aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #24504 from nickmalcolm/masterVipul A M2016-04-121-1/+6
|\ | | | | Encourage best practice in the HTTP Token authentication example code
| * [ci skip] This modifies the HTTP Token authentication example's ↵Nick Malcolm2016-04-121-1/+6
| | | | | | | | `authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
* | Pass over all Rails 5 warnings, to make sure:Vipul A M2016-04-121-1/+1
|/ | | | | | | | | | - we are ending sentences properly - fixing of space issues - fixed continuity issues in some sentences. Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 . This change reverts making sure we add '.' at end of deprecation sentences. This is to keep sentences within Rails itself consistent and with a '.' at the end.
* quick edits on the AC::API RDoc [ci skip]Xavier Noria2016-04-051-19/+20
| | | | | | | | | | | In particular, the fact that ApplicationController is the only one inheriting from AC::API is not a default. You could say at most that generators generate them that way, but the creation of controllers is something which is out of our control because programmers write controllers by hand. Instead, we can say that normally, conventionally, as in the majority of Rails apps, that is the actually the case.
* Fixes #24239Ryan T. Hosford2016-04-041-1/+1
| | | | | - skip calling helper_method if it's not there: if we don't have helpers, we needn't define one. - tests that an api controller can include and use ActionController::Cookies
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2016-04-031-0/+7
|\
| * [ci skip] Fix example of ActionController::Parameters#to_unsafe_hPrathamesh Sonpatki2016-03-241-1/+1
| | | | | | | | - Added missing `"`.
| * Add example for ActionController::Parameters#to_unsafe_hGaurish Sharma2016-03-121-0/+7
| | | | | | | | [ci-skip]
* | Grammar fixes based on pass over ETag doc changesVipul A M2016-04-031-2/+2
| | | | | | | | [ci skip]
* | Grammer fix in comment: capitalize first word in sentence [ci skip].utilum2016-04-021-1/+1
| |
* | Strong ETag validatorsJeremy Daer2016-03-311-13/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag. Strong ETags are desirable when you're serving byte-for-byte identical responses that support Range requests, like PDFs or videos (typically done by reproxying the response from a backend storage service). Also desirable when fronted by some CDNs that support strong ETags only, like Akamai. * No longer strips quotes (`"`) from ETag values before comparing them. Quotes are significant, part of the ETag. A quoted ETag and an unquoted one are not the same entity. * Support `If-None-Match: *`. Rarely useful for GET requests; meant to provide some optimistic concurrency control for PUT requests.
* | Merge pull request #24037 from ↵Jeremy Daer2016-03-231-53/+34
|\ \ | | | | | | | | | | | | jeremy/implicit-render-raises-on-browser-GET-requests-only Are you missing that template or did you omit it on purpose?
| * | Refinement of our "are you missing a template or did you omit it on ↵Jeremy Daer2016-03-031-53/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | purpose?" heuristics Narrows the "are you in a browser, viewing the page?" check to exclude non-GET requests. Allows content-less APIs to use implicit responses without having to set a fake request format. This will need further attention. If you forget to redirect from a POST to a GET, you'll get a 204 No Content response that browsers will typically treat as… do nothing. It'll seem like the form just didn't work and knowing where to start debugging is non-obvious. On the flip side, redirecting from POST and others is the default, done everywhere, so it's less likely to be removed or otherwise missed. Alternatives are to do more explicit browser sniffing. Ref #23827.
