path: root/actionpack/lib/action_controller
Commit message    Author    Age    Files    Lines
* Call gsub with a Regexp instead of a String for better performance    Pablo Herrero    2014-11-01    1    -1/+1
|
* let's warn with heredocs    Xavier Noria    2014-10-28    1    -4/+7
|
|     The current style for warning messages without newlines uses concatenation of string literals with manual trailing spaces where needed. Heredocs have better readability, and with `squish` we can still produce a single line. This is a similar use case to the one that motivated defining `strip_heredoc`, heredocs are super clean.
* UrlGenerationError are not caught as 404 anymore    Jean Boussier    2014-10-27    1    -1/+1
|
* Use AS secure_compare for CSRF token comparison    Guillermo Iguaran    2014-10-23    1    -2/+2
|
* remove duplicate method (_status_code) in action_dispatch    Abdelkader Boudih    2014-10-19    1    -1/+1
|
* Make _status_code methods nodoc    Prathamesh Sonpatki    2014-10-19    1    -3/+3
|
|     - Also one minor change for documenting url_for method in ActionController::Metal.
|
|     [ci skip]
* Replace (slower) block.call with (faster) yield    claudiob    2014-10-17    1    -2/+2
|
|     Performance optimization: `yield` with an implicit `block` is faster than `block.call`.
|
|     See http://youtu.be/fGFM_UrSp70?t=10m35s and the following benchmark:
|
|     ```ruby
|     require 'benchmark/ips'
|
|     def fast
|       yield
|     end
|
|     def slow(&block)
|       block.call
|     end
|
|     Benchmark.ips do |x|
|       x.report('fast') { fast{} }
|       x.report('slow') { slow{} }
|     end
|
|     # => fast 154095 i/100ms
|     # => slow 71454 i/100ms
|     # =>
|     # => fast 7511067.8 (±5.0%) i/s - 37445085 in 4.999660s
|     # => slow 1227576.9 (±6.8%) i/s - 6145044 in 5.028356s
|     ```
* Rephrasing sentences    Neeraj Singh    2014-10-07    1    -2/+2
|
* Parse HTML as document fragment.    Kasper Timm Hansen    2014-09-29    1    -1/+1
|
|     This is to match the changes in Rails Dom Testing rails/rails-dom-testing#20.
* Merge branch 'master' of github.com:rails/docrails    Vijay Dev    2014-09-28    1    -6/+6
|\
| * Consistently markup etag options.    Steven Harman    2014-09-16    1    -3/+3
| |
| * Consistently capitalize ETag.    Steven Harman    2014-09-16    1    -3/+3
| |
* | code gardening in ActionController::Renderers    Xavier Noria    2014-09-04    1    -7/+12
|/
|     * Renames _handle_render_options to _render_to_body_with_renderer, which is more intention-revealing.
|
|     * The name of the dynamically generated method for a renderer with key :js was "_render_option_js". That name is too weak. :js is an option if you see the render argument as just a generic options hash, but in the context of renderers that's the renderer key, is what identifies the renderer. Now "_render_with_renderer_js" is generated instead, which is crystal clear.
|
|     * The name of the dynamically generated method for the renderer was constructed using string literals in a few places. That is now encapsulated in a method.
|
|     * Since we were on it, also removed a couple of redundant selfs.
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token    Jeremy Kemper    2014-08-19    1    -3/+65
|\
| |     CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gem    Bradley Buda    2014-08-19    1    -3/+65
| |
| |     This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack.
| |
| |     The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Merge pull request #16299 from sikachu/ps-safer-ac-params    Jeremy Kemper    2014-08-19    1    -3/+84
|\ \
| | |     Update `ActionController::Parameters` to be more secure on parameters handling
| * | Use `#to_hash` instead of calling `super`    Prem Sichanugrist    2014-08-18    1    -1/+1
| | |
| | |     Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on Parameter    Prem Sichanugrist    2014-08-18    1    -1/+25
| | |
| | |     * `each`
| | |     * `each_pair`
| | |     * `delete`
| | |     * `select!`
| * | Refactor code to reduce duplicate `self.class.new`    Prem Sichanugrist    2014-08-18    1    -12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`    Prem Sichanugrist    2014-08-18    1    -0/+40
| | |
| | |     This is to make sure that `permitted` status is maintained on the resulting object.
| | |
| | |     I found these methods that need to be redefined by looking for `self.class.new` in the code.
| | |
| | |     * extract!
| | |     * transform_keys
| | |     * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keys    Prem Sichanugrist    2014-08-18    1    -0/+19
| | |
| | |     `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`.
| | |
| | |         params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
| | |         params.to_h # => {}
| | |
| | |         unsafe_params = params.dup.permit!
| | |         unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
| | |
| | |         safe_params = params.permit(:name)
| | |         safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
| | |
| | |     This change is considered a stopgap as we cannot change the code to stop `ActionController::Parameters` from inheriting from `HashWithIndifferentAccess` in the next minor release.
| | |
| | |     Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not be inheriting from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrails    Vijay Dev    2014-08-19    1    -2/+2
|\ \ \
| |/ /
|/| |
| | |     Conflicts:
| | |         actionpack/lib/action_controller/metal/mime_responds.rb
| | |         actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
| | |         activerecord/lib/active_record/type/value.rb
| * | Uppercase HTML in docs.    Hendy Tanata    2014-08-08    2    -9/+9
| | |
| | |     [skip ci]
* | | Merge pull request #15889 from carnesmedia/model-name    Rafael Mendonça França    2014-08-17    1    -1/+1
|\ \ \
| | | |     Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classes    Amiel Martin    2014-06-24    1    -1/+1
| | | |
| | | |     This allows rails code to be more confident when asking for a model name, instead of having to ask for the class.
