activerecord 5.2.2 → 5.2.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38bf52e024134bc78c1daa8bf44ee21d685adcc62ddc9ded7feae3111c08a8e7
-  data.tar.gz: 89f9dbe14887a77a660722bb1a09ffbde6b11a4ab600b9a724458ac369548f09
+  metadata.gz: f7fc834af19132b6ad9d70b3809c7a19ae4e83c133e8332681ccbf6d7fd1f48d
+  data.tar.gz: 6257ed9838f4a3cae375ad8834f849a3178f8c571b09b525b60118f350018920
 SHA512:
-  metadata.gz: f0a17e48f08ba5082caa787efabf99f58bf0738de05a53f0fc4979ed27285f42f4f28e9406089f74845573f43d7a78718d5323bce8826a48d7bb673a77717055
-  data.tar.gz: '03572796340d73d6e9b1cfa04c1d10d84a528615e76d9e0f700af85086d4dad11c58e21ca96b8c44bddd303dd090a25e68489391046e6cd0b8cc7565d2393da8'
+  metadata.gz: ac8563d07cd073721ec55daaefa751752efb9d10657cb8900d0416bf072be299001452b7d59f133a09810abf4bd080d8b9a89250e1741c00eff7a65d2f275ec3
+  data.tar.gz: '0868ed81dbdac5476819f3cf7002778b42cbe1683ee73168f48c90743d684616d10b303e2fc222670613d59493051e3eca87beaf09ad28652d81b377a4f81fbc'

data/CHANGELOG.md

@@ -1,3 +1,115 @@
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+*   Fix possible DoS vector in PostgreSQL money type
+
+    Carefully crafted input can cause a DoS via the regular expressions used
+    for validating the money format in the PostgreSQL adapter.  This patch
+    fixes the regexp.
+
+    Thanks to @dee-see from Hackerone for this patch!
+
+    [CVE-2021-22880]
+
+    *Aaron Patterson*
+
+
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.1 (December 18, 2019) ##
+
+*   No changes.
+
+
+## Rails 5.2.4 (November 27, 2019) ##
+
+*   Fix circular `autosave: true` causes invalid records to be saved.
+
+    Prior to the fix, when there was a circular series of `autosave: true`
+    associations, the callback for a `has_many` association was run while
+    another instance of the same callback on the same association hadn't
+    finished running. When control returned to the first instance of the
+    callback, the instance variable had changed, and subsequent associated
+    records weren't saved correctly. Specifically, the ID field for the
+    `belongs_to` corresponding to the `has_many` was `nil`.
+
+    Fixes #28080.
+
+    *Larry Reid*
+
+*   PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.
+
+    Fixes #36022.
+
+    *Ryuta Kamizono*
+
+*   Fix sqlite3 collation parsing when using decimal columns.
+
+    *Martin R. Schuster*
+
+*   Make ActiveRecord `ConnectionPool.connections` method thread-safe.
+
+    Fixes #36465.
+
+    *Jeff Doering*
+
+*   Assign all attributes before calling `build` to ensure the child record is visible in
+    `before_add` and `after_add` callbacks for `has_many :through` associations.
+
+    Fixes #33249.
+
+    *Ryan H. Kerr*
+
+
+## Rails 5.2.3 (March 27, 2019) ##
+
+*   Fix different `count` calculation when using `size` with manual `select` with DISTINCT.
+
+    Fixes #35214.
+
+    *Juani Villarejo*
+
+*   Fix prepared statements caching to be enabled even when query caching is enabled.
+
+    *Ryuta Kamizono*
+
+*   Don't allow `where` with invalid value matches to nil values.
+
+    Fixes #33624.
+
+    *Ryuta Kamizono*
+
+*   Restore an ability that class level `update` without giving ids.
+
+    Fixes #34743.
+
+    *Ryuta Kamizono*
+
+*   Fix join table column quoting with SQLite.
+
+    *Gannon McGibbon*
+
+*   Ensure that `delete_all` on collection proxy returns affected count.
+
+    *Ryuta Kamizono*
+
+*   Reset scope after delete on collection association to clear stale offsets of removed records.
+
+    *Gannon McGibbon*
+
+
+## Rails 5.2.2.1 (March 11, 2019) ##
+
+*   No changes.
+
+
 ## Rails 5.2.2 (December 04, 2018) ##
 
