aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* normalizes indentation and whitespace across the projectXavier Noria2016-08-0610-184/+184
|
* modernizes hash syntax in actionpackXavier Noria2016-08-068-27/+27
|
* applies new string literal convention in actionpack/libXavier Noria2016-08-0622-130/+130
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Move the YAML hook closer to `init_with`.Kasper Timm Hansen2016-08-021-8/+9
| | | | | Looked odd, so completely detached from the other necessary part of the implementation.
* Replace implicit formats with a case statement.Kasper Timm Hansen2016-08-021-7/+8
| | | | | | The coder that Psych passes in has a `tag` method we can use to detect which serialization format we're reviving for. Use it and make it clearer alongside the `load_tags` fiddling.
* Let Psych 2.0.9+ deserialize 2.0.8 serialized parameters.Kasper Timm Hansen2016-08-021-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | If we were to serialize an `ActionController::Parameters` on Psych 2.0.8, we'd get: ```yaml --- !ruby/hash:ActionController::Parameters key: :value ``` Because 2.0.8 didn't store instance variables, while 2.0.9 did: https://github.com/tenderlove/psych/commit/8f84ad0fc711a82a1040def861cb121e8985fd4c That, coupled with 2.0.8 calling `new` instead of `allocate` meant parameters was deserialized just fine: https://github.com/tenderlove/psych/commit/af308f8307899cb9e1c0fffea4bce3110a1c3926 However, if users have 2.0.8 serialized parameters, then upgrade to Psych 2.0.9+ and Rails 5, it would start to blow up because `initialize` will never be called, and thus `@parameters` will never be assigned. Hello, `NoMethodErrors` on `NilClass`! :) To fix this we register another variant of the previous serialization format and take it into account in `init_with`. I've tested this in our app and previously raising code now deserializes like a champ. I'm unsure how to test this in our suite because we use Psych 2.0.8 and don't know how to make us use 2.0.9+ for just one test.
* Make Parameters support legacy YAML encodings.Kasper Timm Hansen2016-08-011-0/+19
| | | | | | | | | | | | | | | | | | | | | By changing ActionController::Parameter's superclass, Rails 5 also changed the YAML serialization format. Since YAML doesn't know how to handle parameters it would fallback to its routine for the superclass, which in Rails 4.2 was Hash while just Object in Rails 5. As evident in the tags YAML would spit out: 4.2: !ruby/hash-with-ivars:ActionController::Parameters 5.0: !ruby/object:ActionController::Parameters Thus when loading parameters YAML from 4.2 in Rails 5, it would parse a hash dump as it would an Object class. To fix this we have to provide our own `init_with` to be aware of the past format as well as the new one. Then we add a `load_tags` mapping, such that when the YAML parser sees `!ruby/hash-with-ivars:ActionController::Parameters`, it knows to call our `init_with` function and not try to instantiate it as a normal hash subclass.
* Reset rack.input when the environment is scrubbed for the next requestNick Sieger2016-07-271-0/+1
| | | | | | | | | | | | | | | | | Before this change, posted parameters would leak across requests. The included test case failed like so: 1) Failure: TestCaseTest#test_multiple_mixed_method_process_should_scrub_rack_input: --- expected +++ actual @@ -1 +1 @@ -{"bar"=>"an bar", "controller"=>"test_case_test/test", "action"=>"test_params"} +{"foo"=>"an foo", "bar"=>"an bar", "controller"=>"test_case_test/test", "action"=>"test_params"} An argument could be made that this situation isn't encountered often and that one should limit the number of requests per test case, but I still think the parameter leaking is an unexpected side-effect.
* Fix incorrect indentation in method comment [ci skip]Junya Ogura2016-07-211-3/+3
|
* Fix adding implicitly rendered namespaced template digests to ETagsJavan Makhmali2016-07-131-1/+1
|
* Trust `Object#dup` in `ActionController::Parameters`, using ↵Tim Rogers2016-07-081-15/+1
| | | | | | `#initialize_copy` to manually duplicate the underlying parameters hash It looks like `ActionController::Parameters#dup` is leftover from when the class inherited from `Hash`. We can just trust `#dup`, which already copies the `@permitted` instance variable (confirmed by tests). We still define a `#initialize_copy` to make `@parameters` a copy that can be mutated without affecting the original instance.
* Changes to a dupped `ActionController::Parameters` mutate the originalTim Rogers2016-07-071-0/+5
| | | | | | | | | | | | | | When `ActionController::Parameters` is duplicated with `#dup`, it doesn't create a duplicate of the instance variables (e.g. `@parameters`) but rather maintains the reference (see <http://ruby-doc.org/core-2.3.1/Object.html>). Given that the parameters object is often manipulated as if it were a hash (e.g. with `#delete` and similar methods), this leads to unexpected behaviour, like the following: ``` params = ActionController::Parameters.new(foo: "bar") duplicated_params = params.dup duplicated_params.delete(:foo) params == duplicated_params ``` This fixes the bug by defining a private `#initialize_copy` method, used internally by `#dup`, which makes a copy of `@parameters`.