* | | Fix typo for redirect_backArkadiusz Fal2016-03-221-1/+1
| | | | | | | | | | | | | | | indetical -> identical [skip ci]
* | | Add explanation about accepts_nested_attributes_for keys in the strong ↵Bart de Water2016-03-121-2/+3
| | | | | | | | | | | | parameters documentation [skip ci]
* | | Use the most highest priority exception handler when cause is setSean Griffin2016-03-111-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There was some subtle breakage caused by #18774, when we removed `#original_exception` in favor of `#cause`. However, `#cause` is automatically set by Ruby when raising an exception from a rescue block. With this change, we will use whichever handler has the highest priority (whichever call to `rescue_from` came last). In cases where the outer has lower precidence than the cause, but the outer is what should be handled, cause will need to be explicitly unset. Fixes #23925
* | | Merge pull request #22854 from jcoyne/missing_templateSean Griffin2016-03-111-1/+1
|\ \ \ | | | | | | | | | | | | Default rendering behavior if respond_to collector doesn't have a block.
| * | | Render default template if block doesn't renderJustin Coyne2016-02-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a `respond_to` collector doesn't have a response, then a `:no_content` response should be rendered. This brings the default rendering behavior introduced by https://github.com/rails/rails/issues/19036 to controller methods employing `respond_to`
* | | | add return values to example [ci skip]yuuji.yaginuma2016-03-101-1/+1
| | | |
* | | | Add `ActionController::Parameters#dig`Sean Griffin2016-03-091-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | This method will only be added when used with Ruby 2.3.0 or greater. This method has the same behavior as `Hash#dig`, except it will convert hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.
* | | | Pass headers through to payload for logging.Gareth du Plooy2016-03-081-0/+1
| |_|/ |/| | | | | | | | Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.
* | | Remove http_cache_forever's version parameterJean Boussier2016-03-051-4/+2
| |/ |/|
* | Change 'a HTTP' to 'an HTTP' [ci skip]Santosh Wadghule2016-03-032-5/+5
| |
* | Fix typo in implicit_renderMax Woolf2016-03-021-1/+1
| | | | | | When trying to make a request and the request doesn't have a suitable template, the new error messages are really helpful but there's a small (and I mean, VERY small) typo that has been bugging me for the last few days. This adds the space and restores order to the universe. :heart:
* | Revert "Update Session to utilize indiffernt access"Matthew Draper2016-02-261-1/+1
|/ | | | | | | | | | | This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a. HWIAs are better than silently deeply-stringified hashes... but that's a reaction to a shortcoming of one particular session store: we should not break the basic behaviour of other, more featureful, session stores in the process. Fixes #23884
* Additional review of 6b31761.Kasper Timm Hansen2016-02-251-1/+1
| | | | | * Fixes typos in error message and release notes. * Removes unused template test file.
* Lock down new `ImplicitRender` behavior for 5.0 RCGodfrey Chan2016-02-252-18/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Conceptually revert #20276 The feature was implemented for the `responders` gem. In the end, they did not need that feature, and have found a better fix (see plataformatec/responders#131). `ImplicitRender` is the place where Rails specifies our default policies for the case where the user did not explicitly tell us what to render, essentially describing a set of heuristics. If the gem (or the user) knows exactly what they want, they could just perform the correct `render` to avoid falling through to here, as `responders` did (the user called `respond_with`). Reverting the patch allows us to avoid exploding the complexity and defining “the fallback for a fallback” policies. 2. `respond_to` and templates are considered exhaustive enumerations If the user specified a list of formats/variants in a `respond_to` block, anything that is not explicitly included should result in an `UnknownFormat` error (which is then caught upstream to mean “406 Not Acceptable” by default). This is already how it works before this commit. Same goes for templates – if the user defined a set of templates (usually in the file system), that set is now considered exhaustive, which means that “missing” templates are considered `UnknownFormat` errors (406). 3. To keep API endpoints simple, the implicit render behavior for actions with no templates defined at all (regardless of formats, locales, variants, etc) are defaulted to “204 No Content”. This is a strictly narrower version of the feature landed in #19036 and #19377. 4. To avoid confusion when interacting in the browser, these actions will raise an `UnknownFormat` error for “interactive” requests instead. (The precise definition of “interactive” requests might change – the spirit here is to give helpful messages and avoid confusions.) Closes #20666, #23062, #23077, #23564 [Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
* Show permitted flag in the output of AC::Parameters#inspectPrathamesh Sonpatki2016-02-241-1/+1
| | | | - Fixes #23822.
