| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
#13382]
|
| |\
| |
| |
| |
| |
| |
| | |
Add configuration option to optionally disable deep_munge
Conflicts:
actionpack/CHANGELOG.md
|
| | | |
|
| |\ \ |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Closes #9625
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Change most tests to make use of assert_raise returning the raised
exception rather than relying on a combination of flunk + rescue to
check for exception types/messages.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
renamed to `Minitest`
Ref: https://github.com/seattlerb/minitest/blob/master/History.txt
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
CSRF protection from cross-origin <script> tags
|
| | | | |
| | | |
| | | |
| | | | |
Thanks to @homakov for sounding the alarm about JSONP-style data leaking
|
| |/ / / |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Session#fetch was mutating the session when given a default argument
and/or a block. Since Session duck-types as a Hash, it should behave
like one in these cases.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When a route is mounted inside a resources block, it's automatically
prefixed, so a following code:
resources :users do
mount Blog::Engine => '/blog'
end
will generate a user_blog path helper.
In order to access engine helpers, we also use "mounted_helpers", a list
of helpers associated with each mounted engine, so a path to blog's post
can be generated using user_blog.post_path(user, post).
The problem I'm fixing here is that mount used a raw :as option, without
taking nestings into account. As a result, blog was added to a route set
as a `user_blog`, but helper was generated for just `blog`.
This commit applies the proper logic for defining a helper for a mounted
engine nested in resources or resource block.
(closes #8533)
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In most cases, when setting variant specific code, you're not sharing any code
within format.
Inline syntax can vastly simplify defining variants in those situations:
respond_to do |format|
format.js { render "trash" }
format.html do |variant|
variant.phone { redirect_to progress_path }
variant.none { render "trash" }
end
end
Becomes:
respond_to do |format|
format.js { render "trash" }
format.html.phone { redirect_to progress_path }
format.html.none { render "trash" }
end
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
little more work!
This reverts commit 186161148a189839a1e0924043f068a8d155ce69, reversing
changes made to cad9eb178ea5eec0e27d74e93518f4ed34e2f997.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In most cases, when setting variant specific code, you're not sharing any code
within format.
Inline syntax can vastly simplify defining variants in those sitiations:
respond_to do |format|
format.js { render "trash" }
format.html do |variant|
variant.phone { redirect_to progress_path }
variant.none { render "trash" }
end
end
`
Becomes:
respond_to do |format|
format.js { render "trash" }
format.html.phone { redirect_to progress_path }
format.html.none { render "trash" }
end
|
| | | |
| | |
| | |
| | | |
controller
|
| | | | |
|
| | | |
| | |
| | |
| | | |
Added here 13dd38cee79be39f7b399e142fd78295dddd2abb
|
| | |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
By default, variants in the templates will be picked up if a variant is set
and there's a match. The format will be:
app/views/projects/show.html.erb
app/views/projects/show.html+tablet.erb
app/views/projects/show.html+phone.erb
If request.variant = :tablet is set, we'll automatically be rendering the
html+tablet template.
In the controller, we can also tailer to the variants with this syntax:
class ProjectsController < ActionController::Base
def show
respond_to do |format|
format.html do |html|
@stars = @project.stars
html.tablet { @notifications = @project.notifications }
html.phone { @chat_heads = @project.chat_heads }
end
format.js
format.atom
end
end
end
The variant itself is nil by default, but can be set in before filters, like
so:
class ApplicationController < ActionController::Base
before_action do
if request.user_agent =~ /iPad/
request.variant = :tablet
end
end
end
This is modeled loosely on custom mime types, but it's specifically not
intended to be used together. If you're going to make a custom mime type,
you don't need a variant. Variants are for variations on a single mime
types.
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* master-sec:
Deep Munge the parameters for GET and POST
Stop using i18n's built in HTML error handling.
Ensure simple_format escapes its html attributes
Escape the unit value provided to number_to_currency
Only use valid mime type symbols as cache keys
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
Conflicts:
actionpack/CHANGELOG.md
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This PR fixes #13064 regression bug introduced by the #8085
Now in _process_format when the format is a Mime::NullType nothing is written in self.content_type.
In this way the method Response#assign_default_content_type_and_charset can
write the the default mime_type.
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
Add regression test for IpSpoofAttackError issue
Closes #10780
|
| | | | |
| | | |
| | | |
| | | | |
See #10780
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A path redirect may contain any and all parts of a url which have different
escaping rules for each part. This commit tries to escape each part correctly
by splitting the string into three chunks - path (which may also include a host),
query and fragment; then it applies the correct escape pattern to each part.
Whilst using `URI.parse` would be better, unfortunately the possible presence
of %{name} parameters in the path redirect string prevents us from using it so
we have to use a regular expression instead.
Fixes #13110.
|
| | | | | |
|
| | | | | |
|
| | |/ /
|/| | |
|
| | | |
| | |
| | |
| | |
| | | |
This commit makes it really easy to debug errors due to typos like
"assert_response :succezz".
|
| | |/
|/|
| |
| |
| |
| | |
Previous behaviour was MRI-dependent, now we're making sure the message
is correctly shown: something that can be relyied upon across every
Ruby implementation.
|
| | |
| |
| |
| |
| |
| | |
Broken by
6701b4cf41f6f3d9cfc6a93715acbf852d1e468e
|
| | |
| |
| |
| | |
This commit fixes formatting issue for `rake routes` task, when a section is shorter than a header.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
This test is broken from quite a while & is expected to remain broken as
encoding issues are hardest to fix in JRuby. so lets skip this test for
now
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
JSON.{dump,generate} offered by the JSON gem is not compatiable with
Rails at the moment and can cause a lot of subtle bugs when passed
certain data structures. This changed all direct usage of the JSON gem
in internal Rails code to always go through AS::JSON.{decode,encode}.
We also shouldn't be implementing `to_json` most of the time, and
these occurances are replaced with an equivilent `as_json`
implementation to avoid problems down the road.
See [1] for all the juicy details.
[1]: intridea/multi_json#138 (comment)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
sebasoga/change_strong_parameters_require_behaviour"
This reverts commit c2b5a8e61ba0f35015e6ac949a5c8fce2042a1f2, reversing
changes made to 1918b12c0429caec2a6134ac5e5b42ade103fe90.
See: https://github.com/rails/rails/pull/9660#issuecomment-27627493
|
| |\ \
| | |
| | |
| | |
| | | |
sebasoga/change_strong_parameters_require_behaviour
Change ActionController::Parameters#require behavior when value is empty
|
| | | |
| | |
| | |
| | |
| | | |
When the value for the required key is empty an ActionController::ParameterMissing is raised which gets caught by ActionController::Base and turned into a 400 Bad Request reply with a message in the body saying the key is missing, which is misleading.
With these changes, ActionController::EmptyParameter will be raised which ActionController::Base will catch and turn into a 400 Bad Request reply with a message in the body saying the key value is empty.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Mention it in the changelog and add a test checking for regressions.
Hash#fetch isn't adding the defaultly returned value.
However, in the session, saving it is the behavior we should expect.
See discussion in #12692
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After this fix application config become available when calling helper outisde of view
config/application.rb
#...
config.asset_host = 'http://mycdn.com'
#...
Somewhere else
ActionController::Base.helpers.asset_path('fallback.png')
# => http://mycdn.com/assets/fallback.png
|
| | | | |
|
