* Deprecated TagAssertions.
*Kasper Timm Hansen*
* Use the Active Support JSON encoder for cookie jars using the `:json` or
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
cookies by defining the `#as_json` hook on such objects.
Fixes #16520.
*Godfrey Chan*
* Add `config.action_dispatch.cookies_digest` option for setting custom
digest. The default remains the same - 'SHA1'.
*Łukasz Strzałkowski*
* Move `respond_with` (and the class-level `respond_to`) to
the `responders` gem.
*José Valim*
* When your templates change, browser caches bust automatically.
New default: the template digest is automatically included in your ETags.
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
is mixed in so future changes to the HTML will blow HTTP caches for you.
This makes it easy to HTTP-cache many more of your actions.
If you render a different template, you can now pass the `:template`
option to include its digest instead:
fresh_when @post, template: 'widgets/show'
Pass `template: false` to skip the lookup. To turn this off entirely, set:
config.action_controller.etag_with_template_digest = false
*Jeremy Kemper*
* Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
in favor of `AbstractController::Helpers::MissingHelperError`.
*Yves Senn*
* Fix `assert_template` not being able to assert that no files were rendered.
*Guo Xiang Tan*
* Extract source code for the entire exception stack trace for
better debugging and diagnosis.
*Ryan Dao*
* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
loopback address.
*Earl St Sauver*, *Sven Riedel*
* Preserve original path in `ShowExceptions` middleware by stashing it as
`env["action_dispatch.original_path"]`
`ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
for the exception defined in `ExceptionWrapper`, so the path
the user was visiting when an exception occurred was not previously
available to any custom exceptions_app. The original `PATH_INFO` is now
stashed in `env["action_dispatch.original_path"]`.
*Grey Baker*
* Use `String#bytesize` instead of `String#size` when checking for cookie
overflow.
*Agis Anastasopoulos*
* `render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
See #14883 for details.
*Godfrey Chan*
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
("Rosetta Flash")
*Greg Campbell*
* Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
*Karl Entwistle*
* Generate shallow paths for all children of shallow resources.
Fixes #15783.
*Seb Jacobs*
* JSONP responses are now rendered with the `text/javascript` content type
when rendering through a `respond_to` block.
Fixes #15081.
*Lucas Mazza*
* Add `config.action_controller.always_permitted_parameters` to configure which
parameters are permitted globally. The default value of this configuration is
`['controller', 'action']`.
*Gary S. Weaver*, *Rafael Chacon*
* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
Fixes #15511.
*Larry Lv*
* ActionController::Parameters#require now accepts `false` values.
Fixes #15685.
*Sergio Romano*
* With authorization header `Authorization: Token token=`, `authenticate` now
recognize token as nil, instead of "token".
Fixes #14846.
*Larry Lv*
* Ensure the controller is always notified as soon as the client disconnects
during live streaming, even when the controller is blocked on a write.
*Nicholas Jakobsen*, *Matthew Draper*
* Routes specifying 'to:' must be a string that contains a "#" or a rack
application. Use of a symbol should be replaced with `action: symbol`.
Use of a string without a "#" should be replaced with `controller: string`.
*Aaron Patterson*
* Fix URL generation with `:trailing_slash` such that it does not add
a trailing slash after `.:format`
*Dan Langevin*
* Build full URI as string when processing path in integration tests for
performance reasons.
*Guo Xiang Tan*
* Fix `'Stack level too deep'` when rendering `head :ok` in an action method
called 'status' in a controller.
Fixes #13905.
*Christiaan Van den Poel*
* Add MKCALENDAR HTTP method (RFC 4791).
*Sergey Karpesh*
* Instrument fragment cache metrics.
Adds `:controller`: and `:action` keys to the instrumentation payload
for the `*_fragment.action_controller` notifications. This allows tracking
e.g. the fragment cache hit rates for each controller action.
*Daniel Schierbeck*
* Always use the provided port if the protocol is relative.
Fixes #15043.
*Guilherme Cavalcanti*, *Andrew White*
* Moved `params[request_forgery_protection_token]` into its own method
and improved tests.
Fixes #11316.
*Tom Kadwill*
* Added verification of route constraints given as a Proc or an object responding
to `:matches?`. Previously, when given an non-complying object, it would just
silently fail to enforce the constraint. It will now raise an `ArgumentError`
when setting up the routes.
*Xavier Defrang*
* Properly treat the entire IPv6 User Local Address space as private for
purposes of remote IP detection. Also handle uppercase private IPv6
addresses.
Fixes #12638.
*Caleb Spare*
* Fixed an issue with migrating legacy json cookies.
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
cookies are marshal-encoded. This is not the case when `secret_token` is
used in conjunction with the `:json` or `:hybrid` serializer.
In those case, when upgrading to use `secret_key_base`, this would cause a
`TypeError: incompatible marshal file format` and a 500 error for the user.
Fixes #14774.
*Godfrey Chan*
* Make URL escaping more consistent:
1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
4. Use `escape_segment` rather than `escape_path` in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
is used in the path then this uses `escape_path` as the controller may be namespaced.
Fixes #14629, #14636 and #14070.
*Andrew White*, *Edho Arief*
* Add alias `ActionDispatch::Http::UploadedFile#to_io` to
`ActionDispatch::Http::UploadedFile#tempfile`.
*Tim Linquist*
* Returns null type format when format is not know and controller is using `any`
format block.
Fixes #14462.
*Rafael Mendonça França*
* Improve routing error page with fuzzy matching search.
*Winston*
* Only make deeply nested routes shallow when parent is shallow.
Fixes #14684.
*Andrew White*, *James Coglan*
* Append link to bad code to backtrace when exception is `SyntaxError`.
*Boris Kuznetsov*
* Swapped the parameters of assert_equal in `assert_select` so that the
proper values were printed correctly.
Fixes #14422.
*Vishal Lal*
* The method `shallow?` returns false if the parent resource is a singleton so
we need to check if we're not inside a nested scope before copying the :path
and :as options to their shallow equivalents.
Fixes #14388.
*Andrew White*
* Make logging of CSRF failures optional (but on by default) with the
`log_warning_on_csrf_failure` configuration setting in
`ActionController::RequestForgeryProtection`.
*John Barton*
* Fix URL generation in controller tests with request-dependent
`default_url_options` methods.
*Tony Wooster*
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.