url. To keep track of this named routes proliferation, we’ve added the “rake routes” task, which will list all the named routes created by routes.rb.
We’ve also instigated a new convention that all resource-based controllers will be plural by default. This allows a single resource to be mapped in multiple contexts and still refer to the same controller. Example:
# /avatars/45 => AvatarsController#show map.resources :avatars # /people/5/avatar => AvatarsController#show map.resources :people, :has_one => :avatar
Action Pack: Multiview
Alongside the improvements for resources come improvements for multiview. We already have #respond_to, but we’ve taken it a step further and made it dig into the templates. We’ve separated the format of the template from its rendering engine. So show.rhtml now becomes show.html.erb, which is the template that’ll be rendered by default for a show action that has declared format.html in its respond_to. And you can now have something like show.csv.erb, which targets text/csv, but also uses the default ERB renderer.
So the new format for templates is action.format.renderer. A few examples:
- show.erb: same show template for all formats
- index.atom.builder: uses the Builder format, previously known as rxml, to render an index action for the application/atom+xml mime type
- edit.iphone.haml: uses the custom HAML template engine (not included by default) to render an edit action for the custom Mime::IPHONE format
Speaking of the iPhone, we’ve made it easier to declare “fake” types that are only used for internal routing. Like when you want a special HTML interface just for an iPhone. All it takes is something like this:
# should go in config/initializers/mime_types.rb Mime.register_alias "text/html", :iphone class ApplicationController < ActionController::Base before_filter :adjust_format_for_iphone private def adjust_format_for_iphone if request.env["HTTP_USER_AGENT"] && request.env["HTTP_USER_AGENT"][/(iPhone|iPod)/] request.format = :iphone end end end class PostsController < ApplicationController def index respond_to do |format| format.html # renders index.html.erb format.iphone # renders index.iphone.erb end end end
You’re encouraged to declare your own mime-type aliases in the config/initializers/mime_types.rb file. This file is included by default in all new applications.
Action Pack: Record identification
Piggy-backing off the new drive for resources are a number of simplifications for controller and view methods that deal with URLs. We’ve added a number of conventions for turning model classes into resource routes on the fly. Examples:
# person is a Person object, which by convention will # be mapped to person_url for lookup redirect_to(person) link_to(person.name, person) form_for(person)
Action Pack: HTTP Loving
As you might have gathered, Action Pack in Rails 2.0 is all about getting closer with HTTP and all its glory. Resources, multiple representations, but there’s more. We’ve added a new module to work with HTTP Basic Authentication, which turns out to be a great way to do API authentication over SSL. It’s terribly simple to use. Here’s an example (there are more in ActionController::HttpAuthentication):
class PostsController < ApplicationController USER_NAME, PASSWORD = "dhh", "secret" before_filter :authenticate, :except => [ :index ] def index render :text => "Everyone can see me!" end def edit render :text => "I'm only accessible if you know the password" end private def authenticate authenticate_or_request_with_http_basic do |user_name, password| user_name == USER_NAME && password == PASSWORD end end end
Along the same lines, we’ve added the option to cheat browsers who don’t feel like pipelining requests on their own. If you set ActionController::Base.asset_host = “assets%d.example.com”, we’ll automatically distribute your asset calls (like image_tag) to asset1 through asset4. That allows the browser to open many more connections at a time and increases the perceived speed of your application.
Action Pack: Security
Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax requests, you can guard from having requests made from outside of your application. All this is turned on by default in new Rails 2.0 applications and you can very easily turn it on in your existing applications using ActionController::Base.protect_from_forgery (see ActionController::RequestForgeryProtection for more).
We’ve also made it easier to deal with XSS attacks while still allowing users to embed HTML in your pages. The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach. If you’re already using sanitize, you’ll automatically be granted better protection. You can tweak the tags that are allowed by default with sanitize as well. See TextHelper#sanitize for details.
Finally, we’ve added support for HTTP only cookies. They are not yet supported by all browsers, but you can use them where they are.
