diff options
Diffstat (limited to 'guides/source/upgrading_ruby_on_rails.md')
-rw-r--r-- | guides/source/upgrading_ruby_on_rails.md | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md index b838874e2b..2f0f3573fb 100644 --- a/guides/source/upgrading_ruby_on_rails.md +++ b/guides/source/upgrading_ruby_on_rails.md @@ -27,6 +27,31 @@ Upgrading from Rails 4.0 to Rails 4.1 NOTE: This section is a work in progress. +### CSRF protection from remote `<script>` tags + +Or, "whaaat my tests are failing!!!?" + +Cross-site request forgery (CSRF) protection now covers GET requests with +JavaScript responses, too. That prevents a third-party site from referencing +your JavaScript URL and attempting to run it to extract sensitive data. + +This means that your functional and integration tests that use + +```ruby +get :index, format: :js +``` + +will now trigger CSRF protection. Switch to + +```ruby +xhr :get, :index, format: :js +``` + +to explicitly test an XmlHttpRequest. + +If you really mean to load JavaScript from remote `<script>` tags, skip CSRF +protection on that action. + ### Spring If you want to use Spring as your application preloader you need to: @@ -68,7 +93,7 @@ secrets, you need to: ### Changes in JSON handling -The are a few major changes related to JSON handling in Rails 4.1. +There are a few major changes related to JSON handling in Rails 4.1. #### MultiJSON removal @@ -200,6 +225,23 @@ Note that this option was added as a security measure, to ensure user input coul not be used as locale information unless previously known, so it's recommended not to disable this option unless you have a strong reason for doing so. +### Mutator methods called on Relation + +`Relation` no longer has mutator methods like `#map!` and `#delete_if`. Convert +to an `Array` by calling `#to_a` before using these methods. + +It intends to prevent odd bugs and confusion in code that call mutator +methods directly on the `Relation`. + +```ruby +# Instead of this +Author.where(name: 'Hank Moody').compact! + +# Now you have to do this +authors = Author.where(name: 'Hank Moody').to_a +authors.compact! +``` + Upgrading from Rails 3.2 to Rails 4.0 ------------------------------------- |