* [ci skip] Add 'params' formatting in ActionController::BaseAlex Kitchens2016-06-301-4/+4
|
* Fix adding implicitly rendered template digests to ETagsJavan Makhmali2016-06-281-1/+7
| | | | Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* `params.permitted?` is false by defaultJon Moss2016-06-231-0/+2
| | | | | In the docs: "+permit_all_parameters+ - If it's +true+, all the parameters will be permitted by default. The default is +false+."
* Update ActionController::Parameters documentation [ci skip]Benjamin Quorning2016-06-221-19/+18
| | | | | | | | | | The changes in this commit are twofold: 1. The examples showing `#require` accepting two arguments were wrong - you have to wrap the arguments (two, or more) in an array. 2. `ActionController::Parameters` has an `#inspect` method now (since https://github.com/rails/rails/pull/23732), and the documentation should reflect that.
* Fix typo in ActionController::Renderer [ci skip]Alex Kitchens2016-06-101-1/+1
|
* Clean up the test request/response even after an exceptionMatthew Draper2016-06-011-23/+26
|
* Tiny document fixes [ci skip]Robin Dupret2016-05-301-1/+1
| | | | | | Add a missing capital letter and avoid using absolute links to the API because they may refer to out-dated documentation on the Edge site.
* ActionController::Parameters: Fix #dig doc codeChristian Wesselhoeft2016-05-291-5/+5
| | | This example code wasn't getting wrapped in a `<code>` tag due to incorrect indentation.
* fix incorrect class name [ci skip]yuuji.yaginuma2016-05-281-1/+1
|
* Respect `log_warning_on_csrf_failure` setting for all CSRF failuresMatthew Caruana Galizia2016-05-231-1/+3
| | | | | | | | | | | | CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well. Closes #25086. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* Action Mailer: Declarative exception handling with `rescue_from`.Jeremy Daer2016-05-151-12/+1
| | | | | | | | | | | | | | | | | | | | | | | Follows the same pattern as controllers and jobs. Exceptions raised in delivery jobs (enqueued by `#deliver_later`) are also delegated to the mailer's rescue_from handlers, so you can handle the DeserializationError raised by delivery jobs: ```ruby class MyMailer < ApplicationMailer rescue_from ActiveJob::DeserializationError do … end ``` ActiveSupport::Rescuable polish: * Add the `rescue_with_handler` class method so exceptions may be handled at the class level without requiring an instance. * Rationalize `exception.cause` handling. If no handler matches the exception, fall back to the handler that matches its cause. * Handle exceptions raised elsewhere. Pass `object: …` to execute the `rescue_from` handler (e.g. a method call or a block to instance_exec) against a different object. Defaults to `self`.
* Helpers doc grammar fix [skip ci]Jon Atack2016-05-071-2/+2
|
* Merge pull request #24029 from ↵Sean Griffin2016-05-062-8/+10
|\ | | | | | | | | | | | | rthbound/dont-call-each-when-calling-body-on-response Dont call each when calling body on response to fix #23964 Fixes #23964
| * Fixes #23964Ryan T. Hosford2016-03-132-8/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Adds #each_chunk to ActionDispatch::Response. it's a method which will be called by ActionDispatch::Response#each. - Make Response#each a proper method instead of delegating to @stream - In Live, instead of overriding #each, override #each_chunk. - `#each` should just spit out @str_body if it's already set - Adds #test_set_header_after_read_body_during_action to prove this fixes #23964 - Adds #test_each_isnt_called_if_str_body_is_written to ensure #each_chunk is not called when @str_body is available - Call `@response.sent!` in AC::TestCase's #perform so a test response acts a bit more like a real response. Makes test that call `#assert_stream_closed` pass again. - Additionally assert `#committed?` in `#assert_stream_closed` - Make test that was calling @response.stream.each pass again by calling @response.each instead.
* | Implement helpers proxy in controller instance levelRafael Mendonça França2016-05-052-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is a common pattern in the Rails community that when people want to :xa use any kind of helper that is defined inside app/helpers they includes the helper module inside the controller like: module UserHelper def my_user_helper # ... end end class UsersController < ApplicationController include UserHelper def index render inline: my_user_helper end end This has problem because the helper can't access anything that is defined in the view level context class. Also all public methods of the helper become available in the controller what can lead to undesirable methods being routed and behaving as actions. Also if you helper depends on other helpers or even Action View helpers you need to include each one of these dependencies in your controller otherwise your helper is not going to work. We already have a helpers proxy at controller class level but that proxy doesn't have access to the instance variables defined in the controller. With this new instance level helper proxy users can reuse helpers in the controller without having to include the modules and with access to instance variables defined in the controller. class UsersController < ApplicationController def index render inline: helpers.my_user_helper end end
* | Move protected instance variable to the right placeRafael Mendonça França2016-05-051-3/+4
| | | | | | | | | | | | | | | | | | There were a lot of protected instance variables in AbsctractController::Rendering that were related to Action Controller and Action View. Moving to ActionController::Base's protected instance list we make it closer to where they are really defined.
