aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Remove single space response body for head requestPrathamesh Sonpatki2014-12-301-2/+2
| | | | | | | | | | | | | | - The single space response was added due to a bug in safari in https://github.com/rails/rails/commit/cb0f8fda9652c4d24d04693bdb82cecd3b067e5c and https://github.com/rails/rails/commit/807df4fcf021fc4d15972aa1c17ba7398d43ab0d. - This was removed from the `render nothing: true` in https://github.com/rails/rails/pull/14883. - Removing it from response of :head also. As :head is more obvious alternative to call `render nothing: true`(http://guides.rubyonrails.org/layouts_and_rendering.html#using-head-to-build-header-only-responses), removing it from head method also. - Closes #18253.
* Minor documentation edits [ci skip]Robin Dupret2014-12-281-1/+1
|
* Update example test documentationBen Prew2014-12-281-4/+2
| | | Example does not work with session headers, should use request headers. [ci skip]
* Remove ActionController::ModelNamingclaudiob2014-12-251-12/+0
| | | | | | | | | | | | | | The methods in these modules are not used anywhere. They used to be invoked in polymorphic_routes.rb but their usage was removed in e821045. What is your opinion about removing these methods? They do belong to the public API, but in reality their code has already been duplicated to ActionView::ModelNaming, since they are used by methods like `dom_id` and `dom_class` to associated records with DOM elements (in ActionView). Please tell me if you think that removing this module is a good idea and, in that case, if the PR is okay as it is, or you'd rather start by showing a deprecation message, and remove the module in Rails 5.1.
* Merge pull request #18102 from arthurnn/nodoc_constantArthur Nogueira Neves2014-12-191-0/+1
| | | | Add nodoc to some constants [skip ci]
* Revert "Merge pull request #18003 from ↵Godfrey Chan2014-12-191-11/+6
| | | | | | | | | | sikachu/permit_all_parameters-thread-safety" This reverts commit da5cc10e945552da54234f858470238a3fc36767. Fixes #18091 See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
* Fix typo in nodoc should be `:nodoc:` for RDoc to parse correctlyZachary Scott2014-12-171-1/+1
|
* Merge pull request #17995 from ↵Rafael Mendonça França2014-12-161-0/+2
|\ | | | | | | | | jethroo/fix/assert_template_with_unsupported_layout_type assert template should raise ArgumentError for unsupported layout types
| * adding that assert_template with :layout will raise ArgumentError for ↵Carsten Wirth2014-12-161-0/+2
| | | | | | | | unknown layout type
* | Don't convert empty arrays to nils when deep munging paramsChris Sinjakli2014-12-151-9/+0
| |
* | Merge pull request #18006 from sikachu/add-params-to_unsafe_hRafael Mendonça França2014-12-121-0/+6
|\ \ | | | | | | Add AC::Parameters#to_unsafe_h
| * | Add AC::Parameters#to_unsafe_hPrem Sichanugrist2014-12-121-0/+6
| |/ | | | | | | | | | | | | | | | | As suggested in #16299([1]), this method should be a new public API for retrieving unfiltered parameters from `ActionController::Parameters` object, given that `Parameters#to_hash` will no longer work in Rails 5.0+ as we stop inheriting `Parameters` from `Hash`. [1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
* / Make AC::Params.permit_all_parameters thread safePrem Sichanugrist2014-12-121-1/+10
|/ | | | | | | As discussed in #16299[1], this attribute is not thread safe and could potentially create a security issue. [1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
* remove unused #await_closeSergey Alekseev2014-12-041-6/+0
| | | | | | | | | The method was added in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-5055d9f16b442adb1d2f0f65903a196bR141. With the method call in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-cc7bb557df2247c0a42bc180fdb6eb05R47. Later one more method call was added in https://github.com/rails/rails/commit/401787db4bc428dce88b04e343a64c6a6c3b681c#diff-cc7bb557df2247c0a42bc180fdb6eb05R183. And both method calls were deleted in https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L47 and https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L189. Just do `grep -nr 'await_close' .`.
* Pass symbol as an argument instead of a blockErik Michaels-Ober2014-11-291-1/+1
|
* Merge pull request #17186 from tgxworld/header_authentication_tokenMatthew Draper2014-11-271-2/+9
|\ | | | | | | Allow authentication header to not have to specify 'token=' key.
| * Allow authentication header to not have to specify 'token=' key.Guo Xiang Tan2014-10-101-2/+9
| | | | | | | | Fixes: https://github.com/rails/rails/issues/17108.
