aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/CHANGELOG.md
Commit message (Collapse)AuthorAgeFilesLines
* release notes, extract notable changes from Action Pack CHANGELOG.Yves Senn2015-12-221-24/+25
| | | | [ci skip]
* No more no changes entries in the CHANGELOGsGenadi Samokovarov2015-12-211-3/+0
| | | | | | | | | | | | | | During the `5.0.0.beta1` release, the CHANGELOGs got an entry like the following: ``` * No changes. ``` It is kinda confusing as there are indeed changes after it. Not a biggie, just a small pass over the CHANGELOGs. [ci skip]
* Add CHANGELOG headers for Rails 5.0.0.beta1eileencodes2015-12-181-0/+5
|
* Deprecate `redirect_to :back`Derek Prior2015-12-161-0/+6
| | | | | | | Applications that use `redirect_to :back` can be forced to 500 by clients that do not send the HTTP `Referer` (sic) header. `redirect_back` requires the user to consider this possibility up front and avoids this trivially-caused application error.
* Add `redirect_back` for safer referrer redirectsDerek Prior2015-12-161-0/+6
| | | | | | | | | | | | | | | | | `redirect_to :back` is a somewhat common pattern in Rails apps, but it is not completely safe. There are a number of circumstances where HTTP referrer information is not available on the request. This happens often with bot traffic and occasionally to user traffic depending on browser security settings. When there is no referrer available on the request, `redirect_to :back` will raise `ActionController::RedirectBackError`, usually resulting in an application error. `redirect_back` takes a required `fallback_location` keyword argument that specifies the redirect when the referrer information is not available. This prevents 500 errors caused by `ActionController::RedirectBackError`.
* Fix spacing on CHANGELOG nameeileencodes2015-12-121-1/+1
| | | | So that it appears correctly in the CHANGELOG on github.
* Remove ActionController::TestCase from documentationeileencodes2015-12-121-0/+12
| | | | | | | | | | | | | | | | | | In Rails 5.1 `ActionController::TestCase` will be moved out of Rails into it's own gem. Please use `ActionDispatch::IntegrationTest` going foward. Because this will be moved to a gem I used `# :stopdoc:` instead of deleting the documentation. This will remove it from the Rails documentation but still leave the method documented for when we move it to a gem. Guides have been updated to use the routing structure used in Integration and all test examples have been updated to inherit from `ActionDispatch::IntegrationTest` instead of `ActionController::TestCase. Fixes #22496
* Update Changelog with the added response_format option in AD::DebugExceptionsJorge Bejar2015-12-091-0/+10
|
* Change the `protect_from_forgery` prepend default to `false`eileencodes2015-12-071-0/+23
| | | | | | | | | | | | | | | | | | | | | Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be insterted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example: ```ruby protect_from_forgery prepend: true ```
* [ci skip] Add author's name to CHANGELOGyui-knk2015-11-281-0/+2
|
* Merge pull request #21241 from pdg137/masterArthur Nogueira Neves2015-11-261-0/+4
|\ | | | | In url_for, never append ? when the query string is empty anyway.
| * In url_for, never append ? when the query string is empty anyway.Paul Grayson2015-10-291-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It used to behave like this: url_for(controller: 'x', action: 'y', q: {}) # -> "/x/y?" We previously avoided empty query strings in most cases by removing nil values, then checking whether params was empty. But as you can see above, even non-empty params can yield an empty query string. So I changed the code to just directly check whether the query string ended up empty. (To make everything more consistent, the "removing nil values" functionality should probably move to ActionPack's Hash#to_query, the place where empty hashes and arrays get removed. However, this would change a lot more behavior.)
* | Move `static_cache_contorl` deprecation changelog entry to Railties.Kasper Timm Hansen2015-11-041-5/+0
|/ | | | | | | The configuration for `config.static_cache_control`, and its replacement `config.public_file_server.headers` are implemented in Railties. People would configure this in environment files, which is Railties domain too.
* Revert "ActionController::Base#process() now only takes an action name"Aaron Patterson2015-10-291-4/+0
| | | | This reverts commit 9f93a5efbba3e1cbf0bfa700a17ec8d1ef60d7c6.
* ActionController::Base#process() now only takes an action nameAaron Patterson2015-10-291-0/+4
| | | | | | rather than an action name and *args. The *args were not being used in regular applications outside tests. This causes a backwards compatibility issue, but reduces array allocations for most users.
* Catch invalid UTF-8 querystring values and respond with BadRequestGrey Baker2015-10-231-0/+8
|
* Merge pull request #20715 from simsalabim/feature/parse-rss-atom-as-xmlSean Griffin2015-10-201-0/+4
| | | | parse RSS/ATOM responses as XML, not HTML
* Show helpful messages on invalid param. encodingsAgis Anastasopoulos2015-10-191-0/+7
| | | | | | | | | | | | | | | | | | Prior to this change, given a route: # config/routes.rb get ':a' => "foo#bar" If one pointed to http://example.com/%BE (param `a` has invalid encoding), a `BadRequest` would be raised with the following non-informative message: ActionController::BadRequest From now on the message displayed is: Invalid parameter encoding: hi => "\xBE" Fixes #21923.
* Merge pull request #19135 from yuki24/access-control-supportJeremy Daer2015-10-131-0/+19
|\ | | | | | | Add basic support for access control headers to ActionDispatch::Static
| * Add the ability of returning arbitrary headers to ActionDispatch::StaticYuki Nishijima2015-06-131-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now ActionDispatch::Static can accept HTTP headers so that developers will have control of returning arbitrary headers like 'Access-Control-Allow-Origin' when a response is delivered. They can be configured through `#config.public_file_server.headers`: config.public_file_server.headers = { "Cache-Control" => "public, max-age=60", "Access-Control-Allow-Origin" => "http://rubyonrails.org" } Also deprecate `config.static_cache_control` in favor of `config.public_file_server.headers`.
* | Allow multiple `root` routes in same scope levelRafael Sales2015-10-101-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an application has multiple root entries with different constraints, the current solution is to use `get '/'`. Example: **Currently I have to do:** ```ruby get '/', to: 'portfolio#show', constraints: ->(req) { Hostname.portfolio_site?(req.host) } get '/', to: 'blog#show', constraints: ->(req) { Hostname.blog_site?(req.host) } root 'landing#show' ``` **But I would like to do:** ```ruby root 'portfolio#show', constraints: ->(req) { Hostname.portfolio_site?(req.host) } root 'blog#show', constraints: ->(req) { Hostname.blog_site?(req.host) } root 'landing#show' ``` Other URL matchers such as `get`, `post`, etc, already allows this, so I think it's fair that `root` also allow it since it's just a shortcut for a `get` internally.
* | Fix mounted engine named routes regressionMatthew Erhard2015-10-071-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When generating the url for a mounted engine through its proxy, the path should be the sum of three parts: 1. Any `SCRIPT_NAME` request header or the value of `ActionDispatch::Routing::RouteSet#relative_url_root`. 2. A prefix (the engine's mounted path). 3. The path of the named route inside the engine. Since commit https://github.com/rails/rails/commit/44ff0313c121f528a68b3bd21d6c7a96f313e3d3, this has been broken. Step 2 has been changed to: 2. A prefix (the value of `ActionDispatch::Routing::RouteSet#relative_url_root` + the engine's mounted path). The value of `ActionDispatch::Routing::RouteSet#relative_url_root` is taken into account in step 1 of the route generation and should be ignored when generating the mounted engine's prefix in step 2. This commit fixes the regression by having `ActionDispatch::Routing::RouteSet#url_for` check `options[:relative_url_root]` before falling back to `ActionDispatch::Routing::RouteSet#relative_url_root`. The prefix generating code then sets `options[:relative_url_root]` to an empty string. This empty string is used instead of `ActionDispatch::Routing::RouteSet#relative_url_root` and avoids the duplicate `relative_url_root` value in the final result. This resolves #20920 and resolves #21459
* | Use `Mime[:foo]` instead of `Mime::Type[:FOO]` for back compatJeremy Daer2015-10-061-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries that support multiple Rails versions would've had to feature-detect whether to use `Mime::Type[:FOO]` or `Mime::FOO`. `Mime[:foo]` has been around for ages to look up registered MIME types by symbol / extension, though, so libraries and plugins can safely switch to that without breaking backward- or forward-compatibility. Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup by type or extension, so it's not available as `Mime[:all]`. We use it internally as a wildcard for `respond_to` negotiation. If you use this internal constant, continue to reference it with `Mime::ALL`. Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
* | stop applying default headers in ActionDispatch::ResponseAaron Patterson2015-09-231-0/+5
| | | | | | | | | | | | | | | | | | | | I'm making this change so that I can construct response objects that *don't* have the default headers applied. For example, I would like to construct a response object from the return value of a controller. If you need to construct a response object with the default headers, then please use the alternate constructor: `ActionDispatch::Response.create`
* | Fix a typo: Mime::Types should be Mime::Type [ci skip]Juanito Fatas2015-09-221-1/+1
| |
* | update changelog for mime changesAaron Patterson2015-09-211-0/+13
| |
* | Merge pull request #21502 from ↵Rafael Mendonça França2015-09-081-0/+4
|\ \ | | | | | | | | | | | | | | | bernerdschaefer/bs-polymorphic-url_for-dups-arguments `url_for` does not modify polymorphic options
| * | `url_for` does not modify polymorphic optionsBernerd Schaefer2015-09-041-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The `url_for` methods in `actionpack` and `actionview` now make a copy of the provided options before generating polymorphic paths or URLs. The bug in the previous behavior is most noticeable in a case like: url_options = [:new, :post, param: 'value'] if current_page?(url_options) css_class = "active" end link_to "New Post", url_options, class: css_class
* | | Make `config.force_ssl` less dangerous to try and easier to disableJeremy Daer2015-09-071-0/+27
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SSL redirect: * Move `:host` and `:port` options within `redirect: { … }`. Deprecate. * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well. HTTP Strict Transport Security (HSTS): * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists. * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1 * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
* | minor copy edit. [ci skip]Yves Senn2015-08-271-2/+2
| | | | | | | | Follow up to #21384.
