| Commit message | Author | Age | Files | Lines |
|
I always appreciate having a bit more information as to why something is
now an error. We can use this error to tell people why what they were
previously doing is insecure and give them hints on how to fix it.
Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
|
Refactor handling of :action default in routing
|
The longstanding convention in Rails is that if the :action parameter
is missing or nil then it defaults to 'index'. Up until Rails 5.0.0.beta1
this was handled slightly differently than other routing defaults by
deleting it from the route options and adding it to the recall parameters.
With the recent focus of removing unnecessary duplications this has
exposed a problem in this strategy - we are now mutating the request's
path parameters and causing problems for later url generation. This will
typically affect url_for rather than a named url helper since the latter
explicitly passes :controller, :action, etc.
The fix is to add a default for :action in the route class if the path
contains an :action segment and no default is passed. This change also
revealed an issue with the parameterized part expiry in that it doesn't
follow a right to left order - as soon as a dynamic segment is required
then all other segments become required.
Fixes #23019.
|
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
Follow-up to #23980.
- Fix grammar: "be remove" -> "be removed".
- Wrap lines at 80 chars.
Lurvely ;-)
|
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
- Earlier only Hash was allowed as params argument to url_helpers.
- Now ActionController::Parameters instances will also be allowed.
- If the params are not secured then it will raise an ArgumentError to
indicate that constructing URLs with non-secure params is not recommended.
- Fixes #22832.
|
This code was added for migration from Rails 3.1 to upper,
now we are developing Rails 5.
|
`Forwardable` has been used in the past
|
When generating the url for a mounted engine through its proxy, the path should be the sum of three parts:
1. Any `SCRIPT_NAME` request header or the value of `ActionDispatch::Routing::RouteSet#relative_url_root`.
2. A prefix (the engine's mounted path).
3. The path of the named route inside the engine.
Since commit https://github.com/rails/rails/commit/44ff0313c121f528a68b3bd21d6c7a96f313e3d3, this has been broken. Step 2 has been changed to:
2. A prefix (the value of `ActionDispatch::Routing::RouteSet#relative_url_root` + the engine's mounted path).
The value of `ActionDispatch::Routing::RouteSet#relative_url_root` is taken into account in step 1 of the route generation and should be ignored when generating the mounted engine's prefix in step 2.
This commit fixes the regression by having `ActionDispatch::Routing::RouteSet#url_for` check `options[:relative_url_root]` before falling back to `ActionDispatch::Routing::RouteSet#relative_url_root`. The prefix generating code then sets `options[:relative_url_root]` to an empty string. This empty string is used instead of `ActionDispatch::Routing::RouteSet#relative_url_root` and avoids the duplicate `relative_url_root` value in the final result.
This resolves #20920 and resolves #21459
|
Controllers should always have a request and response when responding.
Since we make this The Rule(tm), then controllers don't need to be
somewhere in limbo between "asking a response object for a rack
response" or "I, myself contain a rack response". This duality leads to
conditionals spread through the codebase that we can delete:
* https://github.com/rails/rails/blob/85a78d9358aa728298cd020cdc842b55c16f9549/actionpack/lib/action_controller/metal.rb#L221-L223
|
This saves a lambda and request allocation on each request.
|
controllers should always go through the `action` class method so that
their middleware is respected.
|
now the caller can just treat it like a regular controller even though
it will return a 404
|
the dispatcher class isn't configurable anymore, so pull up allocation
to the method that needs it.
|
Now that we don't have subclasses depending on this method (they augment
the request class instead of the dispatch class) we can remove this
method and directly ask the request object for the controller class
|
we don't need it anymore. We always use the same dispatcher in tests.
|
controller class resolution has been moved to the request object, so we
should override that method instead of relying on the RouteSet to
generate the controller class.
|
Since none of the action pack tests failed without this conditional it
didn't seem necessary. This fixes the build because it correctly returns
a 404 instead of a 500 for the asset routes test.
Test that was failing was in the `assets_test.rb` file and was the test
named `test_assets_routes_are_not_drawn_when_compilation_is_disabled`.
|
This refactoring moves the controller class name that was on the route
set to the request. The purpose of this refactoring is for changes we
need to move controller tests to integration tests, mainly being able to
access the controller on the request instead of having to go through
the router.
[Eileen M. Uchitelle & Aaron Patterson]
|
`ActiveSupport::Dependencies.constantize(const_name)` calls
`Reference.new` which is defined as
`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
is already cached and we're doing caching that isn't necessary.
|
nobody should be touching the routes hash without going through the
NamedRouteCollection object.
|
The outer router object already keeps a hash of named routes, so we
should just use that.
|
refactor the tests with a backwards compatible method call so we can rm
add_route2 from the journey router
|
then we can let the mapping object derive stuff that the Route object
needs.
|
now that we aren't doing options manipulations, we can just pass the
mapping object down and read values from it.
|
now we don't need to add it to a hash and delete it from the hash later
just to pass it around
|
we don't need to keep adding it and deleting it from hashes.
|
It just constructs a Path::Pattern object with the AST that it already
has
|
This was a useless object. We can just directly construct a
Path::Pattern object without a Strexp object.
|
the caller already has it, there is no reason to pack it in to an object
and just throw that object away.
|
we always pass all parameters, so there is no reason to provide default
arguments.
|
This method raises conditionally, not always, so we should not document
it as always raising.
|
We should return when the controller key is not present or if the
controller doesn't exist and we didn't raise an error.
|
we need to get a grip on what `scope` actually does. This commit
removes some of the internal calls to `scope`. Eventually we should add
public facing methods that provide the API that `scope` is trying to
accomplish.
|
`prepare_params!` would raise an exception if `params` wasn't
initialized, so it must always be available. Remove the existence
conditional from the `controller` method.
|
The method we called already has the conditional we need. Just add an
else block so that we don't need two tests.
|
`Dispatcher` doesn't need to hold on to the defaults hash. It only used
the hash to determine whether or not it should raise an exception if
there is a name error. We can pass that in further up the stack and
alleviate Dispatcher from knowing about that hash.
|
replace each with each_key when only the key is needed
|
Using each_key is faster and more intention revealing.
Calculating -------------------------------------
each 31.378k i/100ms
each_key 33.790k i/100ms
-------------------------------------------------
each 450.225k (± 7.0%) i/s - 2.259M
each_key 494.459k (± 6.3%) i/s - 2.467M
Comparison:
each_key: 494459.4 i/s
each: 450225.1 i/s - 1.10x slower
|
scope so that they are available to subclasses.
|
Remove duplicated `Array#to_param`
|