* | Remove extra empty lineArtur Cygan2014-11-261-1/+0
| |
* | :scissors:Rafael Mendonça França2014-11-261-1/+1
| |
* | getting the location of the serverdilpreet922014-11-261-2/+2
| |
* | Deprecate `use_route` in controller testsGodfrey Chan2014-11-231-1/+22
| | | | | | | | Reference #17453
* | Wrap code snippets in +, not backticks, in sdocclaudiob2014-11-202-5/+5
| | | | | | | | | | | | | | | | I grepped the source code for code snippets wrapped in backticks in the comments and replaced the backticks with plus signs so they are correctly displayed in the Rails documentation. [ci skip]
* | Use request method instead of ActionDispatch::Request#request_method instead ↵Ilya Katz2014-11-201-1/+1
| | | | | | | | of ActionDispatch::Request#method to pick up overrides by the middleware
* | Make sure assert_select can assert body tagRafael Mendonça França2014-11-181-4/+4
| | | | | | | | | | | | | | | | | | This reverts commit f93df52845766216f0fe36a4586f8abad505cac4, reversing changes made to a455e3f4e9dbfb9630d47878e1239bc424fb7d13. Conflicts: actionpack/lib/action_controller/test_case.rb actionview/lib/action_view/test_case.rb
* | document_root_element need to be publicRafael Mendonça França2014-11-171-4/+4
| |
* | Pass the route name explicitlyGodfrey Chan2014-11-101-1/+2
| | | | | | | | | | | | Follow up to 212057b9. Since that commit, we need to pass the `route_name` explicitly. This is one of the left-over cases that was not handled in that commit, which was causing `use_route` to be ignored in functional tests.
* | Removed documentation that still mentioned using respond_with in placeRobert Evans2014-11-052-18/+5
| | | | | | | | | | of respond_to. respond_with was moved into the responders gem and deprecated inside rails, so there is no need to mention it within rails itself.
* | Call gsub with a Regexp instead of a String for better performancePablo Herrero2014-11-011-1/+1
| |
* | let's warn with heredocsXavier Noria2014-10-281-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | The current style for warning messages without newlines uses concatenation of string literals with manual trailing spaces where needed. Heredocs have better readability, and with `squish` we can still produce a single line. This is a similar use case to the one that motivated defining `strip_heredoc`, heredocs are super clean.
* | UrlGenerationError are not catched as 404 anymoreJean Boussier2014-10-271-1/+1
| |
* | Use AS secure_compare for CSRF token comparisonGuillermo Iguaran2014-10-231-2/+2
| |
* | remove duplicate method (_status_code) in action_dispatchAbdelkader Boudih2014-10-191-1/+1
| |
* | Make _status_code methods nodocPrathamesh Sonpatki2014-10-191-3/+3
| | | | | | | | | | - Also one minor change for documenting url_for method in ActionController::Metal. [ci skip]
* | Replace (slower) block.call with (faster) yieldclaudiob2014-10-171-2/+2
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | Performance optimization: `yield` with an implicit `block` is faster than `block.call`. See http://youtu.be/fGFM_UrSp70?t=10m35s and the following benchmark: ```ruby require 'benchmark/ips' def fast yield end def slow(&block) block.call end Benchmark.ips do |x| x.report('fast') { fast{} } x.report('slow') { slow{} } end # => fast 154095 i/100ms # => slow 71454 i/100ms # => # => fast 7511067.8 (±5.0%) i/s - 37445085 in 4.999660s # => slow 1227576.9 (±6.8%) i/s - 6145044 in 5.028356s ```
* Rephrasing sentencesNeeraj Singh2014-10-071-2/+2
|
* Parse HTML as document fragment.Kasper Timm Hansen2014-09-291-1/+1
| | | | This is to match the changes in Rails Dom Testing rails/rails-dom-testing#20.
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-09-281-6/+6
|\
| * Consistently markup etag options.Steven Harman2014-09-161-3/+3
| |
| * Consistently capitalize ETag.Steven Harman2014-09-161-3/+3
| |
* | code gardening in ActionController::RenderersXavier Noria2014-09-041-7/+12
|/ | | | | | | | | | | | | | | | | | | * Renames _handle_render_options to _render_to_body_with_renderer, which is more intention-revealing. * The name of the dynamically generated method for a renderer with key :js was "_render_option_js". That name is too weak. :js is an option if you see the render argument as just a generic options hash, but in the context of renderers that's the renderer key, is what identifies the renderer. Now "_render_with_renderer_js" is generated instead, which is crystal clear. * The name of the dynamically generated method for the renderer was constructed using string literals in a few places. That is now encapsulated in a method. * Since we were on it, also removed a couple of redundant selfs.
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-3/+65
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-191-3/+84
|\ \ | | | | | | Update `ActionController::Parameters` to be more secure on parameters handling
| * | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | | | | | | | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-181-1/+25
| | | | | | | | | | | | | | | | | | | | | * `each` * `each_pair` * `delete` * `select!`
| * | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-191-2/+2
|\ \ \ | |/ / |/| | | | | | | | | | | | | | Conflicts: actionpack/lib/action_controller/metal/mime_responds.rb actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb activerecord/lib/active_record/type/value.rb
| * | Uppercase HTML in docs.Hendy Tanata2014-08-082-9/+9
| | | | | | | | | | | | [skip ci]