aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller
Commit message (Collapse)AuthorAgeFilesLines
...
* | | `params.permitted?` is false by defaultJon Moss2016-06-231-0/+6
|/ / | | | | | | | | In the docs: "+permit_all_parameters+ - If it's +true+, all the parameters will be permitted by default. The default is +false+."
* | render_to_string Regression Outside of Real Requests in Rails 5.0.0.rc1 (#25308)Brandon Medenwald2016-06-091-0/+7
| | | | | | | | | | | | * Restore the functionality of PR#14129, but do so with not nil to better indicate the purpose of the conditional * Add a test when render_to_string called on ActionController::Base.new()
* | Add regression test to `as` option.Kasper Timm Hansen2016-06-071-0/+16
| | | | | | | | | | Was worried the `as` might impede on users doing the long form JSON response encoding; test for certainty.
* | Use `#performed?` to terminate controller callbacksJeff Kreeftmeijer2016-06-031-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since 69009f, `ActionController::Metal::DataStreaming#send_file` doesn't set `@_response_body` anymore. `AbstractController::Callbacks` used `@_response_body` in its callback terminator, so it failed to halt the callback cycle when using `#send_file` from a `before_action`. Instead, it now uses `#performed?` on `AbstractController::Base` and `ActionController::Metal`, which checks `response.committed?`, besides checking if `@_response_body` is set, if possible. Example application: https://gist.github.com/jeffkreeftmeijer/78ae4572f36b198e729724b0cf79ef8e
* | Clean up the test request/response even after an exceptionMatthew Draper2016-06-011-0/+24
| |
* | More Action Pack `abstract_unit` cleanup (#25211)Jon Moss2016-05-312-1/+21
| | | | | | | | | | - Remove dead classes / dead code - Move class definitions to where they are used, don't define in a shared space
* | Move `Workshop` class definitionJon Moss2016-05-301-0/+18
| | | | | | | | | | We should define it only where we need it, not in the global abstract unit :grimacing:
* | Respect `log_warning_on_csrf_failure` setting for all CSRF failuresMatthew Caruana Galizia2016-05-231-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well. Closes #25086. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* | Support for unified Integer class in Ruby 2.4+Jeremy Daer2016-05-182-3/+3
| | | | | | | | | | | | | | | | Ruby 2.4 unifies Fixnum and Bignum into Integer: https://bugs.ruby-lang.org/issues/12005 * Forward compat with new unified Integer class in Ruby 2.4+. * Backward compat with separate Fixnum/Bignum in Ruby 2.2 & 2.3. * Drops needless Fixnum distinction in docs, preferring Integer.
* | Action Mailer: Declarative exception handling with `rescue_from`.Jeremy Daer2016-05-151-30/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Follows the same pattern as controllers and jobs. Exceptions raised in delivery jobs (enqueued by `#deliver_later`) are also delegated to the mailer's rescue_from handlers, so you can handle the DeserializationError raised by delivery jobs: ```ruby class MyMailer < ApplicationMailer rescue_from ActiveJob::DeserializationError do … end ``` ActiveSupport::Rescuable polish: * Add the `rescue_with_handler` class method so exceptions may be handled at the class level without requiring an instance. * Rationalize `exception.cause` handling. If no handler matches the exception, fall back to the handler that matches its cause. * Handle exceptions raised elsewhere. Pass `object: …` to execute the `rescue_from` handler (e.g. a method call or a block to instance_exec) against a different object. Defaults to `self`.
* | Make flash messages cookie compatible with Rails 4Rafael Mendonça França2016-05-061-2/+2
| | | | | | | | | | | | | | | | In #18721 we removed the discard key from the session hash used to flash messages and that broke compatibility with Rails 4 applications because they try to map in the discarded flash messages and it returns nil. Fixes #24726.