* Merge pull request #20851 from tomprats/indifferent-sessionsRafael Mendonça França2016-02-241-1/+1
|\ | | | | | | Give Sessions Indifferent Access
| * Update Session to utilize indiffernt accessTom Prats2016-01-301-1/+1
| |
* | Move private methods to the private visibilityRafael Mendonça França2016-02-241-10/+12
| |
* | Move Caching module to Abstract ControllerRafael Mendonça França2016-02-231-3/+1
| | | | | | | | | | | | Abstract Controller is the common component between Action Mailer and Action Controller so if we need to share the caching component it need to be there.
* | Remove unnecessarily included modules in ActionController::CachingStan Lo2016-02-231-1/+0
| |
* | Make caching configuration more flexibleStan Lo2016-02-231-0/+12
| |
* | Move most caching methods to ActionDispatch::Caching, and let ActionMailer ↵Stan Lo2016-02-231-54/+3
| | | | | | | | and ActionController to include it
* | Move caching/fragments in ActionMailer and ActionController to ↵Stan Lo2016-02-232-153/+2
| | | | | | | | action_dispatch/caching/fragments
* | Use symbol of mime type instead of object to get correct parserMehmet Emin İNAÇ2016-02-221-2/+2
| | | | | | | | | | | | After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem. Closes #23766
* | Merge pull request #23682 from ShikChen/fast_strxorSantiago Pastorino2016-02-211-1/+2
|\ \ | | | | | | Improve the performance of string xor operation
| * | Improve the performance of string xor operationshik2016-02-151-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use `each_byte` instead of `bytes` to speed up string xor operation and reduce object allocations. Inspired by commit 02c3867882d6d23b10df262a6db5f937ca69fb53. ``` ruby require 'benchmark/ips' require 'allocation_tracer' a = 32.times.map { rand(256) }.pack('C*') b = 32.times.map { rand(256) }.pack('C*') def xor_byte_strings1(s1, s2) s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*') end def xor_byte_strings2(s1, s2) s2_bytes = s2.bytes s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*') end def xor_byte_strings3(s1, s2) s2_bytes = s2.bytes s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 } s2_bytes.pack('C*') end fail if xor_byte_strings1(a, b) != xor_byte_strings2(a, b) fail if xor_byte_strings1(a, b) != xor_byte_strings3(a, b) Benchmark.ips do |x| x.report('xor_byte_strings1') { xor_byte_strings1(a, b) } x.report('xor_byte_strings2') { xor_byte_strings2(a, b) } x.report('xor_byte_strings3') { xor_byte_strings3(a, b) } x.compare! end Tracer = ObjectSpace::AllocationTracer Tracer.setup(%i{type}) p xor_byte_strings1: Tracer.trace { xor_byte_strings1(a, b) } p xor_byte_strings2: Tracer.trace { xor_byte_strings2(a, b) } p xor_byte_strings3: Tracer.trace { xor_byte_strings3(a, b) } ``` ``` Warming up -------------------------------------- xor_byte_strings1 10.668k i/100ms xor_byte_strings2 11.814k i/100ms xor_byte_strings3 13.139k i/100ms Calculating ------------------------------------- xor_byte_strings1 116.667k (± 3.1%) i/s - 586.740k xor_byte_strings2 129.932k (± 4.3%) i/s - 649.770k xor_byte_strings3 142.506k (± 4.2%) i/s - 722.645k Comparison: xor_byte_strings3: 142506.3 i/s xor_byte_strings2: 129932.4 i/s - 1.10x slower xor_byte_strings1: 116666.8 i/s - 1.22x slower {:xor_byte_strings1=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}} {:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}} {:xor_byte_strings3=>{[:T_ARRAY]=>[1, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}} ```
* | | Deprecate AC::Parameters#== with a HashBenjamin Quorning2016-02-191-9/+14
| | |
* | | Fix AC::Parameters#== with other AC::ParametersBenjamin Quorning2016-02-191-3/+4
| | | | | | | | | | | | Creating a protected getter method for `@parameters`.