 *   Do not ignore the scoping with query methods in the scope block.

data/lib/active_record/associations/builder/collection_association.rb

@@ -20,10 +20,10 @@ module ActiveRecord::Associations::Builder # :nodoc:
       }
     end
 
-    def self.define_extensions(model, name)
+    def self.define_extensions(model, name, &block)
       if block_given?
         extension_module_name = "#{model.name.demodulize}#{name.to_s.camelize}AssociationExtension"
-        extension = Module.new(&Proc.new)
+        extension = Module.new(&block)
         model.parent.const_set(extension_module_name, extension)
       end
     end

data/lib/active_record/associations/collection_association.rb

@@ -109,9 +109,8 @@ module ActiveRecord
         end
       end
 
-      # Add +records+ to this association. Returns +self+ so method calls may
-      # be chained. Since << flattens its argument list and inserts each record,
-      # +push+ and +concat+ behave identically.
+      # Add +records+ to this association. Since +<<+ flattens its argument list
+      # and inserts each record, +push+ and +concat+ behave identically.
       def concat(*records)
         records = records.flatten
         if owner.new_record?
@@ -362,7 +361,6 @@ module ActiveRecord
               add_to_target(record) do
                 result = insert_record(record, true, raise) {
                   @_was_loaded = loaded?
-                  @association_ids = nil
                 }
               end
               raise ActiveRecord::Rollback unless result
@@ -399,6 +397,7 @@ module ActiveRecord
 
           delete_records(existing_records, method) if existing_records.any?
           records.each { |record| target.delete(record) }
+          @association_ids = nil
 
           records.each { |record| callback(:after_remove, record) }
         end
@@ -439,7 +438,6 @@ module ActiveRecord
               unless owner.new_record?
                 result &&= insert_record(record, true, raise) {
                   @_was_loaded = loaded?
-                  @association_ids = nil
                 }
               end
             end
@@ -462,6 +460,7 @@ module ActiveRecord
           if index
             target[index] = record
           elsif @_was_loaded || !loaded?
+            @association_ids = nil
             target << record
           end
 

data/lib/active_record/associations/collection_proxy.rb

@@ -366,34 +366,6 @@ module ActiveRecord
         @association.create!(attributes, &block)
       end
 
-      # Add one or more records to the collection by setting their foreign keys
-      # to the association's primary key. Since #<< flattens its argument list and
-      # inserts each record, +push+ and #concat behave identically. Returns +self+
-      # so method calls may be chained.
-      #
-      #   class Person < ActiveRecord::Base
-      #     has_many :pets
-      #   end
-      #
-      #   person.pets.size # => 0
-      #   person.pets.concat(Pet.new(name: 'Fancy-Fancy'))
-      #   person.pets.concat(Pet.new(name: 'Spook'), Pet.new(name: 'Choo-Choo'))
-      #   person.pets.size # => 3
-      #
-      #   person.id # => 1
-      #   person.pets
-      #   # => [
-      #   #       #<Pet id: 1, name: "Fancy-Fancy", person_id: 1>,
-      #   #       #<Pet id: 2, name: "Spook", person_id: 1>,
-      #   #       #<Pet id: 3, name: "Choo-Choo", person_id: 1>
-      #   #    ]
-      #
-      #   person.pets.concat([Pet.new(name: 'Brain'), Pet.new(name: 'Benny')])
-      #   person.pets.size # => 5
-      def concat(*records)
-        @association.concat(*records)
-      end
-
       # Replaces this collection with +other_array+. This will perform a diff
       # and delete/add only records that have changed.
       #
@@ -500,7 +472,7 @@ module ActiveRecord
       #   Pet.find(1, 2, 3)
       #   # => ActiveRecord::RecordNotFound: Couldn't find all Pets with 'id': (1, 2, 3)
       def delete_all(dependent = nil)
-        @association.delete_all(dependent)
+        @association.delete_all(dependent).tap { reset_scope }
       end
 
       # Deletes the records of the collection directly from the database
@@ -527,7 +499,7 @@ module ActiveRecord
       #
       #   Pet.find(1) # => Couldn't find Pet with id=1
       def destroy_all
-        @association.destroy_all
+        @association.destroy_all.tap { reset_scope }
       end
 