* | Merge pull request #24029 from ↵Sean Griffin2016-05-061-1/+2
|\ \ | | | | | | | | | | | | | | | | | | rthbound/dont-call-each-when-calling-body-on-response Dont call each when calling body on response to fix #23964 Fixes #23964
| * | Fixes #23964Ryan T. Hosford2016-03-131-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Adds #each_chunk to ActionDispatch::Response. it's a method which will be called by ActionDispatch::Response#each. - Make Response#each a proper method instead of delegating to @stream - In Live, instead of overriding #each, override #each_chunk. - `#each` should just spit out @str_body if it's already set - Adds #test_set_header_after_read_body_during_action to prove this fixes #23964 - Adds #test_each_isnt_called_if_str_body_is_written to ensure #each_chunk is not called when @str_body is available - Call `@response.sent!` in AC::TestCase's #perform so a test response acts a bit more like a real response. Makes test that call `#assert_stream_closed` pass again. - Additionally assert `#committed?` in `#assert_stream_closed` - Make test that was calling @response.stream.each pass again by calling @response.each instead.
* | | Implement helpers proxy in controller instance levelRafael Mendonça França2016-05-051-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is a common pattern in the Rails community that when people want to :xa use any kind of helper that is defined inside app/helpers they includes the helper module inside the controller like: module UserHelper def my_user_helper # ... end end class UsersController < ApplicationController include UserHelper def index render inline: my_user_helper end end This has problem because the helper can't access anything that is defined in the view level context class. Also all public methods of the helper become available in the controller what can lead to undesirable methods being routed and behaving as actions. Also if you helper depends on other helpers or even Action View helpers you need to include each one of these dependencies in your controller otherwise your helper is not going to work. We already have a helpers proxy at controller class level but that proxy doesn't have access to the instance variables defined in the controller. With this new instance level helper proxy users can reuse helpers in the controller without having to include the modules and with access to instance variables defined in the controller. class UsersController < ApplicationController def index render inline: helpers.my_user_helper end end
* | | Add more info to insecure URL generation errorDerek Prior2016-04-261-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | I always appreciate having a bit more information as to why something is now an error. We can use this error to tell people why what they were previously doing is insecure and give them hints on how to fix it. Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
* | | Merge pull request #24641 from rafaelfranca/fix-per-form-token-with-full-urlJeremy Daer2016-04-251-0/+13
|\ \ \ | | | | | | | | | | | | Discart the schema and host information when building the per-form token
| * | | Discart the schema and host information when building the per-form tokenRafael Mendonça França2016-04-201-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the token is generated by the form we were using the schema and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it. Fix #24257
* | | | Merge pull request #23103 from rails/refactor-handling-of-action-defaultJeremy Daer2016-04-241-2/+2
|\ \ \ \ | | | | | | | | | | | | | | | Refactor handling of :action default in routing
| * | | | Refactor handling of :action default in routingAndrew White2016-02-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The longstanding convention in Rails is that if the :action parameter is missing or nil then it defaults to 'index'. Up until Rails 5.0.0.beta1 this was handled slightly differently than other routing defaults by deleting it from the route options and adding it to the recall parameters. With the recent focus of removing unnecessary duplications this has exposed a problem in this strategy - we are now mutating the request's path parameters and causing problems for later url generation. This will typically affect url_for rather a named url helper since the latter explicitly pass :controller, :action, etc. The fix is to add a default for :action in the route class if the path contains an :action segment and no default is passed. This change also revealed an issue with the parameterized part expiry in that it doesn't follow a right to left order - as soon as a dynamic segment is required then all other segments become required. Fixes #23019.
* | | | | Deprecate `request_via_redirect` method.Prathamesh Sonpatki2016-04-241-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Followup of https://github.com/rails/rails/issues/18693. - I think we missed deprecating `request_via_redirect` in that pull request. - Originally requested by DHH here https://github.com/rails/rails/issues/18333.
