This is a re-post of a message I just sent to the Columbus Ruby Brigade mailing list.
According to
changeset 6124 it looks like Rails 1.2.2 will be out soon. I'm not sure if this is
the primary reason for it, but currently in ActiveRecord a "hacker"
can change any of these class attributes through instance writers:
- logger
- configurations
- primary_key_prefix_type
- table_name_prefix
- table_name_suffix
- pluralize_table_names
- colorize_logging
- default_timezone
- allow_concurrency
- generate_read_methods
- schema_format
- verification_timeout
- lock_optimistically
- record_timestamps
It may seem really significant, but most of these values are cached and
stay cached unless the ActiveRecord database connection gets reset. The
problem in 1.2.1 is that an instance writer is created for every one of
these class attributes, so this:
User.new(:record_timestamps => false) will stop created_at /
updated_at from being set. Since most apps create/update models by
User.new(params[:user]) or User.update_attributes(params[:user]), this
can easily happen with user-supplied parameters.
Even though you will see it soon in other RSS feeds and blogs, be
ready to upgrade to 1.2.2 so nobody can mess with your table names or
timestamps. :-)
This also brings up a good security tip: you can use attr_accessible
and attr_protected to control which attributes can be updated through
mass assignment. Take a look at both methods in the Rails
documentation.
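As an added example, not code from the original post or from Rails, here is a toy reproduction of the two points above: a class attribute whose instance writer is reachable through mass assignment from a params hash, the 1.2.2-style fix of simply not generating that instance writer, and an attr_accessible-style allowlist placed in front of the vulnerable model (attr_accessible lists the attributes that may be mass-assigned, attr_protected lists the ones that may not, so a newly added attribute is covered by the first and forgotten by the second). The module and class names, the instance_writer flag and the params hash are all constructed for this example.

```ruby
# Added example (hypothetical class names, not Rails' own code): toy reproduction of the 1.2.1 problem.
module MassAssign  # mass assignment as User.new(params[:user]) does it: each key becomes a setter call
  def initialize(attrs = {})
    attrs.each { |k, v| send("#{k}=", v) if respond_to?("#{k}=") }
  end
end

# Minimal cattr_accessor: class-level storage plus, optionally, an instance writer
# that forwards to the class; that writer is what mass assignment could reach in 1.2.1.
module ClassAttribute
  def cattr_accessor(name, instance_writer: true)
    define_singleton_method(name) { class_variable_get("@@#{name}") }
    define_singleton_method("#{name}=") { |v| class_variable_set("@@#{name}", v) }
    define_method(name) { self.class.send(name) }
    define_method("#{name}=") { |v| self.class.send("#{name}=", v) } if instance_writer
  end
end

class User # 1.2.1 shape: the instance writer is exposed
  extend ClassAttribute; include MassAssign
  cattr_accessor :record_timestamps
  self.record_timestamps = true
  attr_accessor :name
end

class FixedUser # 1.2.2 shape: no instance writer, so the key is simply not settable
  extend ClassAttribute; include MassAssign
  cattr_accessor :record_timestamps, instance_writer: false
  self.record_timestamps = true
  attr_accessor :name
end

class SafeUser < User # attr_accessible-style allowlist in front of the 1.2.1 model
  ACCESSIBLE = %w[name].freeze
  def initialize(attrs = {})
    super(attrs.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end
end

# Constructed request params: a user-supplied key aimed at the class attribute.
PARAMS = { 'name' => 'alice', 'record_timestamps' => false }.freeze

# Returns [class setting after mass assignment, the record's name].
def outcome(klass)
  klass.record_timestamps = true
  rec = klass.new(PARAMS)
  [klass.record_timestamps, rec.name]
end
outcome(User)      # => [false, "alice"]: timestamps disabled app-wide
outcome(FixedUser) # => [true, "alice"]; outcome(SafeUser) gives the same
```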