Action Pack: Exception handling
Lots of common exceptions would do better to be rescued at a shared level rather than per action. This has always been possible by overwriting rescue_action_in_public, but then you had to roll out your own case statement and call super. Bah. So now we have a class level macro called rescue_from, which you can use to declaratively point certain exceptions to a given action. Example:
class PostsController < ApplicationController rescue_from User::NotAuthorized, :with => :deny_access protected def deny_access ... end end
Action Pack: Miscellaneous
Also of note is AtomFeedHelper, which makes it even simpler to create Atom feeds using an enhanced Builder syntax. Simple example:
# index.atom.builder: atom_feed do |feed| feed.title("My great blog!") feed.updated((@posts.first.created_at)) for post in @posts feed.entry(post) do |entry| entry.title(post.title) entry.content(post.body, :type => 'html') entry.author do |author| author.name("DHH") end end end end
We’ve made a number of performance improvements, so asset tag calls are now much cheaper and we’re caching simple named routes, making them much faster too.
Finally, we’ve kicked out in_place_editor and autocomplete_for into plugins that live on the official Rails SVN.
Active Record: Performance
Active Record has seen a gazillion fixes and small tweaks, but it’s somewhat light on big new features. Something new that we have added, though, is a very simple Query Cache, which will recognize similar SQL calls from within the same request and return the cached result. This is especially nice for N+1 situations that might be hard to handle with :include or other mechanisms. We’ve also drastically improved the performance of fixtures, which makes most test suites based on normal fixture use be 50-100% faster.
Active Record: Sexy migrations
There’s a new alternative format for declaring migrations in a slightly more efficient format. Before you’d write:create_table :people do |t| t.column, “account_id”, :integer t.column, “first_name”, :string, :null => false t.column, “last_name”, :string, :null => false t.column, “description”, :text t.column, “created_at”, :datetime t.column, “updated_at”, :datetime end
Now you can write:create_table :people do |t| t.integer :account_id t.string :first_name, :last_name, :null => false t.text :description t.timestamps end
Active Record: XML in, JSON out
Active Record has supported serialization to XML for a while. In 2.0 we’ve added deserialization too, so you can say Person.new.from_xml(“
Active Record: Shedding some weight
To make Active Record a little leaner and meaner, we’ve removed the acts_as_XYZ features and put them into individual plugins on the Rails SVN repository. So say you’re using acts_as_list, you just need to do ./script/plugin install acts_as_list and everything will move along like nothing ever happened.
A little more drastic, we’ve also pushed all the commercial database adapters into their own gems. So Rails now only ships with adapters for MySQL, SQLite, and PostgreSQL. These are the databases that we have easy and willing access to test on. But that doesn’t mean the commercial databases are left out in the cold. Rather, they’ve now been set free to have an independent release schedule from the main Rails distribution. And that’s probably a good thing as the commercial databases tend to require a lot more exceptions and hoop jumping on a regular basis to work well.
The commercial database adapters now live in gems that all follow the same naming convention: activerecord-XYZ-adapter. So if you gem install activerecord-oracle-adapter, you’ll instantly have Oracle available as an adapter choice in all the Rails applications on that machine. You won’t have to change a single line in your applications to take use of it.
That also means it’ll be easier for new database adapters to gain traction in the Rails world. As long as you package your adapter according to the published conventions, users just have to install the gem and they’re ready to roll.
Active Record: with_scope with a dash of syntactic vinegar
ActiveRecord::Base.with_scope has gone protected to discourage people from misusing it in controllers (especially in filters). Instead, it’s now encouraged that you only use it within the model itself. That’s what it was designed for and where it logically remains a good fit. But of course, this is all about encouraging and discouraging. If you’ve weighed the pros and the cons and still want to use with_scope outside of the model, you can always call it through .send(:with_scope).
ActionWebService out, ActiveResource in
It’ll probably come as no surprise that Rails has picked a side in the SOAP vs REST debate. Unless you absolutely have to use SOAP for integration purposes, we strongly discourage you from doing so. As a naturally extension of that, we’ve pulled ActionWebService from the default bundle. It’s only a gem install actionwebservice away, but it sends an important message none the less.
At the same time, we’ve pulled the new ActiveResource framework out of beta and into the default bundle. ActiveResource is like ActiveRecord, but for resources. It follows a similar API and is configured to Just Work with Rails applications using the resource-driven approach. For example, a vanilla scaffold will be accessible by ActiveResource.