       # Deletes the +records+ supplied from the collection according to the strategy
@@ -646,7 +618,7 @@ module ActiveRecord
       #   #       #<Pet id: 3, name: "Choo-Choo", person_id: 1>
       #   #    ]
       def delete(*records)
-        @association.delete(*records)
+        @association.delete(*records).tap { reset_scope }
       end
 
       # Destroys the +records+ supplied and removes them from the collection.
@@ -718,7 +690,7 @@ module ActiveRecord
       #
       #   Pet.find(4, 5, 6) # => ActiveRecord::RecordNotFound: Couldn't find all Pets with 'id': (4, 5, 6)
       def destroy(*records)
-        @association.destroy(*records)
+        @association.destroy(*records).tap { reset_scope }
       end
 
       ##
@@ -1033,8 +1005,9 @@ module ActiveRecord
       end
 
       # Adds one or more +records+ to the collection by setting their foreign keys
-      # to the association's primary key. Returns +self+, so several appends may be
-      # chained together.
+      # to the association's primary key. Since +<<+ flattens its argument list and
+      # inserts each record, +push+ and +concat+ behave identically. Returns +self+
+      # so several appends may be chained together.
       #
       #   class Person < ActiveRecord::Base
       #     has_many :pets
@@ -1057,6 +1030,7 @@ module ActiveRecord
       end
       alias_method :push, :<<
       alias_method :append, :<<
+      alias_method :concat, :<<
 
       def prepend(*args)
         raise NoMethodError, "prepend on association is not defined. Please use <<, push or append"

data/lib/active_record/associations/has_many_association.rb

@@ -99,6 +99,7 @@ module ActiveRecord
         def delete_or_nullify_all_records(method)
           count = delete_count(method, scope)
           update_counter(-count)
+          count
         end
 
         # Deletes the records according to the <tt>:dependent</tt> option.

data/lib/active_record/associations/has_many_through_association.rb

@@ -57,21 +57,14 @@ module ActiveRecord
           @through_records[record.object_id] ||= begin
             ensure_mutable
 
-            through_record = through_association.build(*options_for_through_record)
-            through_record.send("#{source_reflection.name}=", record)
+            attributes = through_scope_attributes
+            attributes[source_reflection.name] = record
+            attributes[source_reflection.foreign_type] = options[:source_type] if options[:source_type]
 
-            if options[:source_type]
-              through_record.send("#{source_reflection.foreign_type}=", options[:source_type])
-            end
-
-            through_record
+            through_association.build(attributes)
           end
         end
 
-        def options_for_through_record
-          [through_scope_attributes]
-        end
-
         def through_scope_attributes
           scope.where_values_hash(through_association.reflection.name.to_s).
             except!(through_association.reflection.foreign_key,
@@ -161,6 +154,8 @@ module ActiveRecord
           else
             update_counter(-count)
           end
+
+          count
         end
 
         def difference(a, b)

data/lib/active_record/associations/join_dependency/join_association.rb

@@ -30,17 +30,21 @@ module ActiveRecord
             table = tables[-i]
             klass = reflection.klass
 
-            constraint = reflection.build_join_constraint(table, foreign_table)
+            join_scope = reflection.join_scope(table, foreign_table, foreign_klass)
 
-            joins << table.create_join(table, table.create_on(constraint), join_type)
-
-            join_scope = reflection.join_scope(table, foreign_klass)
             arel = join_scope.arel(alias_tracker.aliases)
+            nodes = arel.constraints.first
+
+            others, children = nodes.children.partition do |node|
+              !fetch_arel_attribute(node) { |attr| attr.relation.name == table.name }
+            end
+            nodes = table.create_and(children)
 
-            if arel.constraints.any?
+            joins << table.create_join(table, table.create_on(nodes), join_type)
+
+            unless others.empty?
               joins.concat arel.join_sources
-              right = joins.last.right
-              right.expr = right.expr.and(arel.constraints)
+              append_constraints(joins.last, others)
             end
 
