Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 433 |
1 files changed, 145 insertions, 288 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index de9722c392..055d4b4f5b 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,376 +1,233 @@ -* Deprecate implicit Array conversion for Response objects. It was added - (using `#to_ary`) so we could conveniently use implicit splatting: +* Non-string authenticity tokens do not raise NoMethodError when decoding + the masked token. - status, headers, body = response + *Ville Lautanala* - But it also means `response + response` works and `[response].flatten` - cascades down to the Rack body. Nonsense behavior. Instead, rely on - explicit conversion and splatting with `#to_a`: +* Add http_cache_forever to Action Controller, so we can cache a response that never gets expired. - status, header, body = *response + *arthurnn* - *Jeremy Kemper* +* ActionController#translate supports symbols as shortcuts. + When shortcut is given it also lookups without action name. -* Don't rescue `IPAddr::InvalidAddressError`. + *Max Melentiev* - `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3 - and fails for JRuby in 1.9 mode. +* Expand `ActionController::ConditionalGet#fresh_when` and `stale?` to also + accept a collection of records as the first argument, so that the + following code can be written in a shorter form. - *Peter Suschlik* + # Before + def index + @articles = Article.all + fresh_when(etag: @articles, last_modified: @articles.maximum(:updated_at)) + end -* Fix bug where the router would ignore any constraints added to redirect - routes. + # After + def index + @articles = Article.all + fresh_when(@articles) + end - Fixes #16605. + *claudiob* - *Agis Anastasopoulos* +* Explicitly ignored wildcard verbs when searching for HEAD routes before fallback -* Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object. + Fixes an issue where a mounted rack app at root would intercept the HEAD + request causing an incorrect behavior during the fall back to GET requests. 
Example: + ```ruby + draw do + get '/home' => 'test#index' + mount rack_app, at: '/' + end + head '/home' + assert_response :success + ``` + In this case, a HEAD request runs through the routes the first time and fails + to match anything. Then, it runs through the list with the fallback and matches + `get '/home'`. The original behavior would match the rack app in the first pass. - # config/environments/production.rb - config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16') + *Terence Sun* - *Sam Aarons* +* Migrating xhr methods to keyword arguments syntax + in `ActionController::TestCase` and `ActionDispatch::Integration` -* Avoid duplicating routes for HEAD requests. + Old syntax: - Instead of duplicating the routes, we will first match the HEAD request to - HEAD routes. If no match is found, we will then map the HEAD request to - GET routes. + xhr :get, :create, params: { id: 1 } - *Guo Xiang Tan*, *Andrew White* + New syntax example: -* Requests that hit `ActionDispatch::Static` can now take advantage - of gzipped assets on disk. By default a gzip asset will be served if - the client supports gzip and a compressed file is on disk. + get :create, params: { id: 1 }, xhr: true - *Richard Schneeman* + *Kir Shatrov* -* `ActionController::Parameters` will stop inheriting from `Hash` and - `HashWithIndifferentAccess` in the next major release. If you use any method - that is not available on `ActionController::Parameters` you should consider - calling `#to_h` to convert it to a `Hash` first before calling that method. +* Migrating to keyword arguments syntax in `ActionController::TestCase` and + `ActionDispatch::Integration` HTTP request methods. - *Prem Sichanugrist* - -* `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted - keys removed. This change is to reflect on a security concern where some - method performed on an `ActionController::Parameters` may yield a `Hash` - object which does not maintain `permitted?` status. 
If you would like to - get a `Hash` with all the keys intact, duplicate and mark it as permitted - before calling `#to_h`. - - params = ActionController::Parameters.new({ - name: 'Senjougahara Hitagi', - oddity: 'Heavy stone crab' - }) - params.to_h - # => {} - - unsafe_params = params.dup.permit! - unsafe_params.to_h - # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"} - - safe_params = params.permit(:name) - safe_params.to_h - # => {"name"=>"Senjougahara Hitagi"} - - This change is consider a stopgap as we cannot change the code to stop - `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` - in the next minor release. - - *Prem Sichanugrist* - -* Deprecated `TagAssertions`. - - *Kasper Timm Hansen* - -* Use the Active Support JSON encoder for cookie jars using the `:json` or - `:hybrid` serializer. This allows you to serialize custom Ruby objects into - cookies by defining the `#as_json` hook on such objects. - - Fixes #16520. - - *Godfrey Chan* - -* Add `config.action_dispatch.cookies_digest` option for setting custom - digest. The default remains the same - 'SHA1'. - - *Łukasz Strzałkowski* - -* Move `respond_with` (and the class-level `respond_to`) to - the `responders` gem. - - *José Valim* - -* When your templates change, browser caches bust automatically. - - New default: the template digest is automatically included in your ETags. - When you call `fresh_when @post`, the digest for `posts/show.html.erb` - is mixed in so future changes to the HTML will blow HTTP caches for you. - This makes it easy to HTTP-cache many more of your actions. - - If you render a different template, you can now pass the `:template` - option to include its digest instead: - - fresh_when @post, template: 'widgets/show' - - Pass `template: false` to skip the lookup. 
To turn this off entirely, set: - - config.action_controller.etag_with_template_digest = false - - *Jeremy Kemper* - -* Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError` - in favor of `AbstractController::Helpers::MissingHelperError`. - - *Yves Senn* - -* Fix `assert_template` not being able to assert that no files were rendered. - - *Guo Xiang Tan* - -* Extract source code for the entire exception stack trace for - better debugging and diagnosis. - - *Ryan Dao* - -* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8 - loopback address. - - *Earl St Sauver*, *Sven Riedel* - -* Preserve original path in `ShowExceptions` middleware by stashing it as - `env["action_dispatch.original_path"]` - - `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code - for the exception defined in `ExceptionWrapper`, so the path - the user was visiting when an exception occurred was not previously - available to any custom exceptions_app. The original `PATH_INFO` is now - stashed in `env["action_dispatch.original_path"]`. - - *Grey Baker* - -* Use `String#bytesize` instead of `String#size` when checking for cookie - overflow. - - *Agis Anastasopoulos* - -* `render nothing: true` or rendering a `nil` body no longer add a single - space to the response body. - - The old behavior was added as a workaround for a bug in an early version of - Safari, where the HTTP headers are not returned correctly if the response - body has a 0-length. This is been fixed since and the workaround is no - longer necessary. - - Use `render body: ' '` if the old behavior is desired. - - See #14883 for details. - - *Godfrey Chan* - -* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 - ("Rosetta Flash"). - - *Greg Campbell* - -* Because URI paths may contain non US-ASCII characters we need to force - the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. 
- This essentially replicates the functionality of the monkey patch to - URI.parser.unescape in active_support/core_ext/uri.rb. - - Fixes #16104. - - *Karl Entwistle* - -* Generate shallow paths for all children of shallow resources. - - Fixes #15783. - - *Seb Jacobs* - -* JSONP responses are now rendered with the `text/javascript` content type - when rendering through a `respond_to` block. - - Fixes #15081. - - *Lucas Mazza* - -* Add `config.action_controller.always_permitted_parameters` to configure which - parameters are permitted globally. The default value of this configuration is - `['controller', 'action']`. - - *Gary S. Weaver*, *Rafael Chacon* - -* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'. - - Fixes #15511. - - *Larry Lv* + Example: -* ActionController::Parameters#require now accepts `false` values. + post :create, params: { y: x }, session: { a: 'b' } + get :view, params: { id: 1 } + get :view, params: { id: 1 }, format: :json - Fixes #15685. + *Kir Shatrov* - *Sergio Romano* +* Preserve default url options when generating URLs. -* With authorization header `Authorization: Token token=`, `authenticate` now - recognize token as nil, instead of "token". + Fixes an issue that would cause default_url_options to be lost when + generating URLs with fewer positional arguments than parameters in the + route definition. - Fixes #14846. + *Tekin Suleyman* - *Larry Lv* +* Deprecate *_via_redirect integration test methods. -* Ensure the controller is always notified as soon as the client disconnects - during live streaming, even when the controller is blocked on a write. + Use `follow_redirect!` manually after the request call for the same behavior. - *Nicholas Jakobsen*, *Matthew Draper* + *Aditya Kapoor* -* Routes specifying 'to:' must be a string that contains a "#" or a rack - application. Use of a symbol should be replaced with `action: symbol`. - Use of a string without a "#" should be replaced with `controller: string`. 
+* Add `ActionController::Renderer` to render arbitrary templates + outside controller actions. - *Aaron Patterson* + Its functionality is accessible through class methods `render` and + `renderer` of `ActionController::Base`. -* Fix URL generation with `:trailing_slash` such that it does not add - a trailing slash after `.:format` + *Ravil Bayramgalin* - *Dan Langevin* +* Support `:assigns` option when rendering with controllers/mailers. -* Build full URI as string when processing path in integration tests for - performance reasons. + *Ravil Bayramgalin* - *Guo Xiang Tan* +* Default headers, removed in controller actions, are no longer reapplied on + the test response. -* Fix `'Stack level too deep'` when rendering `head :ok` in an action method - called 'status' in a controller. + *Jonas Baumann* - Fixes #13905. +* Deprecate all *_filter callbacks in favor of *_action callbacks. - *Christiaan Van den Poel* + *Rafael Mendonça França* -* Add MKCALENDAR HTTP method (RFC 4791). +* Allow you to pass `prepend: false` to protect_from_forgery to have the + verification callback appended instead of prepended to the chain. + This allows you to let the verification step depend on prior callbacks. - *Sergey Karpesh* + Example: -* Instrument fragment cache metrics. + class ApplicationController < ActionController::Base + before_action :authenticate + protect_from_forgery prepend: false, unless: -> { @authenticated_by.oauth? } - Adds `:controller`: and `:action` keys to the instrumentation payload - for the `*_fragment.action_controller` notifications. This allows tracking - e.g. the fragment cache hit rates for each controller action. + private + def authenticate + if oauth_request? + # authenticate with oauth + @authenticated_by = 'oauth'.inquiry + else + # authenticate with cookies + @authenticated_by = 'cookie'.inquiry + end + end + end - *Daniel Schierbeck* + *Josef Šimánek* -* Always use the provided port if the protocol is relative. 
+* Remove `ActionController::HideActions`. - Fixes #15043. + *Ravil Bayramgalin* - *Guilherme Cavalcanti*, *Andrew White* +* Remove `respond_to`/`respond_with` placeholder methods, this functionality + has been extracted to the `responders` gem. -* Moved `params[request_forgery_protection_token]` into its own method - and improved tests. + *Carlos Antonio da Silva* - Fixes #11316. +* Remove deprecated assertion files. - *Tom Kadwill* + *Rafael Mendonça França* -* Added verification of route constraints given as a Proc or an object responding - to `:matches?`. Previously, when given an non-complying object, it would just - silently fail to enforce the constraint. It will now raise an `ArgumentError` - when setting up the routes. +* Remove deprecated usage of string keys in URL helpers. - *Xavier Defrang* + *Rafael Mendonça França* -* Properly treat the entire IPv6 User Local Address space as private for - purposes of remote IP detection. Also handle uppercase private IPv6 - addresses. +* Remove deprecated `only_path` option on `*_path` helpers. - Fixes #12638. + *Rafael Mendonça França* - *Caleb Spare* +* Remove deprecated `NamedRouteCollection#helpers`. -* Fixed an issue with migrating legacy json cookies. + *Rafael Mendonça França* - Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming - cookies are marshal-encoded. This is not the case when `secret_token` is - used in conjunction with the `:json` or `:hybrid` serializer. +* Remove deprecated support to define routes with `:to` option that doesn't contain `#`. - In those case, when upgrading to use `secret_key_base`, this would cause a - `TypeError: incompatible marshal file format` and a 500 error for the user. + *Rafael Mendonça França* - Fixes #14774. +* Remove deprecated `ActionDispatch::Response#to_ary`. - *Godfrey Chan* + *Rafael Mendonça França* -* Make URL escaping more consistent: +* Remove deprecated `ActionDispatch::Request#deep_munge`. - 1. 
Escape '%' characters in URLs - only unescaped data should be passed to URL helpers - 2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters - 3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation - 4. Use `escape_segment` rather than `escape_path` in URL generation + *Rafael Mendonça França* - For point 4 there are two exceptions. Firstly, when a route uses wildcard segments - (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This - means that wildcard routes can't be optimized. Secondly, if a `:controller` segment - is used in the path then this uses `escape_path` as the controller may be namespaced. +* Remove deprecated `ActionDispatch::Http::Parameters#symbolized_path_parameters`. - Fixes #14629, #14636 and #14070. + *Rafael Mendonça França* - *Andrew White*, *Edho Arief* +* Remove deprecated option `use_route` in controller tests. -* Add alias `ActionDispatch::Http::UploadedFile#to_io` to - `ActionDispatch::Http::UploadedFile#tempfile`. + *Rafael Mendonça França* - *Tim Linquist* +* Ensure `append_info_to_payload` is called even if an exception is raised. -* Returns null type format when format is not know and controller is using `any` - format block. + Fixes an issue where when an exception is raised in the request the additonal + payload data is not available. - Fixes #14462. + See: + * #14903 + * https://github.com/roidrage/lograge/issues/37 - *Rafael Mendonça França* + *Dieter Komendera*, *Margus Pärt* -* Improve routing error page with fuzzy matching search. +* Correctly rely on the response's status code to handle calls to `head`. - *Winston* + *Robin Dupret* -* Only make deeply nested routes shallow when parent is shallow. +* Using `head` method returns empty response_body instead + of returning a single space " ". - Fixes #14684. 
+ The old behavior was added as a workaround for a bug in an early + version of Safari, where the HTTP headers are not returned correctly + if the response body has a 0-length. This is been fixed since and + the workaround is no longer necessary. - *Andrew White*, *James Coglan* + Fixes #18253. -* Append link to bad code to backtrace when exception is `SyntaxError`. + *Prathamesh Sonpatki* - *Boris Kuznetsov* +* Fix how polymorphic routes works with objects that implement `to_model`. -* Swapped the parameters of assert_equal in `assert_select` so that the - proper values were printed correctly. + *Travis Grathwell* - Fixes #14422. +* Stop converting empty arrays in `params` to `nil`. - *Vishal Lal* + This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694 + and CVE-2013-0155 -* The method `shallow?` returns false if the parent resource is a singleton so - we need to check if we're not inside a nested scope before copying the :path - and :as options to their shallow equivalents. + ActiveRecord now issues a safe query when passing an empty array into + a where clause, so there is no longer a need to defend against this type + of input (any nils are still stripped from the array). - Fixes #14388. + *Chris Sinjakli* - *Andrew White* +* Fixed usage of optional scopes in url helpers. -* Make logging of CSRF failures optional (but on by default) with the - `log_warning_on_csrf_failure` configuration setting in - `ActionController::RequestForgeryProtection`. + *Alex Robbin* - *John Barton* +* Fixed handling of positional url helper arguments when `format: false`. -* Fix URL generation in controller tests with request-dependent - `default_url_options` methods. + Fixes #17819. - *Tony Wooster* + *Andrew White*, *Tatiana Soukiassian* -Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes. 
+Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes. |
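Review bot: In the added "Stop converting empty arrays in `params` to `nil`" entry, the only justification given is that ActiveRecord now issues a safe query for an empty array in a where clause, so the entry should also say what changes for callers: code that reads `params` outside an ActiveRecord where clause now receives `[]` where it used to receive `nil`. Consider adding one sentence to that effect. The sentence ending "and CVE-2013-0155" is also missing its full stop. Two wording fixes elsewhere in the same hunk: "additonal" should be "additional" in the `append_info_to_payload` entry, and "This is been fixed since" should be "This has since been fixed" in the `head` entry. In the `protect_from_forgery prepend: false` example, it would help to state that `before_action :authenticate` has to be declared before `protect_from_forgery`, because the `unless:` lambda calls `@authenticated_by.oauth?` and that variable is only set inside `authenticate`.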