* | | fields_for_style needs to test for AC::ParametersAaron Patterson2016-02-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While iterating an AC::Parameters object, the object will mutate itself and stick AC::Parameters objects where there used to be hashes: https://github.com/rails/rails/blob/f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9/actionpack/lib/action_controller/metal/strong_parameters.rb#L632 If you use `permit` after this iteration, the `fields_for_style` method wouldn't return true because the child objects are now AC::Parameters objects rather than Hashes. fixes #23701
* | | partially revert 69009f4473637a44ade26d954ef5ddea6ff903f2Aaron Patterson2016-02-171-4/+1
| | | | | | | | | | | | | | | we need to continue setting the body on the request object because of Fiber based streaming templates. Fixes #23659
* | | Implement ActionController::Parameters#inspectBenjamin Quorning2016-02-171-1/+5
|/ / | | | | | | Now that AC::Parameters is no longer a Hash, it shouldn't look like a hash.
* | Remove `const_missing` which fallback to deprecated `NEVER_UNPERMITTED_PARAMS`Ryuta Kamizono2016-02-151-10/+0
| | | | | | | | `NEVER_UNPERMITTED_PARAMS` is deprecated in Rails 4.2. See #15933.
* | `log_process_action` will return an array, so use `empty?`Aaron Patterson2016-02-091-1/+1
| | | | | | | | | | We don't need to use active support in this case because we know the type that will be returned.
* | Request#fullpath should not raise an exception, so remove the rescueAaron Patterson2016-02-091-1/+1
| |
* | AC::Request#format always returns a value, so we do not need to tryAaron Patterson2016-02-091-1/+1
| |
* | speed up string xor operation and reduce object allocationsAaron Patterson2016-02-081-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` [aaron@TC rails (master)]$ cat xor.rb a = "\x14b\"\xB4P8\x05\x8D\xC74\xC3\xEC}\xFDf\x8E!h\xCF^\xBF\xA5%\xC6\xF0\xA9\xF9x\x04\xFA\xF1\x82" b = "O.\xF7\x01\xA9D\xA3\xE1D\x7FU\x85\xFC\x8Ak\e\x04\x8A\x97\x91\xD01\x02\xA4G\x1EIf:Y\x0F@" def xor_byte_strings(s1, s2) s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*') end def xor_byte_strings2(s1, s2) s2_bytes = s2.bytes s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*') end require 'benchmark/ips' require 'allocation_tracer' Benchmark.ips do |x| x.report 'xor_byte_strings' do xor_byte_strings a, b end x.report 'xor_byte_strings2' do xor_byte_strings2 a, b end end ObjectSpace::AllocationTracer.setup(%i{type}) result = ObjectSpace::AllocationTracer.trace do xor_byte_strings a, b end p :xor_byte_strings => result ObjectSpace::AllocationTracer.clear result = ObjectSpace::AllocationTracer.trace do xor_byte_strings2 a, b end p :xor_byte_strings2 => result [aaron@TC rails (master)]$ ruby -I~/git/allocation_tracer/lib xor.rb Calculating ------------------------------------- xor_byte_strings 10.087k i/100ms xor_byte_strings2 11.339k i/100ms ------------------------------------------------- xor_byte_strings 108.386k (± 5.8%) i/s - 544.698k xor_byte_strings2 122.239k (± 3.0%) i/s - 612.306k {:xor_byte_strings=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}} {:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}} ```
* | Merge pull request #23534 from bronson/fix-redefined-warningArthur Nogueira Neves2016-02-081-0/+1
|\ \ | | | | | | fix 'method redefined' warnings