aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #36672 from jbaranov/strong-params-hashRafael França2019-07-161-0/+5
|\ | | | | Add hash method to ActionController::Parameters
| * Add hash method to ActionController::ParametersEugene Baranov2019-07-141-0/+5
| |
* | Use reserved domain for example configurationJacob Bednarz2019-07-151-1/+1
|/ | | | | | | Updates the generator output to use a reserved domain[1] instead of a potentially real world domain. [1]: https://tools.ietf.org/html/rfc2606#section-3
* Adds support for configuring HTTP Feature Policy (#33439)Jacob Bednarz2019-07-102-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
* Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-1310-16/+0
| | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* Change `ActionDispatch::Response#content_type` returning Content-Type header ↵yuuji.yaginuma2019-06-014-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | as it is Since #35709, `Response#conten_type` returns only MIME type correctly. It is a documented behavior that this method only returns MIME type, so this change seems appropriate. https://github.com/rails/rails/blob/39de7fac0507070e3c5f8b33fbad6fced84d97ed/actionpack/lib/action_dispatch/http/response.rb#L245-L249 But unfortunately, some users expect this method to return all Content-Type that does not contain charset. This seems to be breaking changes. We can change this behavior with the deprecate cycle. But, in that case, a method needs that include Content-Type with additional parameters. And that method name is probably the `content_type` seems to properly. So I changed the new behavior to more appropriate `media_type` method. And `Response#content_type` changed (as the method name) to return Content-Type header as it is. Fixes #35709. [Rafael Mendonça França & Yuuji Yaginuma ]
* Merge pull request #36329 from XrXr/no-doc-template-assertionsRafael França2019-05-221-1/+1
|\ | | | | Remove compatibility module from docs [ci skip]
| * Remove compatibility module from docs [ci skip]Alan Wu2019-05-221-1/+1
| | | | | | | | | | This module exists to warn old users. I think we should remove it from the docs so we don't advertise it.
* | Implemented deep_transform_keys/! for ActionController::ParametersGustavo Gutierrez2019-05-221-0/+17
|/
* Return parameters enumerator from transform_keys/!Eugene Kenny2019-05-181-7/+5
| | | | | | | | | | | | | | | | | Previously calling `ActionController::Parameters#transform_keys/!` without passing a block would return an enumerator for the underlying hash, which was inconsistent with the behaviour when a block was passed: ActionController::Parameters.new(foo: "bar").transform_keys { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false> ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => {"foo"=>"bar"} An enumerator for the parameters is now returned instead, ensuring that evaluating it produces another parameters object instead of a hash: ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false>
* fixed usage of Parameters when a non-numeric key existsL.Fexon2019-05-131-7/+17
| | | | | | | | | | test for non-numeric key in nested attributes test: extra blank line between tests removed test for non-numeric key fixed (by Daniel) Update according to feedback
* Revert "Include Caching module for ActionController::API"Rafael França2019-04-221-1/+0
|
* Make sure api controllers can perform caching as wellst00122019-04-191-0/+1
| | | | | | | | | | Currently ActionController::API doesn't include Caching module, so it can't perform caching. And even if users include it later manually, it won't inherit application's default cache store for action_controllers. So the only way to solve this issue is to include Caching module in ActionController::API, too. This closes #35602
* Remove unused modules from StrongParametersPatrik Bóna2019-04-151-4/+0
| | | | | | Unless I'm missing some undocumented use case, these modules aren't needed in `StrongParameters` anymore since 8e221127ab. Also, all actionpack tests are passing without them.