* | | | | Fix ApplicationController.renderer.defaults.merge!Jon Moss2016-04-201-0/+8
| |/ / / |/| | | | | | | | | | | | | | | | | | | | | | | Previously, users were trying to modify a frozen Hash. Includes a regression test :) Fixes #22975
* | | | Properly verify that cache accepts and user `expires` value.Vipul A M2016-04-171-1/+4
| | | |
* | | | Filter scalar values when params permit hashes or arraysSean Griffin2016-04-151-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | This brings the behavior more inline with other similar cases, such as receiving a hash when an array of scalars was expected. Prior to this commit, the key would be present, but the value would be `nil`
* | | | Pass over all Rails 5 warnings, to make sure:Vipul A M2016-04-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - we are ending sentences properly - fixing of space issues - fixed continuity issues in some sentences. Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 . This change reverts making sure we add '.' at end of deprecation sentences. This is to keep sentences within Rails itself consistent and with a '.' at the end.
* | | | Fixes #24239Ryan T. Hosford2016-04-041-0/+21
| | | | | | | | | | | | | | | | | | | | - skip calling helper_method if it's not there: if we don't have helpers, we needn't define one. - tests that an api controller can include and use ActionController::Cookies
* | | | Strong ETag validatorsJeremy Daer2016-03-311-15/+43
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag. Strong ETags are desirable when you're serving byte-for-byte identical responses that support Range requests, like PDFs or videos (typically done by reproxying the response from a backend storage service). Also desirable when fronted by some CDNs that support strong ETags only, like Akamai. * No longer strips quotes (`"`) from ETag values before comparing them. Quotes are significant, part of the ETag. A quoted ETag and an unquoted one are not the same entity. * Support `If-None-Match: *`. Rarely useful for GET requests; meant to provide some optimistic concurrency control for PUT requests.
* | | Use the most highest priority exception handler when cause is setSean Griffin2016-03-111-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There was some subtle breakage caused by #18774, when we removed `#original_exception` in favor of `#cause`. However, `#cause` is automatically set by Ruby when raising an exception from a rescue block. With this change, we will use whichever handler has the highest priority (whichever call to `rescue_from` came last). In cases where the outer has lower precidence than the cause, but the outer is what should be handled, cause will need to be explicitly unset. Fixes #23925
* | | Merge pull request #22854 from jcoyne/missing_templateSean Griffin2016-03-111-0/+15
|\ \ \ | | | | | | | | | | | | Default rendering behavior if respond_to collector doesn't have a block.
| * | | Render default template if block doesn't renderJustin Coyne2016-02-251-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a `respond_to` collector doesn't have a response, then a `:no_content` response should be rendered. This brings the default rendering behavior introduced by https://github.com/rails/rails/issues/19036 to controller methods employing `respond_to`
* | | | Add `ActionController::Parameters#dig`Sean Griffin2016-03-091-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | This method will only be added when used with Ruby 2.3.0 or greater. This method has the same behavior as `Hash#dig`, except it will convert hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.
* | | | Pass headers through to payload for logging.Gareth du Plooy2016-03-081-0/+6
| | | | | | | | | | | | | | | | Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.
* | | | Remove http_cache_forever's version parameterJean Boussier2016-03-051-9/+1
| |_|/ |/| |
* | | Deprecate :controller and :action path parametersAndrew White2016-03-0119-114/+292
|/ / | | | | | | | | | | | | | | Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
* | Lock down new `ImplicitRender` behavior for 5.0 RCGodfrey Chan2016-02-252-35/+83
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Conceptually revert #20276 The feature was implemented for the `responders` gem. In the end, they did not need that feature, and have found a better fix (see plataformatec/responders#131). `ImplicitRender` is the place where Rails specifies our default policies for the case where the user did not explicitly tell us what to render, essentially describing a set of heuristics. If the gem (or the user) knows exactly what they want, they could just perform the correct `render` to avoid falling through to here, as `responders` did (the user called `respond_with`). Reverting the patch allows us to avoid exploding the complexity and defining “the fallback for a fallback” policies. 2. `respond_to` and templates are considered exhaustive enumerations If the user specified a list of formats/variants in a `respond_to` block, anything that is not explicitly included should result in an `UnknownFormat` error (which is then caught upstream to mean “406 Not Acceptable” by default). This is already how it works before this commit. Same goes for templates – if the user defined a set of templates (usually in the file system), that set is now considered exhaustive, which means that “missing” templates are considered `UnknownFormat` errors (406). 3. To keep API endpoints simple, the implicit render behavior for actions with no templates defined at all (regardless of formats, locales, variants, etc) are defaulted to “204 No Content”. This is a strictly narrower version of the feature landed in #19036 and #19377. 4. To avoid confusion when interacting in the browser, these actions will raise an `UnknownFormat` error for “interactive” requests instead. (The precise definition of “interactive” requests might change – the spirit here is to give helpful messages and avoid confusions.) Closes #20666, #23062, #23077, #23564 [Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
* | Show permitted flag in the output of AC::Parameters#inspectPrathamesh Sonpatki2016-02-241-3/+13
| | | | | | | | - Fixes #23822.
