| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Due to that `ActionDispatch::Flash` (the flash API's middleware) is not
included for API controllers, the `request.reset_session` method, which
relies on there being a `flash=` method which is in fact defined by the
middleware, was previously breaking. Similarly to how
add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be
overridden by the flash middleware in order to ensure non-breakage, this
is how flashes are now reset.
Fixes #24222
|
|
|
| |
The previous order made sense [when `match` was used twice to point to two different actions](https://github.com/rails/rails/commit/7305ef842b675bf965f063de681a96294577fb84). In this case the note was misleading as posting to `/posts/:id` would still route to `show` action.
|
|
|
|
|
| |
Similar to 176fbfd6, this makes it possible for other test
frameworks to hook into Rails integration test facilities.
|
|
|
|
|
|
|
|
|
|
| |
After 9d378747326d26cf1afdac4433ead22967af0984 `ActionDispatch::IntegrationTest`
class is loaded and defined in all Rails environments, not only test but also
production. This is not-intended loading of a class which is only used in
test environment.
To prevent not-intended loading, add `ActiveSupport.run_load_hooks` to
`ActionDispatch::IntegrationTest` with `action_dispatch_integration_test` name
and use it in `ActionMailer`.
|
|
|
|
|
| |
Forgot to update the documentation on the line just above the one
I was changing in 4933132. Well done, Kasper :+1:
|
|
|
|
|
|
|
|
|
| |
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.
Renaming to `exclude` matches this intent more closely.
|
|\
| |
| | |
Change 'a HTTP' to 'an HTTP' [ci skip]
|
| | |
|
|/
|
|
|
|
|
|
|
|
| |
Follow-up to #23980.
- Fix grammar: "be remove" -> "be removed".
- Wrap lines at 80 chars.
Lurvely ;-)
|
|
|
|
|
|
|
|
| |
This reverts changes made to integration tests in PR #23807.
The issue happens when using capybara with a driver that needs to start a
server in a separate thread like (poltergeist, selenium, etc).
Both threads the capybara server one and the test thread end running
syncronize over the interlock.
|
|\
| |
| | |
Deprecate :controller and :action path parameters
|
| |
| |
| |
| |
| |
| |
| |
| | |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
| | |
|
|/
|
|
|
|
| |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
|\
| |
| | |
Drop Action Controller require in ActionDispatch::ExceptionWrapper
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We only reference the Action Controller error classes by name in
ActionDispatch::ExceptionWrapper, so there is no need to explicitly
require them.
It drops a tiny coupling between Action Dispatch and Action Controller,
so it makes me feel warm inside. We still have a lot of others AC
requires in the AD code base, but here, we can save it.
[ci skip]
|
|/ |
|
| |
|
| |
|
|\
| |
| | |
Enable HSTS with IncludeSubdomains header by default for new apps
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
| |
| |
| |
| |
| |
| |
| |
| | |
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
|
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 22db455dbe9c26fe6d723cac0758705d9943ea4b, reversing
changes made to 40be61dfda1e04c3f306022a40370862e3a2ce39.
This finishes off what I meant to do in 6216a092ccfe6422f113db906a52fe8ffdafdbe6.
|
|/
|
|
|
|
|
|
|
|
|
| |
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884
|
| |
|
|\
| |
| |
| | |
Give Sessions Indifferent Access
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
This bug affects `wss://` requests when running Action Cable in-app.
Fixes #23620.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is meant to provide a way for Action Cable, Sprockets, and possibly
other Rack applications to mark themselves as internal, and to exclude
themselves from the routing inspector, and thus `rails routes` / `rake
routes`.
I think this is the only way to have mounted Rack apps be marked as
internal, within AD/Journey. Another option would be to create an array
of regexes for internal apps, and then to iterate over that everytime a
request comes through. Also, I only had the first `add_route` method set
`internal`'s default to false, to avoid littering it all over the
codebase.
|
| |
| |
| |
| |
| | |
This will keep our current API working without having the users to
change their codebases.
|
| |
| |
| |
| |
| |
| | |
After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem.
Closes #23766
|
| | |
|
|\ \
| | |
| | | |
Remove unused Journey code
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- `VERSION` shouldn't be there anymore since Journey is technically part
of Action Dispatch now (and thus Action Pack, and follows the normal
Rails versioning scheme)
- `backwards.rb` was only in the file tree because early in the history
or Journey (back in 2011!), it was moved from under the Rack namespace, to its own
namespace, Journey! This file is no longer required, and is assigning
constants that are no longer needed.
|
|\ \ \
| | | |
| | | |
| | | |
| | | | |
bf4/incorrect_to_accept_json_api_and_not_render_spec
The JSON API media type should only work wih a JSON API handler
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Since the media type 'application/vnd.api+json' is a spec,
it is inappropriate to handle it with the JSON renderer.
This PR removes support for a JSON API media type.
I would recommend the media type be registered on its own as `jsonapi`
when a jsonapi Renderer and deserializer (Http::Parameters::DEFAULT_PARSERS) are added.
Is related to work in https://github.com/rails/rails/pull/21496
|
| |/ /
|/| |
| | |
| | | |
This change was added in #23203 and it was not conforming our code style.
|
|\ \ \
| | | |
| | | | |
application/gzip added as default mime type into mime type list
|
| | | | |
|
|\ \ \ \
| |_|/ /
|/| | | |
WIP: Errors in logs should show log tags as well.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- Changed formatted_code_for to return array of logs to be tagged for each line
- Changed some render tests to match new behaviour of return
Fixes #22979
|
|\ \ \ \
| | | | |
| | | | | |
Use a URL instead of an URL everywhere
|
| | |/ /
| |/| | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Multiple cookie values should be separated by '; ' according
to RFC 6265, section 5.4.4[1].
[1]: https://tools.ietf.org/html/rfc6265#section-5.4
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | |
| | | | | |
into ma2gedev-should-escape-cookie
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Get an incorrect cookie value in controller action method
if cookie value contains an escapable string.
|
| |/ / /
|/| | | |
|