* Merge pull request #32541 from sergiogomez/remove-lock-from-params-wrapperMatthew Draper2019-04-121-1/+1
|\ | | | | Remove lock from method model
| * Remove lock from method modelSergio Gómez2018-04-121-1/+1
| |
* | Deduplicate strings held by the routerJean Boussier2019-04-031-1/+1
| |
* | Fix annotated typoPrathamesh Sonpatki2019-03-291-1/+1
| |
* | Suggest 'strict-origin' Referrer-Policy headerTom Richards2019-03-171-1/+1
| |
* | Update small typo in documentation.Kurt Mueller2019-03-121-1/+1
| |
* | Merge pull request #35121 from utilum/warning_tried_to_create_proc_without_blockKasper Timm Hansen2019-03-101-2/+2
|\ \ | | | | | | Ruby 2.7 warning: creating a Proc without a block
| * | ActionPack Proc.new without a blockutilum2019-02-131-2/+2
| | | | | | | | | | | | | | | | | | This commit fixes cases that use pre Ruby [r66772](https://bugs.ruby-lang.org/projects/ruby-trunk/repository/trunk/revisions/66772) syntax that are not tickled by the test suite.
* | | [ci skip] Fix typosShailesh Kalamkar2019-03-071-1/+1
| | |
* | | Merge pull request #35400 from aglushkov/stream_manual_cache_controlAaron Patterson2019-02-251-1/+1
|\ \ \ | | | | | | | | Allow custom cache-control header in AC::Live
| * | | Allow custom cache-control header in AC::LiveAndrey Glushkov2019-02-251-1/+1
| |/ / | | | | | | | | | https://github.com/rails/rails/issues/35312
* / / Pass the template format to the digestorAaron Patterson2019-02-151-1/+1
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit passes the template format to the digestor in order to come up with a key. Before this commit, the digestor would depend on the side effect of the template renderer setting the rendered_format on the lookup context. I would like to remove that mutation, so I've changed this to pass the template format in to the digestor. I've introduced a new instance variable that will be alive during a template render. When the template is being rendered, it pushes the current template on to a stack, setting `@current_template` to the template currently being rendered. When the cache helper asks the digestor for a key, it uses the format of the template currently on the stack.
* | Tighten up the AV::Base constructorAaron Patterson2019-01-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The AV::Base constructor was too complicated, and this commit tightens up the parameters it will take. At runtime, AV::Base is most commonly constructed here: https://github.com/rails/rails/blob/94d54fa4ab641a0ddeb173409cb41cc5becc02a9/actionview/lib/action_view/rendering.rb#L72-L74 This provides an AV::Renderer instance, a hash of assignments, and a controller instance. Since this is the common case for construction, we should remove logic from the constructor that handles other cases. This commit introduces special constructors for those other cases. Interestingly, most code paths that construct AV::Base "strangely" are tests.
* | Typo fixes action pack.alkesh262019-01-262-2/+2
| |
* | Merge pull request #35018 from gmcgibbon/revert_redirect_to_allow_other_hostRafael França2019-01-222-29/+7
|\ \ | | | | | | Revert ensure external redirects are explicitly allowed
| * | Revert ensure external redirects are explicitly allowedGannon McGibbon2019-01-222-29/+7
| | |
* | | Merge pull request #34952 from rails/template-stuffAaron Patterson2019-01-222-3/+3
|\ \ \ | |/ / |/| | Template Handler Refactoring
| * | Remove args from `default_render`Aaron Patterson2019-01-172-3/+3
| | | | | | | | | | | | It's always called with 0 params, so just remove the parameter
* | | Update the promisse that ActionController::TestCase will be extractedRafael Mendonça França2019-01-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | We are past 5.1 and it was not extrated yet, so while we still have plans they will not be realized on 6.0, so it is better to not set expectations of which release will exclude it just yet. [ci skip]
* | | Ensure external redirects are explicitly allowedGannon McGibbon2019-01-173-17/+39
| | | | | | | | | | | | Add `fallback_location` and `allow_other_host` options to `redirect_to`.
* | | Document that `format.any` can match all formatsDaniel Schierbeck2019-01-161-0/+8
|/ / | | | | I had to dig around the code to discover this, since I had a use case for the behavior.
