aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Use media_type instead of content_type internallyEugene Kenny2019-08-042-4/+4
| | | | | | | These calls to `content_type` were triggering the deprecation from c631e8d011a7cf3e7ade4e9e8db56d2b89bd530c in upgraded applications. We can use `media_type` in all of these cases to avoid the deprecation.
* ConditionalGet needs time core_extRafael Mendonça França2019-08-021-0/+1
|
* It may be better to explicitly require 'object/try' where we call `try`Akira Matsuda2019-08-011-0/+2
| | | | | | In most cases it works now without explicit require because it's accidentally required through active_support/core_ext/date_and_time/calculations.rb where we still call `try`, but that would stop working if we changed the Calculations implementation and remove the require call there.
* Use `try` only when we're unsure if the receiver would respond_to the methodAkira Matsuda2019-08-012-2/+2
|
* Reduce method invocations and object allocations in head()Akira Matsuda2019-07-311-1/+1
|
* Reduce block executionAkira Matsuda2019-07-311-3/+3
|
* Reduce method callsAkira Matsuda2019-07-311-2/+1
|
* Reduce Array assignment by not giving a name for unused `*args`Akira Matsuda2019-07-313-5/+5
|
* Reduce Hash object creation when normalizing request envAkira Matsuda2019-07-311-2/+3
|
* Reduce unnecessary String creation by not `to_s`ing until nothing matchesAkira Matsuda2019-07-311-1/+1
|
* No need to dup the payload for an instrumentationAkira Matsuda2019-07-311-1/+1
|
* Use match? where we don't need MatchDataAkira Matsuda2019-07-295-6/+6
|
* Add `Vary: Accept` header when renderingst00122019-07-261-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem description (quoted from @rafaelfranca's excellent explanation in https://github.com/rails/jquery-ujs/issues/318#issuecomment-88129005): > Let say that we requested /tasks/1 using Ajax, and the previous page has the same url. When we click the back button the browser tries to get the response from its cache and it gets the javascript response. With vary we "fix" this behavior because we are telling the browser that the url is the same but it is not from the same type what will skip the cache. And there's a Rails issue discussing about this problem as well https://github.com/rails/rails/issues/25842 Also, according to [RFC 7231 7.1.4](https://tools.ietf.org/html/rfc7231#section-7.1.4) > An origin server SHOULD send a Vary header field when its algorithm > for selecting a representation varies based on aspects of the request > message other than the method and request target we should add `Vary: Accept` header when determining content based on the `Accept` header. Although adding such header by default could cause unnecessary cache invalidation. But this PR only adds the header if: - The format param is not provided - The request is a `xhr` request - The request has accept headers and the headers are valid So if the user - sends request with explicit format, like `/users/1.json` - or sends a normal request (non xhr) - or doesn't specify accept headers then the header won't be added. See the discussion in https://github.com/rails/rails/issues/25842 and https://github.com/rails/rails/pull/36213 for more details.
* Merge pull request #36412 from robotdana/compact_blankRafael Mendonça França2019-07-251-0/+12
|\ | | | | | | Add compact_blank shortcut for reject(&:blank?)
| * Add compact_blank shortcut for reject(&:blank?)Dana Sherson2019-06-051-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | I frequently find myself having to .compact but for blank. which means on an array reject(&:blank?) (this is fine), or, on a hash `.reject { |_k, v| v.blank? }` which is slightly more frustrating and i usually write it as .reject(&:blank?) first and am confused when it's trying to check if the keys are blank. I've added the analagous .compact_blank! where there's a reject! to build on (there's also a reject! in Set, but there's no other core_ext touching Set so i've left that alone)
* | [ActionController] Fix send_file example for 404Yuya Tanaka2019-07-191-1/+1
| |
* | Merge pull request #36672 from jbaranov/strong-params-hashRafael França2019-07-161-0/+5
|\ \ | | | | | | Add hash method to ActionController::Parameters
| * | Add hash method to ActionController::ParametersEugene Baranov2019-07-141-0/+5
| | |
* | | Use reserved domain for example configurationJacob Bednarz2019-07-151-1/+1
|/ / | | | | | | | | | | | | Updates the generator output to use a reserved domain[1] instead of a potentially real world domain. [1]: https://tools.ietf.org/html/rfc2606#section-3
* | Adds support for configuring HTTP Feature Policy (#33439)Jacob Bednarz2019-07-102-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
* | Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-1310-16/+0
|/ | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* Change `ActionDispatch::Response#content_type` returning Content-Type header ↵yuuji.yaginuma2019-06-014-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | as it is Since #35709, `Response#conten_type` returns only MIME type correctly. It is a documented behavior that this method only returns MIME type, so this change seems appropriate. https://github.com/rails/rails/blob/39de7fac0507070e3c5f8b33fbad6fced84d97ed/actionpack/lib/action_dispatch/http/response.rb#L245-L249 But unfortunately, some users expect this method to return all Content-Type that does not contain charset. This seems to be breaking changes. We can change this behavior with the deprecate cycle. But, in that case, a method needs that include Content-Type with additional parameters. And that method name is probably the `content_type` seems to properly. So I changed the new behavior to more appropriate `media_type` method. And `Response#content_type` changed (as the method name) to return Content-Type header as it is. Fixes #35709. [Rafael Mendonça França & Yuuji Yaginuma ]
* Merge pull request #36329 from XrXr/no-doc-template-assertionsRafael França2019-05-221-1/+1
|\ | | | | Remove compatibility module from docs [ci skip]
| * Remove compatibility module from docs [ci skip]Alan Wu2019-05-221-1/+1
| | | | | | | | | | This module exists to warn old users. I think we should remove it from the docs so we don't advertise it.
