| Commit message (Collapse) | Author | Age | Files | Lines |
Remove deprecated catch-all route in the AV tests
|
This commit removes a deprecated catch-all route in the AV tests. It
defines and includes the necessary routes for each test such that we
don't need the catch-all anymore.
This also helps push us toward #33970
|
Encode Content-Disposition filenames on send_data and send_file
|
Remove private def
|
In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`.
```ruby
# frozen_string_literal: true
require "bundler/inline"

gemfile(true) do
  source "https://rubygems.org"
  gem "benchmark-ips"
end

Benchmark.ips do |x|
  x.report('+@') { +"" }
  x.report('dup') { "".dup }
  x.compare!
end
```
```
$ ruby -v benchmark.rb
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
Warming up --------------------------------------
+@ 282.289k i/100ms
dup 187.638k i/100ms
Calculating -------------------------------------
+@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s
dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s
Comparison:
+@: 6775299.3 i/s
dup: 3320400.7 i/s - 2.04x slower
```
|
Add missing test case for `redirect_to` when request includes a port.
|
Add CSP nonce to `style-src` directive
|
For nonce, only `script-src` and `style-src` are meaningful in the
definition of Content Security Policy Level 2.
https://www.w3.org/TR/CSP2/#script-src-nonce-usage
https://www.w3.org/TR/CSP2/#style-src-nonce-usage
Therefore, I think that a customization function is not needed and it is enough
to enable both directives inside the framework.
Fixes #32920
|
Conditionally use `helper_method` in Flash concern
|
I was attempting to use the `flash` functionality in a `Metal`
controller. When including the `flash` concern I received the following
error:
NoMethodError: undefined method `helper_method'....
Either:
- `AbstractController::Helpers` should be a dependency of
`ActionController::Flash`
- `ActionController::Flash` should not require the existence of
`AbstractController::Helpers`.
Since my use case (set a flash and redirect) has no need for the helper
method and that is a common use case, making the dependency conditional
seemed the better option.
NOTE: This is similar to issue #21067 only the error is within Rails
itself while that issue had the error within Devise.
|
Finish converting whitelist and blacklist references
|
* Call block to #redirect_to in controller context
The documentation for ActionController::Redirecting states that a Proc
argument "will be executed in the controller's context." However,
unless #instance_eval is used (removed in 6b3ad0ca), that statement is
false for procs defined outside of the controller instance.
This commit restores the documented behavior.
Fixes #33731.
* Move test proc into a constant in another class
Per @rafaelfranca's suggestion.
[Steven Peckins + Rafael Mendonça França]
|
use BacktraceCleaner for ActiveRecord verbose logging
|
Purpose metadata prevents cookie values from being
copy-pasted and ensures that the cookie is used only
for its originally intended purpose.
The Purpose and Expiry metadata are embedded inside signed/encrypted
cookies and will not be readable on previous versions of Rails.
We can switch off purpose and expiry metadata embedded in
signed and encrypted cookies using
config.action_dispatch.use_cookies_with_metadata = false
if you want your cookies to be readable on older versions of Rails.
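The effect of purpose and expiry metadata, as an added example that is not part of the commit and not Rails' own implementation: a minimal HMAC-signed token built with the Ruby standard library. The secret, the token layout and the `cookie.<name>` purpose strings are constructed for illustration.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # constructed key for this illustration

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Constant-time comparison of two strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a value together with its purpose (hypothetical: the cookie name)
# and an optional expiry, so both are covered by the signature.
def sign(value, purpose: nil, expires_at: nil)
  envelope = JSON.generate("v" => value, "pur" => purpose, "exp" => expires_at)
  payload = [envelope].pack("m0") # strict Base64, no newlines
  "#{payload}--#{hmac(payload)}"
end

# Return the value only when the signature checks out, the purpose matches
# and the token has not expired; otherwise nil.
def verify(token, purpose: nil, now: Time.now.to_i)
  payload, digest = token.to_s.split("--", 2)
  return nil unless payload && digest && secure_equal?(hmac(payload), digest)
  data = JSON.parse(payload.unpack1("m0"))
  return nil unless data["pur"] == purpose
  return nil if data["exp"] && data["exp"] < now
  data["v"]
end

# Without metadata, a value signed for one cookie verifies under any other.
legacy = sign(42)
puts verify(legacy).inspect

# With metadata, the value copied from "user_id" into "admin_id" is rejected.
user_cookie = sign(42, purpose: "cookie.user_id", expires_at: 2_000_000_000)
puts verify(user_cookie, purpose: "cookie.user_id", now: 1_900_000_000).inspect
puts verify(user_cookie, purpose: "cookie.admin_id", now: 1_900_000_000).inspect
```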
|
Default content type for `head` is `text/html`
|
Otherwise Mime::NullType will be returned as the `Content-Type` header.
|
Raises exception when respond_to called multiple times in incompatible way
|
Nesting respond_to calls can lead to unexpected behavior, so it should be
avoided. Currently, the first respond_to format match sets the content-type
for the resulting response. But, if a nested respond_to occurs, it is possible
to match on a different format. For example:
    respond_to do |outer_type|
      outer_type.js do
        respond_to do |inner_type|
          inner_type.html { render body: "HTML" }
        end
      end
    end
Browsers will often include */* in their Accept headers. In the above example,
such a request would result in the outer_type.js match setting the content-
type of the response to text/javascript, while the inner_type.html match will
cause the actual response to return "HTML".
This change tries to minimize potential breakage by only raising an exception
if the nested respond_to calls are in conflict with each other. So, something
like the following example would not raise an exception:
    respond_to do |outer_type|
      outer_type.js do
        respond_to do |inner_type|
          inner_type.js { render body: "JS" }
        end
      end
    end
While the above is nested, it doesn't affect the content-type of the response.
|
PR#32381 added Rubocop's comments to some test files in order to
exclude `Performance/RedundantMerge`.
Turn off `Performance` cops for test files via `Exclude`
in `.rubocop.yml`.
Context https://github.com/rails/rails/pull/32381#discussion_r205212331
|
Turn on performance based cops
|
Use attr_reader/attr_writer instead of methods
method is 12% slower
Use flat_map over map.flatten(1)
flatten is 66% slower
Use hash[]= instead of hash.merge! with single arguments
merge! is 166% slower
See https://github.com/rails/rails/pull/32337 for more conversation
|
http links will be redirected to the https version, but still better to
just directly link to the https version.
|
* Add implicit to path conversion to uploaded file
Ruby has a few implicit conversion protocols (e.g. `to_hash`, `to_str`,
`to_path`, etc.). These are considered implicit conversion protocols
because in certain instances Ruby (MRI core objects) will check if an
argument responds to the appropriate protocol and automatically convert
it when it does; this is why you can provide a `Pathname` instance into
`File.read` without having to explicitly call `to_s`.
```ruby
require "pathname"
require "tempfile"

# A String path works directly.
a_file_path = 'some/path/file.ext'
File.write a_file_path, 'String Path Content'
File.read a_file_path

# A Pathname is converted implicitly via `to_path`.
a_pathname = Pathname(a_file_path)
File.write a_pathname, 'Pathname Content'
File.read a_pathname

# So is a File ...
core_file = File.new(a_pathname)
File.write core_file, 'File Content'
File.read core_file

# ... and a Tempfile.
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Tempfile Content'
File.read tmp_file
```
So how does an uploaded file work in such cases?
```ruby
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Uploaded Content'
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
File.read uploaded_file
```
It fails with a `TypeError`:
no implicit conversion of ActionDispatch::Http::UploadedFile into String
In order to make an uploaded file work it must be explicitly converted
to a file path using `path`.
```ruby
File.read uploaded_file.path
```
This requires any code that expects path/file like objects to either
special case an uploaded file, re-implement the path conversion protocol
to use `path`, or force the developer to explicitly cast uploaded files
to paths. This last option can sometimes be difficult to do when such
calls are deep within the inner workings of libraries.
Since an uploaded file already has a path it makes sense to implement
the implicit "path" conversion protocol (just like `File` and
`Tempfile`). This change allows uploaded file content to be treated more
closely to regular file content, without requiring any special case
handling or explicit conversion for common file utilities.
* Note uploaded file path delegation in CHANGELOG
|
Show nested exceptions on the debug view
|
When a `get` method is called with `as: :json` and `params: nil` or
`params: false` (explicitly or implicitly),
`RequestEncoder#encode_params` converts it into a `null` or `false`
value which includes an unexpected `null=` or `false` query string in the
request URL. From now on `RequestEncoder#encode_params` checks whether
`params` is nil or not otherwise returns.
Move down `nil` conversion guard
Update CHANGELOG.md
|
e4e1b62 broke `to_param` handling:
|
- There was an issue inside controller tests where order params were not respected, the reason
was because we were calling `Hash#to_query` which sorts the results lexicographically.
1e4e1b62 fixed that issue by not using `to_query` but instead a utility function provided by rack.
- However with the fix came another issue where it's now no longer possible to do this
```
post :foo, params: { user: User.first }
# Prior to the patch the controller will receive { "user" => "1" }
# Whereas now you get { "user": "#<User: ...>" }
```
The fix in this PR is to modify `Hash#to_query` to sort only when it
doesn't contain an array structure that looks something like "bar[]"
Ref https://github.com/rails/rails/pull/33341#issuecomment-404039396
|
We sometimes ask "✂️ extra blank lines" to a contributor in reviews like
https://github.com/rails/rails/pull/33337#discussion_r201509738.
It is preferable to deal automatically without depending on manpower.
|
* Allow get arguments for follow_redirect
Now all arguments passed to `follow_redirect!` are passed to the
underlying `get` method. This allows, for example, setting custom headers
for the redirection request to the server.
This is especially useful for setting headers that may, outside of the
testing environment, be set automatically on every request, i.e. by a
web application firewall.
* Allow get arguments for follow_redirect
[Remo Fritzsche + Rafael Mendonça França]
|
* Convert hashes into parameters
Ensure `ActionController::Parameters#transform_values` and
`ActionController::Parameters#transform_values!` convert hashes into
parameters.
* fixup! Convert hashes into parameters
[Rafael Mendonça França + Kevin Sjöberg]
|
Add support for more HTTP cache controls
|
From <https://tools.ietf.org/html/rfc5861>:
> The stale-if-error HTTP Cache-Control extension allows a cache to
> return a stale response when an error -- e.g., a 500 Internal Server
> Error, a network segment, or DNS failure -- is encountered, rather
> than returning a "hard" error. This improves availability.
>
> The stale-while-revalidate HTTP Cache-Control extension allows a
> cache to immediately return a stale response while it revalidates it
> in the background, thereby hiding latency (both in the network and on
> the server) from clients.
These are useful, fully standardized parts of the HTTP protocol with
widespread support among CDN vendors. Supporting them will make it
easier to utilize reverse proxies and CDNs from Rails.
|
Journey's scanner tokenizes the `|` (:OR) operator when scanning route
urls such as `"/:foo|*bar"`. However, the current scanner test does not
have any test cases for the `|` operator. This commit adds a test case
for this particular token.
|
https://codeclimate.com/github/rails/rails/issues
`bundle exec rubocop -a`
Related to e4e1b62007fe40c4277ebc30067837a91bf25967
|
Modifies the routes simulator to allow for empty RouteSets, which are
created when secondary Engines are loaded.
|
`to_query` sorts parameters before encoding them. This causes a round
tripping issue as noted here:
https://github.com/rails/rails/issues/23997#issuecomment-328297933
https://github.com/rails/rails/issues/10529#issuecomment-328298109
https://github.com/rails/rails/pull/30558
Unfortunately, that method is being used to generate cache keys, so its
results need to be stable:
https://github.com/rails/rails/commit/10dec0e65e1f4d87f411b4361045eba86b121be9
However, the test harness is only using `to_query` to encode parameters
before sending them to the controller so the "cache key" use case doesn't
apply here.
This commit adds a test that demonstrates the round trip problems and
changes the serialization strategy to use Rack for encoding the
parameters rather than `to_query`.
|
Follow up of #32605.
|
Specification: https://w3c.github.io/webappsec-csp/#directive-prefetch-src
This directive can already be used as an experimental feature in Chrome.
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=801561
|