There’s not all that much new in ActiveSupport. We’ve a host of new methods like Array#rand for getting a random element from an array, Hash#except to filter down a hash from undesired keys and lots of extensions for Date. We also made testing a little nicer with assert_difference. Short of that, it’s pretty much just fixes and tweaks.
This is a very modest update for Action Mailer. Besides a handful of bug fixes, we’ve added the option to register alternative template engines and assert_emails to the testing suite, which works like this:
- Assert number of emails delivered within a block:
assert_emails 1 do
post :signup, :name => ‘Jonathan’
Rails: The debugger is back
To tie it all together, we have a stream of improvements for Rails in general. My favorite amongst these is the return of the breakpoint in form of the debugger. It’s a real debugger too, not just an IRB dump. You can step back and forth, list your current position, and much more. It’s all coming from the gracious note of the ruby-debug gem. So you’ll have to install that for the new debugger to work.
To use the debugger, you just install the gem, put “debugger” somewhere in your application, and then start the server with —debugger or -u. When the code executes the debugger command, you’ll have it available straight in the terminal running the server. No need for script/breakpointer or anything else. You can use the debugger in your tests too.
Rails: Clean up your environment
Before Rails 2.0, config/environment.rb files every where would be clogged with all sorts of one-off configuration details. Now you can gather those elements in self-contained files and put them under config/initializers and they’ll automatically be loaded. New Rails 2.0 applications ship with two examples in form of inflections.rb (for your own pluralization rules) and mime_types.rb (for your own mime types). This should ensure that you need to keep nothing but the default in config/environment.rb.
Rails: Easier plugin order
Now that we’ve yanked out a fair amount of stuff from Rails and into plugins, you might well have other plugins that depend on this functionality. This can require that you load, say, acts_as_list before your own acts_as_extra_cool_list plugin in order for the latter to extend the former.
Before, this required that you named all your plugins in config.plugins. Major hassle when all you wanted to say was “I only care about acts_as_list being loaded before everything else”. Now you can do exactly that with config.plugins = [ :acts_as_list, :all ].
And hundreds upon hundreds of other improvements
What I’ve talked about above is but a tiny sliver of the full 2.0 package. We’ve got literally hundreds of bug fixes, tweaks, and feature enhancements crammed into Rails 2.0. All this coming off the work of tons of eager contributors working tirelessly to improve the framework in small, but important ways.
I encourage you to scourger the CHANGELOGs and learn more about all that changed.
So how do I upgrade?
If you want to move your application to Rails 2.0, you should first move it to Rails 1.2.3. That’ll include deprecation warnings for most everything we yanked out in 2.0. So if your application runs fine on 1.2.3 with no deprecation warnings, there’s a good chance that it’ll run straight up on 2.0. Of course, if you’re using, say, pagination, you’ll need to install the classic_pagination plugin. If you’re using Oracle, you’ll need to install the activerecord-oracle-adapter gem. And so on and so forth for all the extractions.
To install the preview release through gems, do:gem install rails —source http://gems.rubyonrails.org
To try it from an SVN tag, use:rake rails:freeze:edge TAG=rel_2-0-0_PR
We’ll also be putting out Rails 1.2.4 shortly which will include a few more deprecations to warn you in time for 2.0.
In any case, as I explained in the beginning, this is a preview release. Use it to get a feel for 2.0. See where your currently application might need tweaks. And try creating a new application from scratch to see the new defaults. In a few weeks we’ll get on with the release candidates.
Thanks to everyone who’ve been involved with the development of Rails 2.0. We’ve been working on this for more than six months and it’s great finally to be able to share it with a larger audience. Enjoy!
Jason Hoffman from Joyent had a great tutorial at RailsConf Europe on Scaling a Rails Application from the Bottom Up. It defines the key terms and measurements of scaling and explains why scaling in essence have nothing to do with Rails. It’s a great story to have in hand when the inevitable fudzy “But does it scale?” nonsense is thrown at you.
Now you can get all of Jason’s slides from the tutorial.
The QuarkRuby blog has created a great Ruby on Rails Security Guide that gives you a wealth of links to articles and plugins dealing with security in Rails applications. Everything fromn XSS to CSRF stuff is covered.