aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #17186 from tgxworld/header_authentication_tokenMatthew Draper2014-11-271-2/+9
|\ | | | | | | Allow authentication header to not have to specify 'token=' key.
| * Allow authentication header to not have to specify 'token=' key.Guo Xiang Tan2014-10-101-2/+9
| | | | | | | | Fixes: https://github.com/rails/rails/issues/17108.
* | Remove extra empty lineArtur Cygan2014-11-261-1/+0
| |
* | :scissors:Rafael Mendonça França2014-11-261-1/+1
| |
* | getting the location of the serverdilpreet922014-11-261-2/+2
| |
* | Deprecate `use_route` in controller testsGodfrey Chan2014-11-231-1/+22
| | | | | | | | Reference #17453
* | Wrap code snippets in +, not backticks, in sdocclaudiob2014-11-202-5/+5
| | | | | | | | | | | | | | | | I grepped the source code for code snippets wrapped in backticks in the comments and replaced the backticks with plus signs so they are correctly displayed in the Rails documentation. [ci skip]
* | Use request method instead of ActionDispatch::Request#request_method instead ↵Ilya Katz2014-11-201-1/+1
| | | | | | | | of ActionDispatch::Request#method to pick up overrides by the middleware
* | Make sure assert_select can assert body tagRafael Mendonça França2014-11-181-4/+4
| | | | | | | | | | | | | | | | | | This reverts commit f93df52845766216f0fe36a4586f8abad505cac4, reversing changes made to a455e3f4e9dbfb9630d47878e1239bc424fb7d13. Conflicts: actionpack/lib/action_controller/test_case.rb actionview/lib/action_view/test_case.rb
* | document_root_element need to be publicRafael Mendonça França2014-11-171-4/+4
| |
* | Pass the route name explicitlyGodfrey Chan2014-11-101-1/+2
| | | | | | | | | | | | Follow up to 212057b9. Since that commit, we need to pass the `route_name` explicitly. This is one of the left-over cases that was not handled in that commit, which was causing `use_route` to be ignored in functional tests.
* | Removed documentation that still mentioned using respond_with in placeRobert Evans2014-11-052-18/+5
| | | | | | | | | | of respond_to. respond_with was moved into the responders gem and deprecated inside rails, so there is no need to mention it within rails itself.
* | Call gsub with a Regexp instead of a String for better performancePablo Herrero2014-11-011-1/+1
| |
* | let's warn with heredocsXavier Noria2014-10-281-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | The current style for warning messages without newlines uses concatenation of string literals with manual trailing spaces where needed. Heredocs have better readability, and with `squish` we can still produce a single line. This is a similar use case to the one that motivated defining `strip_heredoc`, heredocs are super clean.
* | UrlGenerationError are not catched as 404 anymoreJean Boussier2014-10-271-1/+1
| |
* | Use AS secure_compare for CSRF token comparisonGuillermo Iguaran2014-10-231-2/+2
| |
* | remove duplicate method (_status_code) in action_dispatchAbdelkader Boudih2014-10-191-1/+1
| |
* | Make _status_code methods nodocPrathamesh Sonpatki2014-10-191-3/+3
| | | | | | | | | | - Also one minor change for documenting url_for method in ActionController::Metal. [ci skip]
* | Replace (slower) block.call with (faster) yieldclaudiob2014-10-171-2/+2
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | Performance optimization: `yield` with an implicit `block` is faster than `block.call`. See http://youtu.be/fGFM_UrSp70?t=10m35s and the following benchmark: ```ruby require 'benchmark/ips' def fast yield end def slow(&block) block.call end Benchmark.ips do |x| x.report('fast') { fast{} } x.report('slow') { slow{} } end # => fast 154095 i/100ms # => slow 71454 i/100ms # => # => fast 7511067.8 (±5.0%) i/s - 37445085 in 4.999660s # => slow 1227576.9 (±6.8%) i/s - 6145044 in 5.028356s ```
* Rephrasing sentencesNeeraj Singh2014-10-071-2/+2
|
* Parse HTML as document fragment.Kasper Timm Hansen2014-09-291-1/+1
| | | | This is to match the changes in Rails Dom Testing rails/rails-dom-testing#20.
