author: John Hawthorn <john@hawthorn.email> 2019-07-13 21:13:42 -0700
committer: John Hawthorn <john@hawthorn.email> 2019-07-13 21:32:13 -0700
commit: 9fe5aa32a7c962e084117af94351061009cd350b (patch)
tree: d749a880528272599d28f2e2b29e783d8537386f /guides
parent: 85fa9b6549f6bf0b4ab0262b869bdd3d25969939 (diff)
Update guide for render file:
Most of this section was written from the time that render file: was the default, before CVE-2016-0752. This updates the guide to the Rails 6 `render file:` behaviour, moves it to a more appropriate part of the file. [ci skip]
Diffstat (limited to 'guides')
-rw-r--r-- guides/source/layouts_and_rendering.md | 36
1 files changed, 17 insertions, 19 deletions
diff --git a/guides/source/layouts_and_rendering.md b/guides/source/layouts_and_rendering.md
index a4f48d29c1..ce90a60e36 100644
--- a/guides/source/layouts_and_rendering.md
+++ b/guides/source/layouts_and_rendering.md
@@ -149,25 +149,6 @@ Rails knows that this view belongs to a different controller because of the embe
render template: "products/show"
```
-#### Rendering an Arbitrary File
-
-The `render` method can also use a view that's entirely outside of your application:
-
-```ruby
-render file: "/u/apps/warehouse_app/current/app/views/products/show"
-```
-
-The `:file` option takes an absolute file-system path. Of course, you need to have rights
-to the view that you're using to render the content.
-
-NOTE: Using the `:file` option in combination with users input can lead to security problems
-since an attacker could use this action to access security sensitive files in your file system.
-
-NOTE: By default, the file is rendered using the current layout.
-
-TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
-render a file, because Windows filenames do not have the same format as Unix filenames.
-
#### Wrapping it up
The above three ways of rendering (rendering another template within the controller, rendering a template within another controller, and rendering an arbitrary file on the file system) are actually variants of the same action.
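Review bot: the retained context line under "#### Wrapping it up" is now stale, since this hunk removes the "Rendering an Arbitrary File" subsection it refers to: "The above three ways of rendering (... and rendering an arbitrary file on the file system)" should become "The above two ways of rendering (rendering another template within the controller and rendering a template within another controller)" so the section stays consistent after the move.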
@@ -279,6 +260,23 @@ time.
NOTE: Unless overridden, your response returned from this render option will be
`text/plain`, as that is the default content type of Action Dispatch response.
+#### Rendering raw file
+
+Rails can render a raw file from an absolute path. This is useful for
+conditionally rendering static files like error pages.
+
+```ruby
+render file: "#{Rails.root}/public/404.html", layout: false
+```
+
+This renders the raw file (it doesn't support ERB or other handlers). By
+default it is rendered within the current layout.
+
+WARNING: Using the `:file` option in combination with users input can lead to security problems
+since an attacker could use this action to access security sensitive files in your file system.
+
+TIP: `send_file` is often a faster and better option if a layout isn't required.
+
#### Options for `render`
Calls to the `render` method generally accept five options: