aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal
Commit message (Collapse)AuthorAgeFilesLines
...
* Simplify code branch, remove #tapCarlos Antonio da Silva2014-07-311-7/+6
|
* Avoid a new hash objectCarlos Antonio da Silva2014-07-311-1/+1
|
* Fix protect_from_forgery docsDavid Albert2014-07-271-1/+1
|
* docs, add ref where to find valid `head` status symbols.Yves Senn2014-07-251-0/+2
| | | | [ci skip]
* Don't accept parameters as argument for redirect to [via @homakov]Santiago Pastorino2014-07-161-0/+1
| | | | Closes #16170
* Removed single space padding from empty response body.Godfrey Chan2014-07-101-6/+2
| | | | | | | | | | | | `render nothing: true` or rendering a `nil` body no longer add a single space to the response body. The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This is been fixed since and the workaround is no longer necessary. Use `render body: ' '` if the old behavior is desired.
* Address CVE-2014-4671 (JSONP Flash exploit)Greg Campbell2014-07-091-1/+1
| | | | | | Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.
* Merge pull request #16011 from xjlu/token_and_optionsRafael Mendonça França2014-07-041-1/+1
|\ | | | | Improve token_and_options regex and test
| * Improve token_and_options regex and testXinjiang Lu2014-07-011-1/+1
| | | | | | | | add a test case to test the regex for the helper method raw_params
* | Change the JSON renderer to enforce the 'JS' Content TypeLucas Mazza2014-07-021-1/+4
|/ | | | | | | The controller can set the response format as 'JSON' before the renderer code be evaluated, so we must replace it when necessary. Fixes #15081
* Merge pull request #15933 from rafael/masterRafael Mendonça França2014-06-271-5/+20
|\ | | | | | | | | | | Add always permitted parameters as a configurable option. [Rafael Mendonça França + Gary S. Weaver]
| * Improvements per code review.Rafael Chacón2014-06-271-4/+3
| | | | | | | | | | | | * General style fixes. * Add changes to configuration guide. * Add missing tests.
| * Add always_permitted_parameters as an option.Rafael Chacón2014-06-261-5/+21
| | | | | | | | | | | | | | | | | | * This commit adds back the always_permitted_parameters configuration option to strong paramaters. * The initial pull requests where this feature was added are the following: - https://github.com/rails/rails/pull/12682 - https://github.com/rails/strong_parameters/pull/174
* | `:nodoc: all` does not remove the constants from the API. [ci skip]Yves Senn2014-06-241-1/+1
| | | | | | | | | | Need to add individual `:nodoc:` for nested classes / modules to completely remove the constants from the API.
* | [ci skip] /javascript/ ~> JavaScriptAditya Kapoor2014-06-171-3/+3
| |
* | Merge pull request #15692 from sromano/falseClassMatthew Draper2014-06-141-1/+6
|\ \ | | | | | | | | | ActionController::Parameters#require now accepts FalseClass values
| * | ActionController::Parameters#require now accepts FalseClass valuesSergio Romano2014-06-131-0/+1
|/ / | | | | | | Fixes #15685.
* | Fix parsed token value with header `Authorization token=`.Larry Lv2014-06-131-2/+2
| |
* | Set the status before of setting the response bodyGuillermo Iguaran2014-06-131-2/+2
| | | | | | | | | | | | | | The 401 status should be set first because setting the response body in a live controller also closes the response to further changes. Fixes #14229.
* | Handle client disconnect during live streamingMatthew Draper2014-06-081-0/+48
| | | | | | | | .. even when the producer is blocked for a write.
* | adds some details to the rationale of converted_arrays [ci skip]Xavier Noria2014-06-071-0/+4
| |
* | Revert "Convert StrongParameters cache to a hash. This fixes an unbounded"Xavier Noria2014-06-071-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We cannot cache keys because arrays are mutable. We rather want to cache the arrays. This behaviour is tailor-made for the usage pattern strongs params is designed for. In a forthcoming commit I am going to add a test that covers why we need to cache by value. Every strong params instance has a live span of a request, the cache goes away with the object. Since strong params have such a concrete intention, it would be interesting to see if there are actually any real-world use cases that are an actual leak, one that practically may matter. I am not convinced that the theoretical leak has any practical consequences, but if it can be shown there are, then I believe we should either get rid of the cache (which is an optimization), or else wipe it in the mutating API. This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
* | [ci skip] Fix capitalizationAkshay Vishnoi2014-06-071-1/+1
| |
* | eliminate wasteful AS::SafeBuffer allocationAaron Patterson2014-06-061-1/+1
| |
* | Avoid misuse of underscore argumentCorey Ward2014-06-051-2/+2
| | | | | | Per convention, underscore-only argument names should be used for unused parameters.
* | Convert StrongParameters cache to a hash. This fixes an unboundedRyan Davis2014-06-031-6/+6
| | | | | | | | | | | | memory leak demonstrated on @tenderlove's latest blog post: http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
* | Fix docs for ActionController::Renderers.addGuillermo Iguaran2014-05-261-1/+1
| |
* | use symbol keys for path_parametersAaron Patterson2014-05-221-1/+1
| |
* | we can just use Ruby hereAaron Patterson2014-05-211-2/+2
| |
* | fix formatting and text for ActionController::Redirecting docLaurel Fan2014-05-211-4/+8
| |
* | Merge pull request #11346 from tomykaira/fix_10257Rafael Mendonça França2014-05-201-2/+14
|\ \ | | | | | | Check authentication scheme in Basic auth
| * | Run login_procedure only when the auth_scheme is validtomykaira2013-07-081-7/+14
| | |
| * | Check authentication scheme in Basic authtomykaira2013-07-071-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.
* | | Add ActionController::Renderers.remove.Zuhao Wan2014-05-201-0/+16
| | |
* | | fixes stack level too deep exception on action named 'status' returning ↵Christiaan Van den Poel2014-05-152-2/+2
| | | | | | | | | | | | 'head :ok'
* | | Add multiple lines message support for SSE moduleayaya2014-05-121-1/+2
| | |
* | | Moved 'params[request_forgery_protection_token]' into its own method and ↵Tom Kadwill2014-05-061-1/+1
| | | | | | | | | | | | improved tests.
* | | do not allocate strings while creating urlsAaron Patterson2014-04-301-1/+1
| | |
* | | don't allocate string on hash accessAaron Patterson2014-04-301-1/+1
| | |
* | | ActionController::Renderers documentation fixStevie Graham2014-04-201-2/+2
| | | | | | | | | | | | | | | ActionController::Renderers::RENDERERS is an instance of Set. Docs incorrectly state that it's a Hash.
* | | [ci skip] builtin -> built-inAkshay Vishnoi2014-04-201-1/+1
| | |
* | | Tiny doc fix for Strong ParametersIan C. Anderson2014-03-301-1/+1
| | | | | | | | | - accepts_nested_attribute_for -> accepts_nested_attributes_for
* | | Replace trivial regexp with string or index, twice as fastKelley Reynolds2014-03-281-1/+1
| | |
* | | re-raise error if error occurs before committing in streamingKevin Casey2014-03-141-10/+11
| | | | | | | | | | | | update the tests, using an if-else
* | | use the body proxy to freeze headersAaron Patterson2014-03-121-2/+8
| | | | | | | | | | | | | | | | | | avoid freezing the headers until the web server has actually read data from the body proxy. Once the webserver has read data, then we should throw an error if someone tries to set a header
* | | just ask the response for the commit status, we do not need to ask the jarAaron Patterson2014-03-121-1/+1
| | |
* | | only write the jar if the response isn't committedAaron Patterson2014-03-121-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when streaming responses, we need to make sure the cookie jar is written to the headers before returning up the stack. This commit introduces a new method on the response object that writes the cookie jar to the headers as the response is committed. The middleware and test framework will not write the cookie headers if the response has already been committed. fixes #14352
* | | Merge pull request #14280 from joho/make_csrf_failure_logging_optionalSantiago Pastorino2014-03-081-1/+7
|\ \ \ | | | | | | | | Make CSRF failure logging optional/configurable.
| * | | Make CSRF failure logging optional/configurable.John Barton (joho)2014-03-051-1/+7
| | | | | | | | | | | | | | | | | | | | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* | | | Do note remove `Content-Type` when `render :body`Prem Sichanugrist2014-03-052-5/+3
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `render :body` should just not set the `Content-Type` header. By removing the header, it breaks the compatibility with other parts. After this commit, `render :body` will returns `text/html` content type, sets by default from `ActionDispatch::Response`, and it will preserve the overridden content type if you override it. Fixes #14197, #14238 This partially reverts commit 3047376870d4a7adc7ff15c3cb4852e073c8f1da.
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 02:40:38 +0000