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-09-281-6/+6
|\
| * Consistently markup etag options.Steven Harman2014-09-161-3/+3
| |
| * Consistently capitalize ETag.Steven Harman2014-09-161-3/+3
| |
* | code gardening in ActionController::RenderersXavier Noria2014-09-041-7/+12
|/ | | | | | | | | | | | | | | | | | | * Renames _handle_render_options to _render_to_body_with_renderer, which is more intention-revealing. * The name of the dynamically generated method for a renderer with key :js was "_render_option_js". That name is too weak. :js is an option if you see the render argument as just a generic options hash, but in the context of renderers that's the renderer key, is what identifies the renderer. Now "_render_with_renderer_js" is generated instead, which is crystal clear. * The name of the dynamically generated method for the renderer was constructed using string literals in a few places. That is now encapsulated in a method. * Since we were on it, also removed a couple of redundant selfs.
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-3/+65
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-191-3/+84
|\ \ | | | | | | Update `ActionController::Parameters` to be more secure on parameters handling
| * | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | | | | | | | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-181-1/+25
| | | | | | | | | | | | | | | | | | | | | * `each` * `each_pair` * `delete` * `select!`
| * | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-191-2/+2
|\ \ \ | |/ / |/| | | | | | | | | | | | | | Conflicts: actionpack/lib/action_controller/metal/mime_responds.rb actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb activerecord/lib/active_record/type/value.rb
| * | Uppercase HTML in docs.Hendy Tanata2014-08-082-9/+9
| | | | | | | | | | | | [skip ci]
* | | Merge pull request #15889 from carnesmedia/model-nameRafael Mendonça França2014-08-171-1/+1
|\ \ \ | | | | | | | | | | | | Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classesAmiel Martin2014-06-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | This allows rails code to be more confdent when asking for a model name, instead of having to ask for the class. Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'master' into loofahRafael Mendonça França2014-08-177-531/+109
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * | | | `responders` 1.x won't do it. Told you to RTFM for details!Godfrey Chan2014-08-171-3/+6
| | | | |
| * | | | The gem is called 'responders'Godfrey Chan2014-08-171-2/+2
| | | | |
| * | | | Raise a more helpful error for people who are using these extracted featuresGodfrey Chan2014-08-171-1/+16
| | | | |
| * | | | Move respond_with to the responders gemJosé Valim2014-08-172-528/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | respond_with (and consequently the class-level respond_to) are being removed from Rails. Instead of moving it to a 3rd library, the functionality will be moved to responders gem (at github.com/plataformatec/responders) which already provides some responders extensions.
| * | | | When your templates change, browser caches bust automatically.Jeremy Kemper2014-08-173-6/+82
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | New default: the template digest is automatically included in your ETags. When you call `fresh_when @post`, the digest for `posts/show.html.erb` is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions. If you render a different template, you can now pass the `:template` option to include its digest instead: fresh_when @post, template: 'widgets/show' Pass `template: false` to skip the lookup. To turn this off entirely, set: config.action_controller.etag_with_template_digest = false
| * | | Merge pull request #16027 from tgxworld/template_assertionsYves Senn2014-08-141-0/+9
| |\ \ \ | | | | | | | | | | Fixes to ActionController::TemplateAssertions
| | * | | Fix assert_template for files.Guo Xiang Tan2014-08-141-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | The test was not failing for `assert_template file: nil` when a file has been rendered.
| * | | | [ci skip] correct default cache store classAditya Kapoor2014-08-131-1/+1
| |/ / /
* | | | Merge branch 'master' into loofahRafael Mendonça França2014-08-1210-92/+67
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md actionpack/test/controller/integration_test.rb actionview/CHANGELOG.md
| * | | Pass block for logging.Guo Xiang Tan2014-08-091-4/+6
| | | | | | | | | | | | | | | | This follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
| * | | Remove ActionController::RaiseActionExceptions.Guo Xiang Tan2014-08-071-34/+0
| | | | | | | | | | | | | | | | | | | | The latest modification to the code was done in https://github.com/rails/rails/commit/5e3517ea. In Rails 3.2, `ActionController#rescue_action` was deprecated and `rescue_action_without_handler` is no longer being used.
| * | | refactor Redirecting so we do not need a controller instanceAaron Patterson2014-08-061-3/+5
| | | |