| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
implementation
and defaults to `Digest::MD5`.
Replaced calls to `::Digest::MD5.hexdigest` with calls to `ActiveSupport::Digest.hexdigest`.
|
|\
| |
| | |
Normalize/process Cache-Control headers consistently
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the existing logic, the `Cache-Control` header may or may not get
normalized by additional logic depending on whether `response.cache_conrol`
has been modified. This leads to inconsistent behavior, since sometimes
`Cache-Control` can contain whatever a user sets and sometimes it gets
normalized, based on the logic inside of `set_conditional_cache_control!`. It
seems like this normalization process should happen regardless to ensure
consistent behavior.
|
|/ |
|
| |
|
|
|
|
|
| |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
| |
|
|
|
|
|
|
| |
".. with __dir__ we can restore order in the Universe." - by @fxn
Related to 5b8738c2df003a96f0e490c43559747618d10f5f
|
|
|
|
|
|
|
|
| |
In 4.2, since AC::Params inherited `Hash`, processing in the case of
`Hash` was done. But in 5.x, since AC::Params does not inherit `Hash`,
need to add care for AC::Params.
Related to 00285e7cf75c96553719072a27c27e4ab7d25b40
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
assert [1, 3].includes?(2) fails with unhelpful "Asserting failed" message
assert_includes [1, 3], 2 fails with "Expected [1, 3] to include 2" which makes it easier to debug and more obvious what went wrong
|
| |
|
|
|
|
|
|
|
|
| |
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces
Fix all violations in the repository.
|
| |
|
| |
|
|
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
| |
|
|
|
|
| |
Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
|
|
|
|
|
|
| |
* Restore the functionality of PR#14129, but do so with not nil to better indicate the purpose of the conditional
* Add a test when render_to_string called on ActionController::Base.new()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
Strong ETags are desirable when you're serving byte-for-byte identical
responses that support Range requests, like PDFs or videos (typically
done by reproxying the response from a backend storage service).
Also desirable when fronted by some CDNs that support strong ETags
only, like Akamai.
* No longer strips quotes (`"`) from ETag values before comparing them.
Quotes are significant, part of the ETag. A quoted ETag and an unquoted
one are not the same entity.
* Support `If-None-Match: *`. Rarely useful for GET requests; meant
to provide some optimistic concurrency control for PUT requests.
|
| |
|
|
|
|
|
|
|
|
| |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Conceptually revert #20276
The feature was implemented for the `responders` gem. In the end,
they did not need that feature, and have found a better fix (see
plataformatec/responders#131).
`ImplicitRender` is the place where Rails specifies our default
policies for the case where the user did not explicitly tell us
what to render, essentially describing a set of heuristics. If
the gem (or the user) knows exactly what they want, they could
just perform the correct `render` to avoid falling through to
here, as `responders` did (the user called `respond_with`).
Reverting the patch allows us to avoid exploding the complexity
and defining “the fallback for a fallback” policies.
2. `respond_to` and templates are considered exhaustive enumerations
If the user specified a list of formats/variants in a `respond_to`
block, anything that is not explicitly included should result
in an `UnknownFormat` error (which is then caught upstream to
mean “406 Not Acceptable” by default). This is already how it
works before this commit.
Same goes for templates – if the user defined a set of templates
(usually in the file system), that set is now considered exhaustive,
which means that “missing” templates are considered `UnknownFormat`
errors (406).
3. To keep API endpoints simple, the implicit render behavior for
actions with no templates defined at all (regardless of formats,
locales, variants, etc) are defaulted to “204 No Content”. This
is a strictly narrower version of the feature landed in #19036 and
#19377.
4. To avoid confusion when interacting in the browser, these actions
will raise an `UnknownFormat` error for “interactive” requests
instead. (The precise definition of “interactive” requests might
change – the spirit here is to give helpful messages and avoid
confusions.)
Closes #20666, #23062, #23077, #23564
[Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
|
| |
|
|
|
|
|
|
|
|
| |
This removes the following warning.
```
rails/actionpack/test/controller/render_test.rb:278: warning: assigned but unused variable - response
```
|
|
|
|
|
|
|
|
|
|
|
| |
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
|
|
|
|
|
|
| |
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
|
|
|
|
| |
[ci skip]
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The cache for `render file:` seems to also be used in the case of
`render(string)`. If one is supposed to be a hit and the other is
supposed to be a miss, and they both reference the same file, then the
cache could return incorrect values. This commit clears the cache
between runs so that we get non-cached behavior.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 5-0-beta-sec:
bumping version
fix version update task to deal with .beta1.1
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
|
| |
| |
| |
| |
| |
| | |
rails view directory
CVE-2016-0752
|
|/
|
|
| |
ActionDispatch::Http::Cache::Response#etag= such that etags set in fresh_when and stale? are weak. For #17556.
|
| |
|
|
|
|
|
|
| |
Since all controller instances are required to have a request and
response object, RackDelegation is no longer needed (we always have to
delegate to the response)
|
| |
|
|
|
|
|
|
|
|
|
| |
This will silence deprecation warnings.
Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
| |
|
| |
|
|
|
|
| |
`head` method works similar to `render` method with `:nothing` option
|
|
|
|
|
|
| |
It was returning false in normal circumstances.
This broke the `head :ok and return if` construct.
Add appropriate test.
|
|
|
|
|
|
|
|
|
| |
Add http_cache_forever to ActionController, so we can cache results
forever.
Things like static pages are a good candidate for this type of caching.
This cache only controls caching headers, so it is up to the browser to
cache those requests.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The methods `fresh_when` and `stale?` from ActionController::ConditionalGet
accept a single record as a short form for a hash. For instance
```ruby
def show
@article = Article.find(params[:id])
fresh_when(@article)
end
```
is just a short form for:
```ruby
def show
@article = Article.find(params[:id])
fresh_when(etag: @article, last_modified: @article.created_at)
end
```
This commit extends `fresh_when` and `stale?` to also accept a collection
of records, so that a short form similar to the one above can be used in
an `index` action. After this commit, the following code:
```ruby
def index
@article = Article.all
fresh_when(etag: @articles, last_modified: @articles.maximum(:created_at))
end
```
can be simply written as:
```ruby
def index
@article = Article.all
fresh_when(@articles)
end
```
|
|
|
|
|
|
|
|
|
|
|
|
| |
PR #18772 changed the parameters of `stale?` to use `kwargs`.
[As for this comment](https://github.com/rails/rails/pull/18872/files#r24456288)
the default value for the `etag` parameter should be `record`, not `nil`.
This commit fixes the code and introduces a test that:
- passed before #18872
- fails on the current master (after #18772)
- passes again after setting the default value of `etag` to `record`.
|
|
|
|
|
|
|
|
| |
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
|
|
|
|
|
|
|
|
|
| |
When `render` was moved from ActionPack to ActionView in acc8e259,
some fixtures required by the tests were duplicated, but they are
actually only required by ActionView tests.
To give one example, `double_render` is already defined [in the AV tests](https://github.com/rails/rails/blob/72139d8d310d896db78eaec98582c7a638135102/actionview/test/actionpack/controller/render_test.rb#L407)
and is never used in the ActionPack tests.
|