* | Capture parsing errors for ActionController::ParamsWrapper#process_actionHaroon Ahmed2019-01-081-16/+17
| |
* | Remove mention about `Test::Unit::TestCase` [ci skip]bogdanvlviv2019-01-021-3/+0
| | | | | | | | | | | | We've switched from `Test::Unit::TestCase` to `ActiveSupport::TestCase` since Rails 2.3. See https://edgeguides.rubyonrails.org/2_3_release_notes.html#other-railties-changes
* | Import Action MailboxGeorge Claghorn2018-12-251-12/+11
| |
* | Enable `Style/RedundantBegin` cop to avoid newly adding redundant begin blockRyuta Kamizono2018-12-211-5/+3
| | | | | | | | | | | | | | | | | | | | Currently we sometimes find a redundant begin block in code review (e.g. https://github.com/rails/rails/pull/33604#discussion_r209784205). I'd like to enable `Style/RedundantBegin` cop to avoid that, since rescue/else/ensure are allowed inside do/end blocks in Ruby 2.5 (https://bugs.ruby-lang.org/issues/12906), so we'd probably meets with that situation than before.
* | Use native `Array#append`, `Array#prepend`, `Hash#transform_keys`, and ↵Ryuta Kamizono2018-12-202-4/+0
| | | | | | | | | | | | | | | | | | | | `Hash#transform_keys!` Since Rails 6 requires Ruby 2.5. https://github.com/ruby/ruby/blob/ruby_2_5/NEWS Follow up #34754.
* | Allow nil params on controller HTTP test methodsr7kamura2018-12-181-2/+2
| |
* | colorize the unpermitted params log messageblahed2018-12-031-1/+1
| |
* | Allow rescue from parameter parse errorsGannon McGibbon2018-11-131-1/+4
| | | | | | | | [Gannon McGibbon + Josh Cheek]
* | Merge pull request #34314 from bf4/patch-2Gannon McGibbon2018-10-301-1/+1
|\ \ | | | | | | ActionController::API *does* support cookies, sessions
| * | ActionController::API *does* support cookies, sessionsBenjamin Fleischer2018-10-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | ActionController::Metal provides session support by delegating `session to the request (`"@_request"`) https://github.com/rails/rails/blob/a3dcba42e2422eb9c2e77011a39ce72dc934b420/actionpack/lib/action_controller/metal.rb#L149 Though the ActionController::Cookies modules isn't included, it's really a convenience for providing a first class `cookies` object. *all* ActionController::Metal subclasses support setting cookies via the `session` object.
* | | We don't want these internal methods as public methods in our controllersAkira Matsuda2018-10-301-23/+25
|/ / | | | | | | or they would be listed in `action_methods`
* | Fix `ActionController::Parameters#each_value` and add changelog entry to ↵Bogdan2018-10-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | this method (#34210) * Fix `ActionController::Parameters#each_value` `each_value` should yield with "value" of the params instead of "value" as an array. Related to #33979 * Add changelog entry about `ActionController::Parameters#each_value`. Follow up #33979
* | Add allocations to template renderer subscriptionEileen Uchitelle2018-10-101-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This PR adds the allocations to the instrumentation for template and partial rendering. Before: ``` Rendering posts/new.html.erb within layouts/application Rendered posts/_form.html.erb (9.7ms) Rendered posts/new.html.erb within layouts/application (10.9ms) Completed 200 OK in 902ms (Views: 890.8ms | ActiveRecord: 0.8ms) ``` After: ``` Rendering posts/new.html.erb within layouts/application Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004) Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654) Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564) ```
* | Fix call sitesGannon McGibbon2018-10-021-1/+1
| |
* | Add `Style/RedundantFreeze` to remove redudant `.freeze`Yasuo Honda2018-09-296-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since Rails 6.0 will support Ruby 2.4.1 or higher `# frozen_string_literal: true` magic comment is enough to make string object frozen. This magic comment is enabled by `Style/FrozenStringLiteralComment` cop. * Exclude these files not to auto correct false positive `Regexp#freeze` - 'actionpack/lib/action_dispatch/journey/router/utils.rb' - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb' It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333 Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed. * Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required - 'actionpack/test/controller/test_case_test.rb' - 'activemodel/test/cases/type/string_test.rb' - 'activesupport/lib/active_support/core_ext/string/strip.rb' - 'activesupport/test/core_ext/string_ext_test.rb' - 'railties/test/generators/actions_test.rb'