
Ruby on Rails official site security update (2021-06-15)

Source: Ruby on Rails official site  Published: 2021-06-15  Views: 9741  Comments: 0

Basic information

Release date: 2021-06-15 (vendor local time)

Update type: Security update

Updated version: v6.0.4

Detected at: 2021-06-16 10:38:46

Risk level: Unknown

Intelligence contributed by: TSRC

Update title

Security update

Update details

## Active Support

* Fixed issue in `ActiveSupport::Cache::RedisCacheStore` not passing options
to `read_multi` causing `fetch_multi` to not work properly.

*Rajesh Sharma*

* `with_options` copies its options hash again to avoid leaking mutations.

Fixes #39343.

*Eugene Kenny*



## Active Model

* No changes.



## Active Record

* Only warn about negative enums if a positive form that would cause conflicts exists.

Fixes #39065.

*Alex Ghiculescu*

* Allow the inverse of a `has_one` association that was previously autosaved to be loaded.

Fixes #34255.

*Steven Weber*

* Reset statement cache for association if `table_name` is changed.

Fixes #36453.

*Ryuta Kamizono*

* Type cast extra select for eager loading.

*Ryuta Kamizono*

* Prevent collection associations from being autosaved multiple times.

Fixes #39173.

*Eugene Kenny*

* Resolve issue with the `insert_all` `unique_by` option when used with an expression index.

When the `:unique_by` option of `ActiveRecord::Persistence.insert_all` and
`ActiveRecord::Persistence.upsert_all` was used with the name of an expression index, an error
was raised. Adding a guard around the formatting behavior for the `:unique_by` corrects this.

Usage:

```ruby
create_table :books, id: :integer, force: true do |t|
  t.column :name, :string
  t.index "lower(name)", unique: true
end

Book.insert_all [{ name: "MyTest" }], unique_by: :index_books_on_lower_name
```

Fixes #39516.

*Austen Madden*

* Fix preloading for polymorphic association with custom scope.

*Ryuta Kamizono*

* Allow relations with different SQL comments in the `or` method.

*Takumi Shotoku*

* Resolve conflict between counter cache and optimistic locking.

Bump an Active Record instance's lock version after updating its counter
cache. This avoids raising an unnecessary `ActiveRecord::StaleObjectError`
upon subsequent transactions by maintaining parity with the corresponding
database record's `lock_version` column.

Fixes #16449.

*Aaron Lipman*

* Fix through association with source/through scope which has joins.

*Ryuta Kamizono*

* Fix through association to respect source scope for includes/preload.

*Ryuta Kamizono*

* Fix eager load with Arel joins to maintain the original joins order.

*Ryuta Kamizono*

* Fix group by count with eager loading + order + limit/offset.

*Ryuta Kamizono*

* Fix left joins order when merging multiple left joins from different associations.

*Ryuta Kamizono*

* Fix index creation to preserve index comment in bulk change table on MySQL.

*Ryuta Kamizono*

* Change `remove_foreign_key` to not check `:validate` option if database
doesn't support the feature.

*Ryuta Kamizono*

* Fix the result of aggregations to maintain duplicated "group by" fields.

*Ryuta Kamizono*

* Do not return duplicated records when using preload.

*Bogdan Gusiev*



## Action View

* `SanitizeHelper.sanitized_allowed_attributes` and `SanitizeHelper.sanitized_allowed_tags`
now call the corresponding class methods on `safe_list_sanitizer`.

Fixes #39586.

*Taufiq Muhammadi*



## Action Pack

* Accept base64_urlsafe CSRF tokens for forward compatibility.

Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
them difficult to deal with. For example, the common practice of sending
the CSRF token to a browser in a client-readable cookie does not work properly
out of the box: the value has to be url-encoded and decoded to survive transport.

In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
safe to transport. Validation accepts both urlsafe tokens and strict-encoded
tokens for backwards compatibility.

In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.

```ruby
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
```

*Scott Blum*, *Étienne Barrié*
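As an added illustration of the transport problem this entry describes (example code, not Rails' own implementation): a constructed 32-byte token whose strict Base64 form contains `+` and `/`, the cookie-to-form round-trip that mangles it, and a validator that accepts both the urlsafe and the strict encoding. The token bytes and the helper names (`form_roundtrip`, `decode_csrf_token`, `valid_csrf_token?`) are constructed for this example.

```ruby
require "base64"
require "uri"

# Constructed token bytes (not a real token) chosen so that the strict Base64
# encoding contains both '+' and '/', the two characters that are not websafe.
RAW_TOKEN = ([0xFB, 0xFF] * 16).pack("C*")   # 32 bytes, like a Rails CSRF token

STRICT_TOKEN  = Base64.strict_encode64(RAW_TOKEN)    # "+//7//v/..." uses '+' and '/'
URLSAFE_TOKEN = Base64.urlsafe_encode64(RAW_TOKEN)   # "-__7__v_..." uses '-' and '_'

# Simulates the pattern from the changelog entry: the token is placed in a
# client-readable cookie and echoed back in a form body, which the server decodes
# as application/x-www-form-urlencoded. Without explicit url-encoding on the
# client, every '+' in a strict-encoded token becomes a space.
def form_roundtrip(token)
  URI.decode_www_form_component(token)
end

# Decode a token in either alphabet: map the urlsafe characters onto the strict
# ones, restore any stripped padding, then do a single strict decode. Anything
# that is not valid Base64 (a token mangled in transit, for example) yields nil.
def decode_csrf_token(encoded)
  normalized = encoded.tr("-_", "+/")
  normalized += "=" * ((4 - normalized.length % 4) % 4)
  Base64.strict_decode64(normalized)
rescue ArgumentError
  nil
end

# Constant-time byte comparison so the check does not leak the token via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept urlsafe tokens as well as strict ones, as the 6.0.4 validation does.
def valid_csrf_token?(presented, expected_raw)
  decoded = decode_csrf_token(presented)
  !decoded.nil? && secure_compare(decoded, expected_raw)
end

if __FILE__ == $PROGRAM_NAME
  puts "strict token survives form round-trip:  #{valid_csrf_token?(form_roundtrip(STRICT_TOKEN), RAW_TOKEN)}"
  puts "urlsafe token survives form round-trip: #{valid_csrf_token?(form_roundtrip(URLSAFE_TOKEN), RAW_TOKEN)}"
end
```

The validator also accepts unpadded urlsafe tokens, which is why the padding is restored before decoding.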

* Signed and encrypted cookies can now store `false` as their value when
`action_dispatch.use_cookies_with_metadata` is enabled.

*Rolandas Barysas*



## Active Job

* No changes.



## Action Mailer

* No changes.



## Action Cable

* No changes.



## Active Storage

* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print margins. This
matches the behavior of the MuPDF previewer.

*Vincent Robert*



## Action Mailbox

* No changes.



## Action Text

* No changes.



## Railties

* Allow relative paths with trailing slashes to be passed to `rails test`.

*Eugene Kenny*

* Return a 405 Method Not Allowed response when a request uses an unknown HTTP method.

Fixes #38998.

*Loren Norman*

Software description

Ruby on Rails is a framework that makes developing, deploying, and maintaining web applications simple.

CVE number

TSRC analysis

None yet

Industry news

None yet
