aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch
Commit message (Collapse)AuthorAgeFilesLines
* Replace `loop` to `until`Molchanov Andrey2016-05-071-2/+1
|
* Make flash messages cookie compatible with Rails 4Rafael Mendonça França2016-05-061-1/+1
| | | | | | | | In #18721 we removed the discard key from the session hash used to flash messages and that broke compatibility with Rails 4 applications because they try to map in the discarded flash messages and it returns nil. Fixes #24726.
* Merge pull request #24029 from ↵Sean Griffin2016-05-061-9/+24
|\ | | | | | | | | | | | | rthbound/dont-call-each-when-calling-body-on-response Dont call each when calling body on response to fix #23964 Fixes #23964
| * Fixes #23964Ryan T. Hosford2016-03-131-9/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Adds #each_chunk to ActionDispatch::Response. it's a method which will be called by ActionDispatch::Response#each. - Make Response#each a proper method instead of delegating to @stream - In Live, instead of overriding #each, override #each_chunk. - `#each` should just spit out @str_body if it's already set - Adds #test_set_header_after_read_body_during_action to prove this fixes #23964 - Adds #test_each_isnt_called_if_str_body_is_written to ensure #each_chunk is not called when @str_body is available - Call `@response.sent!` in AC::TestCase's #perform so a test response acts a bit more like a real response. Makes test that call `#assert_stream_closed` pass again. - Additionally assert `#committed?` in `#assert_stream_closed` - Make test that was calling @response.stream.each pass again by calling @response.each instead.
* | Ensure compatibility between ActionDispatch::Request::Session and RackJon Moss2016-05-041-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding the `each` method is required for ensuring compatibility between Rails, and other Rack frameworks (like Sinatra, etc.), that are mounted within Rails, and wish to use its session tooling. Prior to this, there was an inconsistency between ActionDispatch::Request::Session and Rack::Session::Cookie, due to the absence of the `each` method. This should hopefully fix that error. :) For a full integration test with Sinatra and a standalone Rack application, you can check out the gist for that here: https://gist.github.com/maclover7/08cd95b0bfe259465314311941326470. Solves #15843.
* | Remove last uses of `@env[]` and `@env[]=`Jon Moss2016-04-282-12/+12
| | | | | | | | | | | | | | | | | | Last August (2015), @tenderlove worked to remove all `@env[]` and `@env[]=`, in favor of using `set_header`, `get_header`, etc. (Here's an [example commit](https://github.com/rails/rails/commit/f16a33b68efc3dc57cfafa27651b9a765e363fbf)). This PR should remove the last uses of these methods, and fully convert them to the newly standardized API.
* | Add more info to insecure URL generation errorDerek Prior2016-04-263-2/+11
| | | | | | | | | | | | | | | | I always appreciate having a bit more information as to why something is now an error. We can use this error to tell people why what they were previously doing is insecure and give them hints on how to fix it. Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
* | Merge pull request #23103 from rails/refactor-handling-of-action-defaultJeremy Daer2016-04-244-18/+13
|\ \ | | | | | | | | | Refactor handling of :action default in routing
| * | Refactor handling of :action default in routingAndrew White2016-02-164-18/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The longstanding convention in Rails is that if the :action parameter is missing or nil then it defaults to 'index'. Up until Rails 5.0.0.beta1 this was handled slightly differently than other routing defaults by deleting it from the route options and adding it to the recall parameters. With the recent focus of removing unnecessary duplications this has exposed a problem in this strategy - we are now mutating the request's path parameters and causing problems for later url generation. This will typically affect url_for rather a named url helper since the latter explicitly pass :controller, :action, etc. The fix is to add a default for :action in the route class if the path contains an :action segment and no default is passed. This change also revealed an issue with the parameterized part expiry in that it doesn't follow a right to left order - as soon as a dynamic segment is required then all other segments become required. Fixes #23019.
* | | Deprecate `request_via_redirect` method.Prathamesh Sonpatki2016-04-241-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | - Followup of https://github.com/rails/rails/issues/18693. - I think we missed deprecating `request_via_redirect` in that pull request. - Originally requested by DHH here https://github.com/rails/rails/issues/18333.
* | | Merge pull request #24031 from ↵Jeremy Daer2016-04-191-2/+1
|\ \ \ | | | | | | | | | | | | | | | | | | | | samphilipd/sam/do_not_clobber_options_in_route_definitions Do not destructively mutate passed options hash in route definitions
| * | | Do not destructively mutate passed options hash in route definitionsSam Davies2016-03-031-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Fixes #24030 An example scope might be specified as such: ```ruby HTML = { constraints: { format: :html } }.freeze scope HTML do get 'x' end ``` This currently raises an error because the mapper attempts to destructively modify the passed options hash. This is dangerous because this options hash might even be shared with other scopes. We should instead always instantiate a new object instead of modifying the passed options.
