Rails 3.2.3.rc1 was released!

Rails 3.2.3.rc1 has been released.


This release changes the default value of
config.active_record.whitelist_attributes to true. This change only
affects newly generated applications so it should not cause any
backwards compatibility issues for users who are upgrading but it may
affect some tutorials and introductory material. For more information
see the mass assignment section of the ruby on rails security

We’ve also adjusted the dependencies on rack-cache and mail to address
the recent security vulnerabilities with those libraries. If you are
running a vulnerable version of mail or rack-cache you should update
both gems to a safe version. We also fixed a couple of regressions in
the render method.

If there are no release blockers, then I will be releasing the final
version on March 29th.
If you find something please open an issue on github and let me know
through email (santiago at wyeworks.com), tweet
(spastorino) or cc me on the github

CHANGES since 3.2.2


  • Upgrade mail version to 2.4.3 ML


  • Do not include the authenticity token in forms where remote: true
    as ajax forms use the meta-tag value DHH

  • Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
    check that info. Closes #5245. Santiago Pastorino

  • Fix #5238, rendered_format is not set when template is not
    rendered. Piotr Sarnacki

  • Upgrade rack-cache to 1.2. Jos Valim

  • ActionController::SessionManagement is deprecated. Santiago

  • Since the router holds references to many parts of the system like
    engines, controllers and the application itself, inspecting the route
    set can actually be really slow, therefore we default alias inspect to
    to_s. Jos Valim

  • Add a new line after the textarea opening tag. Closes #393

  • Always pass a respond block from to responder. We should let the
    responder to decide what to do with the given overridden response
    block, and not short circuit it. sikachu

  • Fixes layout rendering regression from 3.2.2. Jos Valim


  • No changes


  • Added find_or_create_by_{attribute}! dynamic method. Andrew White

  • Whitelist all attribute assignment by default. Change the default
    for newly generated applications to whitelist all attribute
    assignment. Also update the generated model classes so users are
    reminded of the importance of attr_accessible. NZKoz

  • Update ActiveRecord::AttributeMethods#attribute_present? to return
    false for empty strings. Jacobkg

  • Fix associations when using per class databases. larskanis

  • Revert setting NOT NULL constraints in add_timestamps fxn

  • Fix mysql to use proper text types. Fixes #3931. kennyj

  • Fix #5069 - Protect foreign key from mass assignment through
    association builder. byroot


  • No changes


  • No changes


  • No changes


  • SHA-1 (actionmailer-3.2.3.rc1.gem) =
  • SHA-1 (actionpack-3.2.3.rc1.gem) =
  • SHA-1 (activemodel-3.2.3.rc1.gem) =
  • SHA-1 (activerecord-3.2.3.rc1.gem) =
  • SHA-1 (activeresource-3.2.3.rc1.gem) =
  • SHA-1 (activesupport-3.2.3.rc1.gem) =
  • SHA-1 (rails-3.2.3.rc1.gem) = b1dec2b8c59c78111479e3dc36c106e54fe11f1a
  • SHA-1 (railties-3.2.3.rc1.gem) =

You can find an exhaustive list of changes on

Thanks to everyone, this is your last chance to hold the release if
something goes wrong. So please, give this release a try :).

Santiago Pastorino
WyeWorks Co-founder

Twitter: http://twitter.com/spastorino
Github: spastorino (Santiago Pastorino) · GitHub

Just a minor fix, I will release the final version on March 30th

On Tue, Mar 27, 2012 at 2:17 PM, Santiago Pastorino

Hi Santiago,

On Tue, Mar 27, 2012 at 12:16 PM, Santiago Pastorino
[email protected] wrote:

Rails 3.2.3.rc1 has been released.


  • Do not include the authenticity token in forms where remote: true
    as ajax forms use the meta-tag value DHH

Could you please point me to more on this?


That seems like it breaks any kind of progressive AJAX enhancement,
since a
remote submit form, submitted normally, will now fail CSRF protection.


was merged an rc2 is coming soon.