* | Updating TestSession to access with indifferenceJeremy Friesen2015-08-261-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following Rails code failed (with a `KeyError` exception) under test: ```ruby class ApplicationController < ActionController::Base def user_strategy # At this point: # ```ruby # session == { # "user_strategy"=>"email", # "user_identifying_value"=>"hello@world.com" # } # ``` if session.key?(:user_strategy) session.fetch(:user_strategy) end end end ``` When I checked the session's keys (`session.keys`), I got an array of strings. If I accessed `session[:user_strategy]` I got the expected `'email'` value. However if I used `session.fetch(:user_strategy)` I got a `KeyError` exception. This appears to be a Rails 4.2.4 regression (as the code works under Rails 4.2.3). Closes #21383
* | Using strings or symbols for middleware class names is deprecated.Aaron Patterson2015-08-071-0/+9
| | | | | | | | | | | | | | | | | | | | Convert things like this: middleware.use "Foo::Bar" to this: middleware.use Foo::Bar
* | Adds missing argument handling for ActionController::TestSession toMatthew Gerrior2015-08-061-0/+9
| | | | | | | | allow testing controllers that use session#fetch with a default value.
* | Fix exception overwritten for parameters fetch methodRoque Pinel2015-07-181-0/+5
| | | | | | | | | | | | | | | | | | When executing an `ActionController::Parameters#fetch` with a block that raises a `KeyError` the raised `KeyError` will be rescued and converted to an `ActionController::ParameterMissing` exception, covering up the original exception. [Jonas Schubert Erlandsson & Roque Pinel]
* | [skip ci] Lookup can be a noun but it is not a verbJon Atack2015-07-171-1/+2
| | | | | | | | Various grammar corrections and wrap to 80 characters.
* | Update documentation on `AC::Parameters`Prem Sichanugrist2015-07-151-1/+1
| |
* | Make AC::Parameters not inherited from HashPrem Sichanugrist2015-07-151-0/+14
| | | | | | | | | | | | | | | | This is another take at #14384 as we decided to wait until `master` is targeting Rails 5.0. This commit is implementation-complete, as it guarantees that all the public methods on the hash-inherited Parameters are still working (based on test case). We can decide to follow-up later if we want to remove some methods out from Parameters.
* | Replaced `ActiveSupport::Concurrency::Latch` with concurrent-ruby.Jerry D'Antonio2015-07-131-0/+5
| | | | | | | | | | | | | | | | | | | | The concurrent-ruby gem is a toolset containing many concurrency utilities. Many of these utilities include runtime-specific optimizations when possible. Rather than clutter the Rails codebase with concurrency utilities separate from the core task, such tools can be superseded by similar tools in the more specialized gem. This commit replaces `ActiveSupport::Concurrency::Latch` with `Concurrent::CountDownLatch`, which is functionally equivalent.
* | Allow filtering params based on parent keysGuillaume Malette2015-06-221-0/+10
| | | | | | | | | | | | | | | | | | | | Add the possibility to only filter parameters based on their full path instead of relying on the immediate key. config.filter_parameters += ['credit_card.code'] { 'credit_card' => { 'code' => '[FILTERED]' }, 'source' => { 'code' => '<%= puts 5 %>' } }
* | Revert "Merge pull request #20584 from arthurnn/fix_url"Arthur Neves2015-06-171-4/+0
| | | | | | | | | | | | | | | | This reverts commit 0b3397872582f2cf1bc6960960a6393f477c55e6, reversing changes made to 56d52e3749180e6c1dcf7166adbad967470aa78b. As pointed out on the PR, this will hide development mistakes too, which is not ideal.
* | Catch InvalidURIError on bad paths on redirect.Arthur Neves2015-06-161-0/+4
| | | | | | | | | | Handle URI::InvalidURIError errors on the redirect route method, so it wont raise a 500 if a bad path is given.
* | Deprecate passing hash as first parameter into ActionController::HeadMehmet Emin İNAÇ2015-06-151-0/+4
| |
* | quick pass over changelogs. [ci skip]Yves Senn2015-06-151-4/+4
|/
* Handle param-parsing errors from Rack in ExceptionWrapperGrey Baker2015-06-121-0/+6
|
* Add CHANGELOG entries for API apps functionalitySantiago Pastorino2015-06-111-0/+6
|
* Merge pull request #19094 from phoet/have_bearer_be_valid_as_wellRafael Mendonça França2015-06-011-0/+10
|\ | | | | Have Bearer be valid as well
| * add changelog entryphoet2015-06-011-0/+10
| |
* | Remove `assigns` and `assert_template`.Guo Xiang Tan2015-05-301-0/+7
|/
* Merge pull request #20017 from eliotsykes/configurable-static-index-filenameRafael Mendonça França2015-05-281-0/+8
|\ | | | | | | config.static_index configures directory Index "index.html" filename
| * config.static_index configures directory index "index.html" filenameEliot Sykes2015-05-281-0/+8
| | | | | | | | | | | | Set `config.static_index` to serve a static directory index file not named `index`. For example, to serve `main.html` instead of `index.html` for directory requests, set `config.static_index` to `"main"`.