* | | | Merge pull request #24318 from bogdanvlviv/patch-1Rafael Mendonça França2016-04-121-1/+1
|\ \ \ \ | | | | | | | | | | | | | | | extension synonyms yml and yaml
| * | | | extension synonyms yml and yamlBogdan2016-03-271-1/+1
| | | | |
* | | | | Pass over all Rails 5 warnings, to make sure:Vipul A M2016-04-123-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - we are ending sentences properly - fixing of space issues - fixed continuity issues in some sentences. Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 . This change reverts making sure we add '.' at end of deprecation sentences. This is to keep sentences within Rails itself consistent and with a '.' at the end.
* | | | | Strong ETag validatorsJeremy Daer2016-03-311-15/+49
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag. Strong ETags are desirable when you're serving byte-for-byte identical responses that support Range requests, like PDFs or videos (typically done by reproxying the response from a backend storage service). Also desirable when fronted by some CDNs that support strong ETags only, like Akamai. * No longer strips quotes (`"`) from ETag values before comparing them. Quotes are significant, part of the ETag. A quoted ETag and an unquoted one are not the same entity. * Support `If-None-Match: *`. Rarely useful for GET requests; meant to provide some optimistic concurrency control for PUT requests.
* | | | | Fix deprecation warning for ParamsParser instance :smile:Prathamesh Sonpatki2016-03-301-1/+1
| | | | |
* | | | | Deprecate ActionDispatch::ParamsParser instance.Rafael Mendonça França2016-03-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Related with 38d2bf5fd1f3e014f2397898d371c339baa627b1. cc @tenderlove
* | | | | Fix typo in headers commentGrey Baker2016-03-291-1/+1
|/ / / /
* | | | Fix request.reset_session for API controllersJon Moss2016-03-192-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to that `ActionDispatch::Flash` (the flash API's middleware) is not included for API controllers, the `request.reset_session` method, which relies on there being a `flash=` method which is in fact defined by the middleware, was previously breaking. Similarly to how add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be overridden by the flash middleware in order to ensure non-breakage, this is how flashes are now reset. Fixes #24222
* | | | [skip ci] Reorder paragraphsDamir2016-03-101-3/+3
| | | | | | | | | | | | The previous order made sense [when `match` was used twice to point to two different actions](https://github.com/rails/rails/commit/7305ef842b675bf965f063de681a96294577fb84). In this case the note was misleading as posting to `/posts/:id` would still route to `show` action.
* | | | extract ActionDispatch::IntegrationTest::BehaviorScott Bronson2016-03-071-22/+35
| | | | | | | | | | | | | | | | | | | | Similar to 176fbfd6, this makes it possible for other test frameworks to hook into Rails integration test facilities.
* | | | Prevent not-intended loading of `ActionDispatch::IntegrationTest`yui-knk2016-03-071-0/+2
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | After 9d378747326d26cf1afdac4433ead22967af0984 `ActionDispatch::IntegrationTest` class is loaded and defined in all Rails environments, not only test but also production. This is not-intended loading of a class which is only used in test environment. To prevent not-intended loading, add `ActiveSupport.run_load_hooks` to `ActionDispatch::IntegrationTest` with `action_dispatch_integration_test` name and use it in `ActionMailer`.
* | | [ci skip] Fix constrain_to documentation.Kasper Timm Hansen2016-03-031-1/+1
| | | | | | | | | | | | | | | Forgot to update the documentation on the line just above the one I was changing in 4933132. Well done, Kasper :+1:
* | | Rename constrain_to to exclude.Kasper Timm Hansen2016-03-031-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some. The `constrain_to` option inverts this, so it sounds like the middleware only handles a few requests, rather than the majority with a few routes to opt out of the redirect. Renaming to `exclude` matches this intent more closely.
* | | Merge pull request #24027 from mechanicles/a-to-anXavier Noria2016-03-032-2/+2
|\ \ \ | |/ / |/| | Change 'a HTTP' to 'an HTTP' [ci skip]
| * | Change 'a HTTP' to 'an HTTP' [ci skip]Santosh Wadghule2016-03-032-2/+2
| | |
* | | Niceify the dynamic routes deprecation messagesJon Atack2016-03-031-2/+8
|/ / | | | | | | | | | | | | | | | | | | Follow-up to #23980. - Fix grammar: "be remove" -> "be removed". - Wrap lines at 80 chars. Lurvely ;-)
* | Do not run app.executor callbacks in integration testsJorge Bejar and Santiago Pastorino2016-03-021-11/+2
| | | | | | | | | | | | | | | | This reverts changes made to integration tests in PR #23807. The issue happens when using capybara with a driver that needs to start a server in a separate thread like (poltergeist, selenium, etc). Both threads the capybara server one and the test thread end running syncronize over the interlock.
