Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 466 |
1 files changed, 78 insertions, 388 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index dc98fb583c..6cd0b2d15d 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,440 +1,130 @@ -* Fix stream closing when sending file with `ActionController::Live` included. +* Default headers, removed in controller actions, are no longer reapplied on + the test response. - Fixes #12381 + *Jonas Baumann* - *Alessandro Diaferia* +* Deprecate all *_filter callbacks in favor of *_action callbacks. -* Allow an absolute controller path inside a module scope. Fixes #12777. + *Rafael Mendonça França* +* Allow you to pass `prepend: false` to protect_from_forgery to have the + verification callback appended instead of prepended to the chain. + This allows you to let the verification step depend on prior callbacks. Example: - namespace :foo do - # will route to BarController without the namespace. - get '/special', to: '/bar#index' + class ApplicationController < ActionController::Base + before_action :authenticate + protect_from_forgery prepend: false, unless: -> { @authenticated_by.oauth? } + + private + def authenticate + if oauth_request? + # authenticate with oauth + @authenticated_by = 'oauth'.inquiry + else + # authenticate with cookies + @authenticated_by = 'cookie'.inquiry + end + end end + *Josef Šimánek* -* Unique the segment keys array for non-optimized url helpers +* Remove `ActionController::HideActions`. - In Rails 3.2 you only needed pass an argument for dynamic segment once so - unique the segment keys array to match the number of args. Since the number - of args is less than required parts the non-optimized code path is selected. - This means to benefit from optimized url generation the arg needs to be - specified as many times as it appears in the path. + *Ravil Bayramgalin* - Fixes #12808. +* Remove `respond_to`/`respond_with` placeholder methods, this functionality + has been extracted to the `responders` gem. - *Andrew White* - -* Show full route constraints in error message - - When an optimized helper fails to generate, show the full route constraints - in the error message. 
Previously it would only show the contraints that were - required as part of the path. - - Fixes #13592. - - *Andrew White* - -* Use a custom route visitor for optimized url generation. Fixes #13349. - - *Andrew White* - -* Allow engine root relative redirects using an empty string. - - Example: - - # application routes.rb - mount BlogEngine => '/blog' - - # engine routes.rb - get '/welcome' => redirect('') - - This now redirects to the path `/blog`, whereas before it would redirect - to the application root path. In the case of a path redirect or a custom - redirect if the path returned contains a host then the path is treated as - absolute. Similarly for option redirects, if the options hash returned - contains a `:host` or `:domain` key then the path is treated as absolute. - - Fixes #7977. - - *Andrew White* - -* Fix `Encoding::CompatibilityError` when public path is UTF-8 - - In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling - from blowing up before an application has had chance to deal with possibly invalid - urls. However this has a negative side effect of making it an incompatible encoding - if the application's public path has UTF-8 characters in it. - - To work around the problem we check to see if the path has a valid encoding once - it has been unescaped. If it is not valid then we can return early since it will - not match any file anyway. - - Fixes #13518. - - *Andrew White* - -* `ActionController::Parameters#permit!` permits hashes in array values. - - *Xavier Noria* - -* Converts hashes in arrays of unfiltered params to unpermitted params. - - Fixes #13382. - - *Xavier Noria* - -* New config option to opt out of params "deep munging" that was used to - address security vulnerability CVE-2013-0155. In your app config: - - config.action_dispatch.perform_deep_munge = false - - Take care to understand the security risk involved before disabling this. 
- [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI) - - *Bernard Potocki* - -* `rake routes` shows routes defined under assets prefix. - - *Ryunosuke SATO* - -* Extend cross-site request forgery (CSRF) protection to GET requests with - JavaScript responses, protecting apps from cross-origin `<script>` tags. - - *Jeremy Kemper* - -* Fix generating a path for engine inside a resources block. - - Fixes #8533. - - *Piotr Sarnacki* - -* Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types. - - *DHH* - -* Remove deprecated `ActionController::RecordIdentifier`, use - `ActionView::RecordIdentifier` instead. - - *kennyj* - -* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with - `options[:raise]`. - - This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f. - - *Shota Fukumori (sora_h)* - -* Introducing Variants - - We often want to render different html/json/xml templates for phones, - tablets, and desktop browsers. Variants make it easy. - - The request variant is a specialization of the request format, like `:tablet`, - `:phone`, or `:desktop`. - - You can set the variant in a `before_action`: - - request.variant = :tablet if request.user_agent =~ /iPad/ - - Respond to variants in the action just like you respond to formats: - - respond_to do |format| - format.html do |html| - html.tablet # renders app/views/projects/show.html+tablet.erb - html.phone { extra_setup; render ... } - end - end - - Provide separate templates for each format and variant: - - app/views/projects/show.html.erb - app/views/projects/show.html+tablet.erb - app/views/projects/show.html+phone.erb - - You can also simplify the variants definition using the inline syntax: - - respond_to do |format| - format.js { render "trash" } - format.html.phone { redirect_to progress_path } - format.html.none { render "trash" } - end - - Variants also support common `any`/`all` block that formats have. 
- - It works for both inline: - - respond_to do |format| - format.html.any { render text: "any" } - format.html.phone { render text: "phone" } - end - - and block syntax: - - respond_to do |format| - format.html do |variant| - variant.any(:tablet, :phablet){ render text: "any" } - variant.phone { render text: "phone" } - end - end - - *Łukasz Strzałkowski* - -* Fix render of localized templates without an explicit format using wrong - content header and not passing correct formats to template due to the - introduction of the `NullType` for mimes. - - Templates like `hello.it.erb` were subject to this issue. - - Fixes #13064. - - *Angelo Capilleri*, *Carlos Antonio da Silva* - -* Try to escape each part of a url correctly when using a redirect route. - - Fixes #13110. - - *Andrew White* - -* Better error message for typos in assert_response argument. - - When the response type argument to `assert_response` is not a known - response type, `assert_response` now throws an ArgumentError with a clear - message. This is intended to help debug typos in the response type. - - *Victor Costan* - -* Fix formatting for `rake routes` when a section is shorter than a header. - - *Sıtkı Bağdat* - -* Take a hash with options inside array in `#url_for`. - - Example: - - url_for [:new, :admin, :post, { param: 'value' }] - # => http://example.com/admin/posts/new?param=value - - *Andrey Ognevsky* - -* Add `session#fetch` method - - fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch). - It returns a value from the hash for the given key. - If the key can’t be found, there are several options: - - * With no other arguments, it will raise an KeyError exception. - * If a default value is given, then that will be returned. - * If the optional code block is specified, then that will be run and its result returned. 
- - *Damien Mathieu* - -* Don't let strong parameters mutate the given hash via `fetch` - - Create a new instance if the given parameter is a `Hash` instead of - passing it to the `convert_hashes_to_parameters` method since it is - overriding its default value. - - *Brendon Murphy*, *Doug Cole* - -* Add `params` option to `button_to` form helper, which renders the given hash - as hidden form fields. - - *Andy Waite* - -* Make assets helpers work in the controllers like it works in the views. - - Example: - - # config/application.rb - config.asset_host = 'http://mycdn.com' - - ActionController::Base.helpers.asset_path('fallback.png') - # => http://mycdn.com/assets/fallback.png - - Fixes #10051. - - *Tima Maslyuchenko* - -* Respect `SCRIPT_NAME` when using `redirect` with a relative path - - Example: - - # application routes.rb - mount BlogEngine => '/blog' - - # engine routes.rb - get '/admin' => redirect('admin/dashboard') - - This now redirects to the path `/blog/admin/dashboard`, whereas before it would've - generated an invalid url because there would be no slash between the host name and - the path. It also allows redirects to work where the application is deployed to a - subdirectory of a website. - - Fixes #7977. - - *Andrew White* - -* Fixing repond_with working directly on the options hash - This fixes an issue where the respond_with worked directly with the given - options hash, so that if a user relied on it after calling respond_with, - the hash wouldn't be the same. - - Fixes #12029. - - *bluehotdog* - -* Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing - attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set. - - Fixes #10844. - - *Tamir Duberstein* - -* Strong parameters should permit nested number as key. - - Fixes #12293. - - *kennyj* - -* Fix regex used to detect URI schemes in `redirect_to` to be consistent with - RFC 3986. 
- - *Derek Prior* - -* Fix incorrect `assert_redirected_to` failure message for protocol-relative - URLs. - - *Derek Prior* - -* Fix an issue where router can't recognize downcased url encoding path. - - Fixes #12269. - - *kennyj* - -* Fix custom flash type definition. Misusage of the `_flash_types` class variable - caused an error when reloading controllers with custom flash types. - - Fixes #12057. - - *Ricardo de Cillo* - -* Do not break params filtering on `nil` values. - - Fixes #12149. - - *Vasiliy Ermolovich* - -* Development mode exceptions are rendered in text format in case of XHR request. - - *Kir Shatrov* - -* Fix an issue where :if and :unless controller action procs were being run - before checking for the correct action in the :only and :unless options. - - Fixes #11799. + *Carlos Antonio da Silva* - *Nicholas Jakobsen* +* Remove deprecated assertion files. -* Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were - ignoring the passed failure message argument. + *Rafael Mendonça França* - Fixes #11751. +* Remove deprecated usage of string keys in URL helpers. - *Ryan McGeary* + *Rafael Mendonça França* -* Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from - the environment passed into `ActionDispatch::TestRequest.new`. +* Remove deprecated `only_path` option on `*_path` helpers. - Fixes #11590. + *Rafael Mendonça França* - *Andrew White* +* Remove deprecated `NamedRouteCollection#helpers`. -* Fix an issue where Journey was failing to clear the named routes hash when the - routes were reloaded and since it doesn't overwrite existing routes then if a - route changed but wasn't renamed it kept the old definition. This was being - masked by the optimised url helpers so it only became apparent when passing an - options hash to the url helper. + *Rafael Mendonça França* - *Andrew White* +* Remove deprecated support to define routes with `:to` option that doesn't contain `#`. 
-* Skip routes pointing to a redirect or mounted application when generating urls - using an options hash as they aren't relevant and generate incorrect urls. + *Rafael Mendonça França* - Fixes #8018. +* Remove deprecated `ActionDispatch::Response#to_ary`. - *Andrew White* + *Rafael Mendonça França* -* Move `MissingHelperError` out of the `ClassMethods` module. +* Remove deprecated `ActionDispatch::Request#deep_munge`. - *Yves Senn* + *Rafael Mendonça França* -* Fix an issue where rails raise exception about missing helper where it - should throw `LoadError`. When helper file exists and only loaded file from - this helper does not exist rails should throw LoadError instead of - `MissingHelperError`. +* Remove deprecated `ActionDispatch::Http::Parameters#symbolized_path_parameters`. - *Piotr Niełacny* + *Rafael Mendonça França* -* Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind body input stream on - parsing json params. +* Remove deprecated option `use_route` in controller tests. - Fixes #11345. + *Rafael Mendonça França* - *Yuri Bol*, *Paul Nikitochkin* +* Ensure `append_info_to_payload` is called even if an exception is raised. -* Ignore spaces around delimiter in Set-Cookie header. + Fixes an issue where when an exception is raised in the request the additonal + payload data is not available. - *Yamagishi Kazutoshi* + See: + * #14903 + * https://github.com/roidrage/lograge/issues/37 -* Remove deprecated Rails application fallback for integration testing, set - `ActionDispatch.test_app` instead. + *Dieter Komendera*, *Margus Pärt* - *Carlos Antonio da Silva* +* Correctly rely on the response's status code to handle calls to `head`. -* Remove deprecated `page_cache_extension` config. + *Robin Dupret* - *Francesco Rodriguez* +* Using `head` method returns empty response_body instead + of returning a single space " ". 
-* Remove deprecated constants from Action Controller: + The old behavior was added as a workaround for a bug in an early + version of Safari, where the HTTP headers are not returned correctly + if the response body has a 0-length. This is been fixed since and + the workaround is no longer necessary. - ActionController::AbstractRequest => ActionDispatch::Request - ActionController::Request => ActionDispatch::Request - ActionController::AbstractResponse => ActionDispatch::Response - ActionController::Response => ActionDispatch::Response - ActionController::Routing => ActionDispatch::Routing - ActionController::Integration => ActionDispatch::Integration - ActionController::IntegrationTest => ActionDispatch::IntegrationTest + Fixes #18253. - *Carlos Antonio da Silva* + *Prathamesh Sonpatki* -* Fix `Mime::Type.parse` when bad accepts header is looked up. Previously it - was setting `request.formats` with an array containing a `nil` value, which - raised an error when setting the controller formats. +* Fix how polymorphic routes works with objects that implement `to_model`. - Fixes #10965. + *Travis Grathwell* - *Becker* +* Stop converting empty arrays in `params` to `nil` -* Merge `:action` from routing scope and assign endpoint if both `:controller` - and `:action` are present. The endpoint assignment only occurs if there is - no `:to` present in the options hash so should only affect routes using the - shorthand syntax (i.e. endpoint is inferred from the path). + This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694 + and CVE-2013-0155 - Fixes #9856. + ActiveRecord now issues a safe query when passing an empty array into + a where clause, so there is no longer a need to defend against this type + of input (any nils are still stripped from the array). - *Yves Senn*, *Andrew White* + *Chris Sinjakli* -* Action View extracted from Action Pack. +* Fixed usage of optional scopes in url helpers. 
- *Piotr Sarnacki*, *Łukasz Strzałkowski* + *Alex Robbin* -* Fix removing trailing slash for mounted apps. +* Fixed handling of positional url helper arguments when `format: false`. - Fixes #3215. + Fixes #17819. - *Piotr Sarnacki* + *Andrew White*, *Tatiana Soukiassian* -Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes. +Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes. |
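Review bot: The new `protect_from_forgery prepend: false` entry does not state the ordering consequence of appending the verification callback. Every `before_action` declared ahead of it (in the example, `authenticate`) now runs before the CSRF check, and the `unless:` condition skips verification based on state that callback sets. Suggest adding a sentence saying that callbacks placed before the verification must not change state, and that the entry names the default (`prepend: true`, if that is what the code does) so readers know the existing behaviour is unchanged. Smaller points in the added lines: "additonal" should be "additional" in the `append_info_to_payload` entry, "This is been fixed since" should read "This has been fixed since" in the `head` entry, "Fix how polymorphic routes works" should be "work", and the sentence ending "and CVE-2013-0155" in the empty-arrays entry is missing its full stop.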