* | Implemented deep_transform_keys/! for ActionController::ParametersGustavo Gutierrez2019-05-221-0/+17
|/
* Return parameters enumerator from transform_keys/!Eugene Kenny2019-05-181-7/+5
| | | | | | | | | | | | | | | | | Previously calling `ActionController::Parameters#transform_keys/!` without passing a block would return an enumerator for the underlying hash, which was inconsistent with the behaviour when a block was passed: ActionController::Parameters.new(foo: "bar").transform_keys { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false> ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => {"foo"=>"bar"} An enumerator for the parameters is now returned instead, ensuring that evaluating it produces another parameters object instead of a hash: ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false>
* fixed usage of Parameters when a non-numeric key existsL.Fexon2019-05-131-7/+17
| | | | | | | | | | test for non-numeric key in nested attributes test: extra blank line between tests removed test for non-numeric key fixed (by Daniel) Update according to feedback
* Revert "Include Caching module for ActionController::API"Rafael França2019-04-221-1/+0
|
* Make sure api controllers can perform caching as wellst00122019-04-191-0/+1
| | | | | | | | | | Currently ActionController::API doesn't include Caching module, so it can't perform caching. And even if users include it later manually, it won't inherit application's default cache store for action_controllers. So the only way to solve this issue is to include Caching module in ActionController::API, too. This closes #35602
* Remove unused modules from StrongParametersPatrik Bóna2019-04-151-4/+0
| | | | | | Unless I'm missing some undocumented use case, these modules aren't needed in `StrongParameters` anymore since 8e221127ab. Also, all actionpack tests are passing without them.
* Merge pull request #32541 from sergiogomez/remove-lock-from-params-wrapperMatthew Draper2019-04-121-1/+1
|\ | | | | Remove lock from method model
| * Remove lock from method modelSergio Gómez2018-04-121-1/+1
| |
* | Deduplicate strings held by the routerJean Boussier2019-04-031-1/+1
| |
* | Fix annotated typoPrathamesh Sonpatki2019-03-291-1/+1
| |
* | Suggest 'strict-origin' Referrer-Policy headerTom Richards2019-03-171-1/+1
| |
* | Update small typo in documentation.Kurt Mueller2019-03-121-1/+1
| |
* | Merge pull request #35121 from utilum/warning_tried_to_create_proc_without_blockKasper Timm Hansen2019-03-101-2/+2
|\ \ | | | | | | Ruby 2.7 warning: creating a Proc without a block
| * | ActionPack Proc.new without a blockutilum2019-02-131-2/+2
| | | | | | | | | | | | | | | | | | This commit fixes cases that use pre Ruby [r66772](https://bugs.ruby-lang.org/projects/ruby-trunk/repository/trunk/revisions/66772) syntax that are not tickled by the test suite.
* | | [ci skip] Fix typosShailesh Kalamkar2019-03-071-1/+1
| | |
* | | Merge pull request #35400 from aglushkov/stream_manual_cache_controlAaron Patterson2019-02-251-1/+1
|\ \ \ | | | | | | | | Allow custom cache-control header in AC::Live
| * | | Allow custom cache-control header in AC::LiveAndrey Glushkov2019-02-251-1/+1
| |/ / | | | | | | | | | https://github.com/rails/rails/issues/35312
* / / Pass the template format to the digestorAaron Patterson2019-02-151-1/+1
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit passes the template format to the digestor in order to come up with a key. Before this commit, the digestor would depend on the side effect of the template renderer setting the rendered_format on the lookup context. I would like to remove that mutation, so I've changed this to pass the template format in to the digestor. I've introduced a new instance variable that will be alive during a template render. When the template is being rendered, it pushes the current template on to a stack, setting `@current_template` to the template currently being rendered. When the cache helper asks the digestor for a key, it uses the format of the template currently on the stack.
* | Tighten up the AV::Base constructorAaron Patterson2019-01-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The AV::Base constructor was too complicated, and this commit tightens up the parameters it will take. At runtime, AV::Base is most commonly constructed here: https://github.com/rails/rails/blob/94d54fa4ab641a0ddeb173409cb41cc5becc02a9/actionview/lib/action_view/rendering.rb#L72-L74 This provides an AV::Renderer instance, a hash of assignments, and a controller instance. Since this is the common case for construction, we should remove logic from the constructor that handles other cases. This commit introduces special constructors for those other cases. Interestingly, most code paths that construct AV::Base "strangely" are tests.
* | Typo fixes action pack.alkesh262019-01-262-2/+2
| |
* | Merge pull request #35018 from gmcgibbon/revert_redirect_to_allow_other_hostRafael França2019-01-222-29/+7
|\ \ | | | | | | Revert ensure external redirects are explicitly allowed
| * | Revert ensure external redirects are explicitly allowedGannon McGibbon2019-01-222-29/+7
| | |
* | | Merge pull request #34952 from rails/template-stuffAaron Patterson2019-01-222-3/+3
|\ \ \ | |/ / |/| | Template Handler Refactoring
| * | Remove args from `default_render`Aaron Patterson2019-01-172-3/+3
| | | | | | | | | | | | It's always called with 0 params, so just remove the parameter
* | | Update the promisse that ActionController::TestCase will be extractedRafael Mendonça França2019-01-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | We are past 5.1 and it was not extrated yet, so while we still have plans they will not be realized on 6.0, so it is better to not set expectations of which release will exclude it just yet. [ci skip]
* | | Ensure external redirects are explicitly allowedGannon McGibbon2019-01-173-17/+39
| | | | | | | | | | | | Add `fallback_location` and `allow_other_host` options to `redirect_to`.