| | | |
| | | |     Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'master' into loofah    Rafael Mendonça França    2014-08-17    7    -531/+109
|\ \ \ \
| | | | |     Conflicts:
| | | | |         actionpack/CHANGELOG.md
| * | | | `responders` 1.x won't do it. Told you to RTFM for details!    Godfrey Chan    2014-08-17    1    -3/+6
| | | | |
| * | | | The gem is called 'responders'    Godfrey Chan    2014-08-17    1    -2/+2
| | | | |
| * | | | Raise a more helpful error for people who are using these extracted features    Godfrey Chan    2014-08-17    1    -1/+16
| | | | |
| * | | | Move respond_with to the responders gem    José Valim    2014-08-17    2    -528/+3
| | | | |
| | | | |     respond_with (and consequently the class-level respond_to) are being removed from Rails. Instead of moving it to a 3rd library, the functionality will be moved to responders gem (at github.com/plataformatec/responders) which already provides some responders extensions.
| * | | | When your templates change, browser caches bust automatically.    Jeremy Kemper    2014-08-17    3    -6/+82
| | |_|/
| |/| |
| | | |     New default: the template digest is automatically included in your ETags. When you call `fresh_when @post`, the digest for `posts/show.html.erb` is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions.
| | | |
| | | |     If you render a different template, you can now pass the `:template` option to include its digest instead:
| | | |
| | | |         fresh_when @post, template: 'widgets/show'
| | | |
| | | |     Pass `template: false` to skip the lookup. To turn this off entirely, set:
| | | |
| | | |         config.action_controller.etag_with_template_digest = false
| * | | Merge pull request #16027 from tgxworld/template_assertions    Yves Senn    2014-08-14    1    -0/+9
| |\ \ \
| | | | |     Fixes to ActionController::TemplateAssertions
| | * | | Fix assert_template for files.    Guo Xiang Tan    2014-08-14    1    -0/+9
| | | | |
| | | | |     The test was not failing for `assert_template file: nil` when a file has been rendered.
| * | | | [ci skip] correct default cache store class    Aditya Kapoor    2014-08-13    1    -1/+1
| |/ / /
* | | | Merge branch 'master' into loofah    Rafael Mendonça França    2014-08-12    10    -92/+67
|\| | |
| | | |     Conflicts:
| | | |         actionpack/CHANGELOG.md
| | | |         actionpack/test/controller/integration_test.rb
| | | |         actionview/CHANGELOG.md
| * | | Pass block for logging.    Guo Xiang Tan    2014-08-09    1    -4/+6
| | | |
| | | |     This follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
| * | | Remove ActionController::RaiseActionExceptions.    Guo Xiang Tan    2014-08-07    1    -34/+0
| | | |
| | | |     The latest modification to the code was done in https://github.com/rails/rails/commit/5e3517ea. In Rails 3.2, `ActionController#rescue_action` was deprecated and `rescue_action_without_handler` is no longer being used.
| * | | refactor Redirecting so we do not need a controller instance    Aaron Patterson    2014-08-06    1    -3/+5
| | | |
| * | | avoid testing only_path    Aaron Patterson    2014-08-04    1    -2/+1
| | |/
| |/|
| | |     we know that this call only wants the path returned, so let's call a method that returns the path.
| * | Merge branch 'master' of github.com:rails/docrails    Vijay Dev    2014-08-02    1    -1/+2
| |\ \
| | | |     Conflicts:
| | | |         guides/source/testing.md
| | * | copy edits [ci skip]    Vijay Dev    2014-08-02    1    -3/+1
| | | |
| | * | Performed Returns true if redirect/render has happened    Gaurish Sharma    2014-07-19    1    -1/+4
| | | |
| * | | just set the host, no need for another hash allocation / merge!    Aaron Patterson    2014-08-01    1    -1/+1
| | | |
| * | | Simplify code branch, remove #tap    Carlos Antonio da Silva    2014-07-31    1    -7/+6
| | | |
| * | | Avoid a new hash object    Carlos Antonio da Silva    2014-07-31    1    -1/+1
| | | |
| * | | Fix protect_from_forgery docs    David Albert    2014-07-27    1    -1/+1
| | | |
| * | | docs, add ref where to find valid `head` status symbols.    Yves Senn    2014-07-25    1    -0/+2
| | | |
| | | |     [ci skip]
| * | | Bug fix for assert_template when opening a new session.    Guo Xiang Tan    2014-07-25    1    -5/+9
| | | |
| | | |     See https://github.com/rails/rails/pull/16234#commitcomment-7115670.
| * | | Fix AC::TemplateAssertions instance variables not resetting.    Guo Xiang Tan    2014-07-21    1    -5/+7
| | | |
| | | |     Fixes https://github.com/rails/rails/issues/16119.
| * | | Prefer to pass block when logging.    Guo Xiang Tan    2014-07-18    1    -25/+26
| | | |
| | | |     The Logger by default includes a guard which checks for the logging level. By removing the custom logging guards, we can decouple the logging guard from the logging action to be done.
| | | |
| | | |     This also follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.