| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
JSONP should use mimetype application/javascript
|
| |\ |
|
| | |
| | |
| | |
| | | |
application/javascript
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This may break existing tests that are asserting the whole session contents
but should not break existing tests that are asserting individual keys - e.g:
class SomeControllerTest < ActionController::TestCase
setup do
session['user_id'] = 1
end
test "some test" do
get :some_action, nil, { 'another_var' => 2 }
# This assertion will now fail
assert_equal({ 'another_var' => 2 }, session)
# This assertion will still pass
assert_equal 2, session['another_var]
end
end
Fixes #1529.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
| | |
| | |
| | |
| | |
| | | |
ActionController::RoutingError are raised in router execution time and can not be
rescued in a controller.
|
|\ \ \
| | | |
| | | | |
Document that default_url_options must return a hash with symbolized keys
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit 174cf8b22064c3999dfa685014d5b31ac993bb54, reversing
changes made to 7ecd6a731bd60665bc6de94095137f0b2c4ada2a.
The reverted commit improved the performance in the wrong place, now we
have added this 6ddbd1844a6fd6aca2992f5f75c9f605cf89808f improvement.
|
|\ \ \
| | | |
| | | | |
Remove unnecessary in HTML 5 type attribute with default value
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
stringified keys
|
|\ \ \ \
| | | | |
| | | | | |
mo fasta and mo betta the url_for
|
| |/ / / |
|
|\ \ \ \
| |/ / /
|/| | | |
prevent the cache sweeper ignores NoMethodError
|
| | | | |
|
| | | | |
|
|/ / / |
|
| | |
| | |
| | |
| | | |
Closes #5632
|
| | |
| | |
| | |
| | |
| | | |
If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is a regression introduced in 16ee611fa, which breaks
remote forms that should also work without javascript. This commit
introduces config option that allows to configure this behavior
defaulting to the old behavior (ie. include authenticity token
in remote forms by default)
Conflicts:
actionpack/CHANGELOG.md
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously `rendered_format` was set only based on mime types
passed in Accept header, which was wrong if first type from
Accept was different than rendered partial. The fix is to simply
move setting rendered_format to the place where template
is available and grab format from the template. If it fails
we can fallback to formats passed by Accept header.
|
| | |
| | |
| | |
| | | |
Fix for #5440
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
add tests for stripping \r\n chars since that's already happening
|
| | |
| | |
| | |
| | |
| | |
| | | |
This method has no effect since exception handling was
moved to middlewares and ActionController tests do not
use any middlewares.
|
| | |
| | |
| | |
| | | |
forms if you pass true
|
| | |
| | |
| | |
| | | |
forms use the meta-tag value
|
| | | |
|
|\ \ \
| | | |
| | | | |
Don't ignore call to undefined method in Sweeper
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
More info http://edgeguides.rubyonrails.org/api_app.html
[Carlos Antonio da Silva & Santiago Pastorino]
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
configure how unverified request will be handled
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option
possible values:
- :reset_session (default)
- :exception
new applications are generated with:
protect_from_forgery :with => :exception
|
|/ / / / |
|
|/ / / |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
Allow the root route helper to accept just a string
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Optimize routes generation in simple cases.
If you pass to the route helper the same amount of arguments
as the required segments, route generation will be optimized
as a string interpolation. After this commit, `post_path(post)`
is about 6.5 times faster, `post_url(post)` is about 5 times.
|
| | | | |
|
|/ / / |
|
| | | |
|
| | | |
|
| | | |
|