Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- actionpack/CHANGELOG.md | 466
1 files changed, 78 insertions, 388 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index dc98fb583c..6cd0b2d15d 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,440 +1,130 @@
-* Fix stream closing when sending file with `ActionController::Live` included.
+* Default headers, removed in controller actions, are no longer reapplied on
+ the test response.
- Fixes #12381
+ *Jonas Baumann*
- *Alessandro Diaferia*
+* Deprecate all *_filter callbacks in favor of *_action callbacks.
-* Allow an absolute controller path inside a module scope. Fixes #12777.
+ *Rafael Mendonça França*
+* Allow you to pass `prepend: false` to protect_from_forgery to have the
+ verification callback appended instead of prepended to the chain.
+ This allows you to let the verification step depend on prior callbacks.
Example:
- namespace :foo do
- # will route to BarController without the namespace.
- get '/special', to: '/bar#index'
+ class ApplicationController < ActionController::Base
+ before_action :authenticate
+ protect_from_forgery prepend: false, unless: -> { @authenticated_by.oauth? }
+
+ private
+ def authenticate
+ if oauth_request?
+ # authenticate with oauth
+ @authenticated_by = 'oauth'.inquiry
+ else
+ # authenticate with cookies
+ @authenticated_by = 'cookie'.inquiry
+ end
+ end
end
+ *Josef Šimánek*
-* Unique the segment keys array for non-optimized url helpers
+* Remove `ActionController::HideActions`.
- In Rails 3.2 you only needed pass an argument for dynamic segment once so
- unique the segment keys array to match the number of args. Since the number
- of args is less than required parts the non-optimized code path is selected.
- This means to benefit from optimized url generation the arg needs to be
- specified as many times as it appears in the path.
+ *Ravil Bayramgalin*
- Fixes #12808.
+* Remove `respond_to`/`respond_with` placeholder methods, this functionality
+ has been extracted to the `responders` gem.
- *Andrew White*
-
-* Show full route constraints in error message
-
- When an optimized helper fails to generate, show the full route constraints
- in the error message. Previously it would only show the contraints that were
- required as part of the path.
-
- Fixes #13592.
-
- *Andrew White*
-
-* Use a custom route visitor for optimized url generation. Fixes #13349.
-
- *Andrew White*
-
-* Allow engine root relative redirects using an empty string.
-
- Example:
-
- # application routes.rb
- mount BlogEngine => '/blog'
-
- # engine routes.rb
- get '/welcome' => redirect('')
-
- This now redirects to the path `/blog`, whereas before it would redirect
- to the application root path. In the case of a path redirect or a custom
- redirect if the path returned contains a host then the path is treated as
- absolute. Similarly for option redirects, if the options hash returned
- contains a `:host` or `:domain` key then the path is treated as absolute.
-
- Fixes #7977.
-
- *Andrew White*
-
-* Fix `Encoding::CompatibilityError` when public path is UTF-8
-
- In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling
- from blowing up before an application has had chance to deal with possibly invalid
- urls. However this has a negative side effect of making it an incompatible encoding
- if the application's public path has UTF-8 characters in it.
-
- To work around the problem we check to see if the path has a valid encoding once
- it has been unescaped. If it is not valid then we can return early since it will
- not match any file anyway.
-
- Fixes #13518.
-
- *Andrew White*
-
-* `ActionController::Parameters#permit!` permits hashes in array values.
-
- *Xavier Noria*
-
-* Converts hashes in arrays of unfiltered params to unpermitted params.
-
- Fixes #13382.
-
- *Xavier Noria*
-
-* New config option to opt out of params "deep munging" that was used to
- address security vulnerability CVE-2013-0155. In your app config:
-
- config.action_dispatch.perform_deep_munge = false
-
- Take care to understand the security risk involved before disabling this.
- [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
-
- *Bernard Potocki*
-
-* `rake routes` shows routes defined under assets prefix.
-
- *Ryunosuke SATO*
-
-* Extend cross-site request forgery (CSRF) protection to GET requests with
- JavaScript responses, protecting apps from cross-origin `<script>` tags.
-
- *Jeremy Kemper*
-
-* Fix generating a path for engine inside a resources block.
-
- Fixes #8533.
-
- *Piotr Sarnacki*
-
-* Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
-
- *DHH*
-
-* Remove deprecated `ActionController::RecordIdentifier`, use
- `ActionView::RecordIdentifier` instead.
-
- *kennyj*
-
-* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
- `options[:raise]`.
-
- This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
-
- *Shota Fukumori (sora_h)*
-
-* Introducing Variants
-
- We often want to render different html/json/xml templates for phones,
- tablets, and desktop browsers. Variants make it easy.
-
- The request variant is a specialization of the request format, like `:tablet`,
- `:phone`, or `:desktop`.
-
- You can set the variant in a `before_action`:
-
- request.variant = :tablet if request.user_agent =~ /iPad/
-
- Respond to variants in the action just like you respond to formats:
-
- respond_to do |format|
- format.html do |html|
- html.tablet # renders app/views/projects/show.html+tablet.erb
- html.phone { extra_setup; render ... }
- end
- end
-
- Provide separate templates for each format and variant:
-
- app/views/projects/show.html.erb
- app/views/projects/show.html+tablet.erb
- app/views/projects/show.html+phone.erb
-
- You can also simplify the variants definition using the inline syntax:
-
- respond_to do |format|
- format.js { render "trash" }
- format.html.phone { redirect_to progress_path }
- format.html.none { render "trash" }
- end
-
- Variants also support common `any`/`all` block that formats have.
-
- It works for both inline:
-
- respond_to do |format|
- format.html.any { render text: "any" }
- format.html.phone { render text: "phone" }
- end
-
- and block syntax:
-
- respond_to do |format|
- format.html do |variant|
- variant.any(:tablet, :phablet){ render text: "any" }
- variant.phone { render text: "phone" }
- end
- end
-
- *Łukasz Strzałkowski*
-
-* Fix render of localized templates without an explicit format using wrong
- content header and not passing correct formats to template due to the
- introduction of the `NullType` for mimes.
-
- Templates like `hello.it.erb` were subject to this issue.
-
- Fixes #13064.
-
- *Angelo Capilleri*, *Carlos Antonio da Silva*
-
-* Try to escape each part of a url correctly when using a redirect route.
-
- Fixes #13110.
-
- *Andrew White*
-
-* Better error message for typos in assert_response argument.
-
- When the response type argument to `assert_response` is not a known
- response type, `assert_response` now throws an ArgumentError with a clear
- message. This is intended to help debug typos in the response type.
-
- *Victor Costan*
-
-* Fix formatting for `rake routes` when a section is shorter than a header.
-
- *Sıtkı Bağdat*
-
-* Take a hash with options inside array in `#url_for`.
-
- Example:
-
- url_for [:new, :admin, :post, { param: 'value' }]
- # => http://example.com/admin/posts/new?param=value
-
- *Andrey Ognevsky*
-
-* Add `session#fetch` method
-
- fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
- It returns a value from the hash for the given key.
- If the key can’t be found, there are several options:
-
- * With no other arguments, it will raise an KeyError exception.
- * If a default value is given, then that will be returned.
- * If the optional code block is specified, then that will be run and its result returned.
-
- *Damien Mathieu*
-
-* Don't let strong parameters mutate the given hash via `fetch`
-
- Create a new instance if the given parameter is a `Hash` instead of
- passing it to the `convert_hashes_to_parameters` method since it is
- overriding its default value.
-
- *Brendon Murphy*, *Doug Cole*
-
-* Add `params` option to `button_to` form helper, which renders the given hash
- as hidden form fields.
-
- *Andy Waite*
-
-* Make assets helpers work in the controllers like it works in the views.
-
- Example:
-
- # config/application.rb
- config.asset_host = 'http://mycdn.com'
-
- ActionController::Base.helpers.asset_path('fallback.png')
- # => http://mycdn.com/assets/fallback.png
-
- Fixes #10051.
-
- *Tima Maslyuchenko*
-
-* Respect `SCRIPT_NAME` when using `redirect` with a relative path
-
- Example:
-
- # application routes.rb
- mount BlogEngine => '/blog'
-
- # engine routes.rb
- get '/admin' => redirect('admin/dashboard')
-
- This now redirects to the path `/blog/admin/dashboard`, whereas before it would've
- generated an invalid url because there would be no slash between the host name and
- the path. It also allows redirects to work where the application is deployed to a
- subdirectory of a website.
-
- Fixes #7977.
-
- *Andrew White*
-
-* Fixing repond_with working directly on the options hash
- This fixes an issue where the respond_with worked directly with the given
- options hash, so that if a user relied on it after calling respond_with,
- the hash wouldn't be the same.
-
- Fixes #12029.
-
- *bluehotdog*
-
-* Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
- attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
-
- Fixes #10844.
-
- *Tamir Duberstein*
-
-* Strong parameters should permit nested number as key.
-
- Fixes #12293.
-
- *kennyj*
-
-* Fix regex used to detect URI schemes in `redirect_to` to be consistent with
- RFC 3986.
-
- *Derek Prior*
-
-* Fix incorrect `assert_redirected_to` failure message for protocol-relative
- URLs.
-
- *Derek Prior*
-
-* Fix an issue where router can't recognize downcased url encoding path.
-
- Fixes #12269.
-
- *kennyj*
-
-* Fix custom flash type definition. Misusage of the `_flash_types` class variable
- caused an error when reloading controllers with custom flash types.
-
- Fixes #12057.
-
- *Ricardo de Cillo*
-
-* Do not break params filtering on `nil` values.
-
- Fixes #12149.
-
- *Vasiliy Ermolovich*
-
-* Development mode exceptions are rendered in text format in case of XHR request.
-
- *Kir Shatrov*
-
-* Fix an issue where :if and :unless controller action procs were being run
- before checking for the correct action in the :only and :unless options.
-
- Fixes #11799.
+ *Carlos Antonio da Silva*
- *Nicholas Jakobsen*
+* Remove deprecated assertion files.
-* Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were
- ignoring the passed failure message argument.
+ *Rafael Mendonça França*
- Fixes #11751.
+* Remove deprecated usage of string keys in URL helpers.
- *Ryan McGeary*
+ *Rafael Mendonça França*
-* Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from
- the environment passed into `ActionDispatch::TestRequest.new`.
+* Remove deprecated `only_path` option on `*_path` helpers.
- Fixes #11590.
+ *Rafael Mendonça França*
- *Andrew White*
+* Remove deprecated `NamedRouteCollection#helpers`.
-* Fix an issue where Journey was failing to clear the named routes hash when the
- routes were reloaded and since it doesn't overwrite existing routes then if a
- route changed but wasn't renamed it kept the old definition. This was being
- masked by the optimised url helpers so it only became apparent when passing an
- options hash to the url helper.
+ *Rafael Mendonça França*
- *Andrew White*
+* Remove deprecated support to define routes with `:to` option that doesn't contain `#`.
-* Skip routes pointing to a redirect or mounted application when generating urls
- using an options hash as they aren't relevant and generate incorrect urls.
+ *Rafael Mendonça França*
- Fixes #8018.
+* Remove deprecated `ActionDispatch::Response#to_ary`.
- *Andrew White*
+ *Rafael Mendonça França*
-* Move `MissingHelperError` out of the `ClassMethods` module.
+* Remove deprecated `ActionDispatch::Request#deep_munge`.
- *Yves Senn*
+ *Rafael Mendonça França*
-* Fix an issue where rails raise exception about missing helper where it
- should throw `LoadError`. When helper file exists and only loaded file from
- this helper does not exist rails should throw LoadError instead of
- `MissingHelperError`.
+* Remove deprecated `ActionDispatch::Http::Parameters#symbolized_path_parameters`.
- *Piotr Niełacny*
+ *Rafael Mendonça França*
-* Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind body input stream on
- parsing json params.
+* Remove deprecated option `use_route` in controller tests.
- Fixes #11345.
+ *Rafael Mendonça França*
- *Yuri Bol*, *Paul Nikitochkin*
+* Ensure `append_info_to_payload` is called even if an exception is raised.
-* Ignore spaces around delimiter in Set-Cookie header.
+ Fixes an issue where when an exception is raised in the request the additonal
+ payload data is not available.
- *Yamagishi Kazutoshi*
+ See:
+ * #14903
+ * https://github.com/roidrage/lograge/issues/37
-* Remove deprecated Rails application fallback for integration testing, set
- `ActionDispatch.test_app` instead.
+ *Dieter Komendera*, *Margus Pärt*
- *Carlos Antonio da Silva*
+* Correctly rely on the response's status code to handle calls to `head`.
-* Remove deprecated `page_cache_extension` config.
+ *Robin Dupret*
- *Francesco Rodriguez*
+* Using `head` method returns empty response_body instead
+ of returning a single space " ".
-* Remove deprecated constants from Action Controller:
+ The old behavior was added as a workaround for a bug in an early
+ version of Safari, where the HTTP headers are not returned correctly
+ if the response body has a 0-length. This is been fixed since and
+ the workaround is no longer necessary.
- ActionController::AbstractRequest => ActionDispatch::Request
- ActionController::Request => ActionDispatch::Request
- ActionController::AbstractResponse => ActionDispatch::Response
- ActionController::Response => ActionDispatch::Response
- ActionController::Routing => ActionDispatch::Routing
- ActionController::Integration => ActionDispatch::Integration
- ActionController::IntegrationTest => ActionDispatch::IntegrationTest
+ Fixes #18253.
- *Carlos Antonio da Silva*
+ *Prathamesh Sonpatki*
-* Fix `Mime::Type.parse` when bad accepts header is looked up. Previously it
- was setting `request.formats` with an array containing a `nil` value, which
- raised an error when setting the controller formats.
+* Fix how polymorphic routes works with objects that implement `to_model`.
- Fixes #10965.
+ *Travis Grathwell*
- *Becker*
+* Stop converting empty arrays in `params` to `nil`
-* Merge `:action` from routing scope and assign endpoint if both `:controller`
- and `:action` are present. The endpoint assignment only occurs if there is
- no `:to` present in the options hash so should only affect routes using the
- shorthand syntax (i.e. endpoint is inferred from the path).
+ This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694
+ and CVE-2013-0155
- Fixes #9856.
+ ActiveRecord now issues a safe query when passing an empty array into
+ a where clause, so there is no longer a need to defend against this type
+ of input (any nils are still stripped from the array).
- *Yves Senn*, *Andrew White*
+ *Chris Sinjakli*
-* Action View extracted from Action Pack.
+* Fixed usage of optional scopes in url helpers.
- *Piotr Sarnacki*, *Łukasz Strzałkowski*
+ *Alex Robbin*
-* Fix removing trailing slash for mounted apps.
+* Fixed handling of positional url helper arguments when `format: false`.
- Fixes #3215.
+ Fixes #17819.
- *Piotr Sarnacki*
+ *Andrew White*, *Tatiana Soukiassian*
-Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes.
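Review bot: The new "Stop converting empty arrays in `params` to `nil`" entry justifies the change only by ActiveRecord's handling of an empty array in a where clause, and does not say what application code that relied on the old conversion should do. Suggest adding a sentence that code which checked such a parameter for `nil`, or which passes `params` to something other than an ActiveRecord where clause, now receives `[]` and has to handle it. The same entry is missing the full stop after `CVE-2013-0155`. In the `protect_from_forgery prepend: false` entry, it would help to state that callbacks declared before it (here `authenticate`) now run before the forgery check, so they should not change state, and that the `unless:` condition in the example has to rest on something a cross-site request cannot supply. Typos in added lines: "additonal" should be "additional", "This is been fixed since" should be "This has been fixed since", and "polymorphic routes works" should be "polymorphic routes work".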