* | Merge pull request #23980 from rails/deprecate-controller-action-segmentsAndrew White2016-03-011-0/+9
|\ \ | | | | | | Deprecate :controller and :action path parameters
| * | Deprecate :controller and :action path parametersAndrew White2016-03-011-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
* | | Don't reference Rails.application from inside a componentMatthew Draper2016-03-022-10/+8
| | |
* | | Publish AS::Executor and AS::Reloader APIsMatthew Draper2016-03-025-80/+58
|/ / | | | | | | | | | | These should allow external code to run blocks of user code to do "work", at a similar unit size to a web request, without needing to get intimate with ActionDipatch.
* | Merge pull request #23963 from gsamokovarov/exception-wrapper-no-ac-requireKasper Timm Hansen2016-02-291-1/+0
|\ \ | | | | | | Drop Action Controller require in ActionDispatch::ExceptionWrapper
| * | Drop Action Controller require in ActionDispatch::ExceptionWrapperGenadi Samokovarov2016-02-291-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We only reference the Action Controller error classes by name in ActionDispatch::ExceptionWrapper, so there is no need to explicitly require them. It drops a tiny coupling between Action Dispatch and Action Controller, so it makes me feel warm inside. We still have a lot of others AC requires in the AD code base, but here, we can save it. [ci skip]
* | | Add documentation for #13897 [skip ci]Bart de Water2016-02-291-3/+9
|/ /
* | add `constraint_to` option to SSL middlewareGreg Molnar2016-02-281-2/+6
| |
* | :nail_care:Rafael Mendonça França2016-02-251-2/+2
| |
* | Merge pull request #23852 from prathamesh-sonpatki/hsts-subdomainsRafael França2016-02-251-1/+12
|\ \ | | | | | | Enable HSTS with IncludeSubdomains header by default for new apps
| * | Update documentation and deprecation messagePrathamesh Sonpatki2016-02-251-3/+3
| | |
| * | Added deprecation for older appsPrathamesh Sonpatki2016-02-251-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | - For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
| * | HSTS without IncludeSubdomains is often uselessEgor Homakov2016-02-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | 1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases 2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing. That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
* | | Revert "Merge pull request #20851 from tomprats/indifferent-sessions"Matthew Draper2016-02-261-2/+2
| | | | | | | | | | | | | | | | | | | | | This reverts commit 22db455dbe9c26fe6d723cac0758705d9943ea4b, reversing changes made to 40be61dfda1e04c3f306022a40370862e3a2ce39. This finishes off what I meant to do in 6216a092ccfe6422f113db906a52fe8ffdafdbe6.
* | | Revert "Update Session to utilize indiffernt access"Matthew Draper2016-02-261-8/+14
|/ / | | | | | | | | | | | | | | | | | | | | This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a. HWIAs are better than silently deeply-stringified hashes... but that's a reaction to a shortcoming of one particular session store: we should not break the basic behaviour of other, more featureful, session stores in the process. Fixes #23884
* | [ci skip] Replace usage of rake routes with rails routesAbhishek Jain2016-02-252-2/+2
| |
* | Merge pull request #20851 from tomprats/indifferent-sessionsRafael Mendonça França2016-02-241-16/+10
|\ \ | | | | | | | | | Give Sessions Indifferent Access
| * | Update Session to utilize indiffernt accessTom Prats2016-01-301-14/+8
| | |
| * | Update session to have indifferent accessTom Prats2016-01-291-2/+2
| | |
* | | Fix `request.ssl?` bug with Action CableJon Moss2016-02-231-0/+4
| | | | | | | | | | | | | | | This bug affects `wss://` requests when running Action Cable in-app. Fixes #23620.
* | | Add `internal` attribute to routesJon Moss2016-02-223-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is meant to provide a way for Action Cable, Sprockets, and possibly other Rack applications to mark themselves as internal, and to exclude themselves from the routing inspector, and thus `rails routes` / `rake routes`. I think this is the only way to have mounted Rack apps be marked as internal, within AD/Journey. Another option would be to create an array of regexes for internal apps, and then to iterate over that everytime a request comes through. Also, I only had the first `add_route` method set `internal`'s default to false, to avoid littering it all over the codebase.