* | Fix `request.ssl?` bug with Action CableJon Moss2016-02-231-0/+9
| | | | | | | | | | This bug affects `wss://` requests when running Action Cable in-app. Fixes #23620.
* | remove args from assert_nothing_raised in testsTara Scherner de la Fuente2016-02-221-1/+1
| |
* | Transform the mime object to symbol when registering the parsersRafael Mendonça França2016-02-221-1/+1
| | | | | | | | | | This will keep our current API working without having the users to change their codebases.
* | Use symbol of mime type instead of object to get correct parserMehmet Emin İNAÇ2016-02-221-2/+2
| | | | | | | | | | | | After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem. Closes #23766
* | Make per form token work when method is not providedRafael Mendonça França2016-02-221-2/+16
| | | | | | | | | | | | When `button_to 'Botton', url` form was being used the per form token was not correct because the method that is was being used to generate it was an empty string.
* | Merge pull request #23752 from vipulnsward/23524-fix-button_to_deleteRafael Mendonça França2016-02-221-48/+60
|\ \ | | | | | | | | | Fixed passing of delete method on button_to tag, creating wrong form csrf token
| * | Refactored Request Forgery CSRF PerFormTokensController tests and DRY'ed ↵Vipul A M2016-02-221-70/+38
| | | | | | | | | | | | them up.
| * | Fixed passing of delete method on button_to tag, creating wrong form csrf tokenVipul A M2016-02-211-0/+44
| | | | | | | | | | | | Fixes #23524
* | | Merge pull request #23695 from kaspth/remove-automatic-collection-cachingKasper Timm Hansen2016-02-201-16/+5
|\ \ \ | |/ / |/| | Make collection caching explicit.
| * | Make collection caching explicit.Kasper Timm Hansen2016-02-201-16/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Having collection caching that wraps templates and automatically tries to infer if they are cachable proved to be too much of a hassle. We'd rather have it be something you explicitly turn on. This removes much of the code and docs to explain the previous automatic behavior. This change also removes scoped cache keys and passing cache_options.
* | | Deprecate AC::Parameters#== with a HashBenjamin Quorning2016-02-191-2/+4
| | |
* | | Fix AC::Parameters#== with other AC::ParametersBenjamin Quorning2016-02-191-0/+33
| | | | | | | | | | | | Creating a protected getter method for `@parameters`.
* | | Tests for AC::Parameters#==Benjamin Quorning2016-02-191-0/+6
| | |
* | | Fix master buildJon Moss2016-02-181-1/+1
|/ /
* | fields_for_style needs to test for AC::ParametersAaron Patterson2016-02-171-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | While iterating an AC::Parameters object, the object will mutate itself and stick AC::Parameters objects where there used to be hashes: https://github.com/rails/rails/blob/f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9/actionpack/lib/action_controller/metal/strong_parameters.rb#L632 If you use `permit` after this iteration, the `fields_for_style` method wouldn't return true because the child objects are now AC::Parameters objects rather than Hashes. fixes #23701