             # The current table in this iteration becomes the foreign table in the next
@@ -54,6 +58,23 @@ module ActiveRecord
           @tables = tables
           @table  = tables.first
         end
+
+        private
+          def fetch_arel_attribute(value)
+            case value
+            when Arel::Nodes::Between, Arel::Nodes::In, Arel::Nodes::NotIn, Arel::Nodes::Equality, Arel::Nodes::NotEqual, Arel::Nodes::LessThan, Arel::Nodes::LessThanOrEqual, Arel::Nodes::GreaterThan, Arel::Nodes::GreaterThanOrEqual
+              yield value.left.is_a?(Arel::Attributes::Attribute) ? value.left : value.right
+            end
+          end
+
+          def append_constraints(join, constraints)
+            if join.is_a?(Arel::Nodes::StringJoin)
+              join_string = table.create_and(constraints.unshift(join.left))
+              join.left = Arel.sql(base_klass.connection.visitor.compile(join_string))
+            else
+              join.right.expr.children.concat(constraints)
+            end
+          end
       end
     end
   end

data/lib/active_record/associations/preloader.rb

@@ -177,7 +177,7 @@ module ActiveRecord
         # and attach it to a relation. The class returned implements a `run` method
         # that accepts a preloader.
         def preloader_for(reflection, owners)
-          if owners.first.association(reflection.name).loaded?
+          if owners.all? { |o| o.association(reflection.name).loaded? }
             return AlreadyLoaded
           end
           reflection.check_preloadable!

data/lib/active_record/autosave_association.rb

@@ -272,7 +272,7 @@ module ActiveRecord
       # or saved. If +autosave+ is +false+ only new records will be returned,
       # unless the parent is/was a new record itself.
       def associated_records_to_validate_or_save(association, new_record, autosave)
-        if new_record
+        if new_record || custom_validation_context?
           association && association.target
         elsif autosave
           association.target.find_all(&:changed_for_autosave?)
@@ -304,7 +304,7 @@ module ActiveRecord
       def validate_single_association(reflection)
         association = association_instance_get(reflection.name)
         record      = association && association.reader
-        association_valid?(reflection, record) if record
+        association_valid?(reflection, record) if record && (record.changed_for_autosave? || custom_validation_context?)
       end
 
       # Validate the associated records if <tt>:validate</tt> or
@@ -324,7 +324,7 @@ module ActiveRecord
       def association_valid?(reflection, record, index = nil)
         return true if record.destroyed? || (reflection.options[:autosave] && record.marked_for_destruction?)
 
-        context = validation_context unless [:create, :update].include?(validation_context)
+        context = validation_context if custom_validation_context?
 
         unless valid = record.valid?(context)
           if reflection.options[:autosave]
@@ -382,10 +382,14 @@ module ActiveRecord
         if association = association_instance_get(reflection.name)
           autosave = reflection.options[:autosave]
 
+          # By saving the instance variable in a local variable,
+          # we make the whole callback re-entrant.
+          new_record_before_save = @new_record_before_save
+
           # reconstruct the scope now that we know the owner's id
           association.reset_scope
 
-          if records = associated_records_to_validate_or_save(association, @new_record_before_save, autosave)
+          if records = associated_records_to_validate_or_save(association, new_record_before_save, autosave)
             if autosave
               records_to_destroy = records.select(&:marked_for_destruction?)
               records_to_destroy.each { |record| association.destroy(record) }
@@ -397,7 +401,7 @@ module ActiveRecord
 
               saved = true
 
-              if autosave != false && (@new_record_before_save || record.new_record?)
+              if autosave != false && (new_record_before_save || record.new_record?)
                 if autosave
                   saved = association.insert_record(record, false)
                 elsif !reflection.nested?
@@ -457,10 +461,16 @@ module ActiveRecord
       # If the record is new or it has changed, returns true.
       def record_changed?(reflection, record, key)
         record.new_record? ||
-          (record.has_attribute?(reflection.foreign_key) && record[reflection.foreign_key] != key) ||
+          association_foreign_key_changed?(reflection, record, key) ||
           record.will_save_change_to_attribute?(reflection.foreign_key)
       end
 
+      def association_foreign_key_changed?(reflection, record, key)
+        return false if reflection.through_reflection?
+
+        record.has_attribute?(reflection.foreign_key) && record[reflection.foreign_key] != key
+      end
+
       # Saves the associated record if it's new or <tt>:autosave</tt> is enabled.
       #
       # In addition, it will destroy the association if it was marked for destruction.
@@ -489,6 +499,10 @@ module ActiveRecord
         end
       end
 
+      def custom_validation_context?
+        validation_context && [:create, :update].exclude?(validation_context)
+      end
+
       def _ensure_no_duplicate_errors
         errors.messages.each_key do |attribute|
           errors[attribute].uniq!