* | Fix some typos in comments.Joe Rafaniello2016-05-041-1/+1
| | | | | | | | [ci skip]
* | Merge pull request #24845 from tomkadwill/action_controller_typosRafael França2016-05-042-3/+3
|\ \ | | | | | | Fix actionpack typos [ci skip]
| * | Fix actionpack typos [ci skip]Tom Kadwill2016-05-042-3/+3
| | |
* | | Merge pull request #24777 from tomkadwill/action_pack_typos_3Vipul A M2016-04-302-5/+5
|\ \ \ | | | | | | | | Fix actionpack typos [ci skip]
| * | | Fix actionpack typos [ci skip]Tom Kadwill2016-04-302-5/+5
| |/ /
* | | Merge pull request #24641 from rafaelfranca/fix-per-form-token-with-full-urlJeremy Daer2016-04-251-1/+2
|\ \ \ | | | | | | | | | | | | Discart the schema and host information when building the per-form token
| * | | Discart the schema and host information when building the per-form tokenRafael Mendonça França2016-04-201-1/+2
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the token is generated by the form we were using the schema and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it. Fix #24257
* | | Merge pull request #24697 from tomkadwill/action_pack_typos_2Vipul A M2016-04-234-10/+10
|\ \ \ | | | | | | | | Actionpack documentation typos [ci skip]
| * | | Actionpack documentation typos [ci skip]Tom Kadwill2016-04-234-10/+10
| |/ /
* | | Merge pull request #24669 from tomkadwill/action_pack_typosVipul A M2016-04-221-10/+9
|\ \ \ | | | | | | | | Actioncable and Actionpack documentation typos [ci skip]
| * | | Actioncable and Actionpack documentation typos [ci skip]Tom Kadwill2016-04-211-10/+9
| |/ /
* / / Fix ApplicationController.renderer.defaults.merge!Jon Moss2016-04-201-1/+1
|/ / | | | | | | | | | | | | Previously, users were trying to modify a frozen Hash. Includes a regression test :) Fixes #22975
* | Update send_data documentation [ci skip]Anton Rieder2016-04-191-1/+1
| | | | | | Add missing period after sentence.
* | Filter scalar values when params permit hashes or arraysSean Griffin2016-04-151-1/+5
| | | | | | | | | | | | This brings the behavior more inline with other similar cases, such as receiving a hash when an array of scalars was expected. Prior to this commit, the key would be present, but the value would be `nil`
* | Merge pull request #24504 from nickmalcolm/masterVipul A M2016-04-121-1/+6
|\ \ | | | | | | Encourage best practice in the HTTP Token authentication example code
| * | [ci skip] This modifies the HTTP Token authentication example's ↵Nick Malcolm2016-04-121-1/+6
| | | | | | | | | | | | `authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
* | | Pass over all Rails 5 warnings, to make sure:Vipul A M2016-04-121-1/+1
|/ / | | | | | | | | | | | | | | | | | | - we are ending sentences properly - fixing of space issues - fixed continuity issues in some sentences. Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 . This change reverts making sure we add '.' at end of deprecation sentences. This is to keep sentences within Rails itself consistent and with a '.' at the end.
* | quick edits on the AC::API RDoc [ci skip]Xavier Noria2016-04-051-19/+20
| | | | | | | | | | | | | | | | | | | | | | In particular, the fact that ApplicationController is the only one inheriting from AC::API is not a default. You could say at most that generators generate them that way, but the creation of controllers is something which is out of our control because programmers write controllers by hand. Instead, we can say that normally, conventionally, as in the majority of Rails apps, that is the actually the case.
* | Fixes #24239Ryan T. Hosford2016-04-041-1/+1
| | | | | | | | | | - skip calling helper_method if it's not there: if we don't have helpers, we needn't define one. - tests that an api controller can include and use ActionController::Cookies
* | Merge branch 'master' of github.com:rails/docrailsVijay Dev2016-04-031-0/+7
|\ \
| * | [ci skip] Fix example of ActionController::Parameters#to_unsafe_hPrathamesh Sonpatki2016-03-241-1/+1
| | | | | | | | | | | | - Added missing `"`.
| * | Add example for ActionController::Parameters#to_unsafe_hGaurish Sharma2016-03-121-0/+7
| | | | | | | | | | | | [ci-skip]