path: root/actionpack/test
Commit message [Author, Age, Files, Lines]
* Merge pull request #14945 from tomkadwill/form_authenticity_param_refactor [Rafael Mendonça França, 2014-05-06, 1 file, -5/+26]
      Moved 'params[request_forgery_protection_token]' into its own method and...
| * Moved 'params[request_forgery_protection_token]' into its own method and improved tests. [Tom Kadwill, 2014-05-06, 1 file, -5/+26]
* | Only accept actions without File::SEPARATOR in the name. [Rafael Mendonça França, 2014-05-06, 1 file, -1/+16]
      This will avoid directory traversal in implicit render.
      Fixes: CVE-2014-0130
      Conflicts:
          actionpack/lib/abstract_controller/base.rb
* Use assert_raises [Rafael Mendonça França, 2014-05-04, 1 file, -3/+1]
* Merge pull request #11166 from xavier/callable_constraint_verification [Rafael Mendonça França, 2014-05-04, 1 file, -0/+15]
      Callable route constraint verification
      Conflicts:
          actionpack/CHANGELOG.md
| * Verify that route constraints respond to the expected messages instead of silently failing to enforce the constraint [Xavier Defrang, 2013-06-28, 1 file, -0/+15]
* | Remove tests method for test cases when controller can be inferred. [Guo Xiang, 2014-05-03, 5 files, -21/+1]
* | Merge pull request #12651 from cespare/ipv6-remote-ip-fixes [Rafael Mendonça França, 2014-05-01, 1 file, -1/+4]
      Make remote_ip detection properly handle private IPv6 addresses
      Conflicts:
          actionpack/CHANGELOG.md
| * | Make remote_ip detection properly handle private IPv6 addresses [Caleb Spare, 2013-10-26, 1 file, -1/+4]
      Fixes #12638.
* | | Fixed an issue with migrating legacy json cookies. [Godfrey Chan, 2014-04-23, 1 file, -0/+117]
      Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies are marshal-encoded. This is not the case when `secret_token` is used in conjunction with the `:json` or `:hybrid` serializer.

      In those cases, when upgrading to use `secret_key_base`, this would cause a `TypeError: incompatible marshal file format` and a 500 error for the user.

      Fixes #14774.

      *Godfrey Chan*
* | | Make URL escaping more consistent [Andrew White, 2014-04-20, 3 files, -4/+41]
      1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
      2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
      3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
      4. Use `escape_segment` rather than `escape_path` in URL generation

      For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g. *foo) then we use `escape_path` as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a `:controller` segment is used in the path then this uses `escape_path` as the controller may be namespaced.

      Fixes #14629, #14636 and #14070.
* | | Always escape string passed to url helper. [edogawaconan, 2014-04-20, 1 file, -2/+2]
      Makes it clear that anything passed with the helper must not be percent encoded.

      Fixes previous behavior which tricks people into believing passing non-percent-encoded will generate a proper percent-encoded path while in reality it doesn't ('%' isn't escaped).

      The intention is nice but the heuristic is broken.
* | | Remove wrapper div for inputs in button_to [Rafael Mendonça França, 2014-04-17, 1 file, -1/+1]
      Related with cbb917455f306cf5818644b162f22be09f77d4b2
* | | Update Request forgery tests to remove input wrapping div [Rafael Mendonça França, 2014-04-17, 1 file, -5/+5]
      This was changed at cbb917455f306cf5818644b162f22be09f77d4b2
* | | Change the method description [Rafael Mendonça França, 2014-04-17, 1 file, -1/+1]
* | | Merge pull request #14755 from timlinquist/to_io_http_upload [Rafael Mendonça França, 2014-04-17, 1 file, -0/+6]
      Use common to_io so users can access the underlying IO object
| * | | Provide interface for accessing underlying IO object [Tim Linquist, 2014-04-15, 1 file, -0/+6]
      In some cases users may need to work with/manipulate more of the Tempfile api than provided by Upload. Allow users to get at the underlying io via the common to_io method of IO/IO-like objects
* | | | Merge pull request #14745 from razum2um/plain-text-diagnostics [Rafael Mendonça França, 2014-04-15, 1 file, -1/+2]
      Display diagnostics in text format for xhr request
| * | | | Display diagnostics in text format for xhr request [Vlad Bokov, 2014-04-14, 1 file, -1/+2]
* | | | | Merge pull request #14728 from stomar/assertion-msg [Yves Senn, 2014-04-15, 1 file, -11/+13]
      Remove surplus period from assertion messages
| * | | | Refine tests for assert_select failure messages [Marcus Stollsteimer, 2014-04-14, 1 file, -11/+13]
* / / / Return null type format when format is not known [Rafael Mendonça França, 2014-04-14, 1 file, -0/+5]
      When requesting a controller with the following code with an unknown format:

          def my_action
            respond_to do |format|
              format.json { head :ok }
              format.any { render text: 'Default response' }
            end
          end

      we should render the default response instead of raising ActionController::UnknownFormat

      Fixes #14462

      Conflicts:
          actionpack/CHANGELOG.md
          actionpack/test/controller/mime/respond_with_test.rb

      Conflicts:
          actionpack/CHANGELOG.md
* | | Add a failing test for a URL helper that was broken by a6b9ea2. [James Coglan, 2014-04-10, 1 file, -0/+18]
* | | Avoid URI parsing [Andriel Nuernberg, 2014-04-09, 1 file, -0/+7]
      This parsing is unnecessary once the Request object already has the needed information.
* | | Remove unused `subclass_controller_with_flash_type_bar` var from flash test. [Vipul A M, 2014-04-07, 1 file, -2/+2]
* | | Fix setup of adding _flash_types test. [Guo Xiang Tan, 2014-04-06, 1 file, -6/+15]
      Adding flash types to a controller within any of the tests will result in a global state change of the controller under test.

      This patch will prevent state leaks and allow us to run the test in random order.
* | | Append link to bad code to backtrace when exception is SyntaxError [Boris Kuznetsov, 2014-03-27, 1 file, -0/+35]
* | | Update test helper to use latest Digestor API [David Heinemeier Hansson, 2014-03-21, 1 file, -8/+8]
* | | Cleaning and adding tests for Session [Attila Domokos, 2014-03-19, 1 file, -7/+34]
      Adding tests for Session `destroy`, `update` and `delete` methods.
      No changes for code under test.
* | | Merge pull request #14090 from Fortisque/kevin/stream_error_in_main_thread_if_not_committed [Aaron Patterson, 2014-03-17, 1 file, -0/+19]
      re-raise error if error occurs before committing in streaming
| * | | re-raise error if error occurs before committing in streaming [Kevin Casey, 2014-03-14, 1 file, -0/+19]
      update the tests, using an if-else
* | | | Add an explicit require for 4ece124396669d3580e7f229ab407a0d4882727a rather than assume SecureRandom is available [Jeremy Kemper, 2014-03-16, 1 file, -0/+1]
* | | | Avoid concurrent test collision on the same memcache server by namespacing keys [Jeremy Kemper, 2014-03-16, 1 file, -1/+1]
* | | | Use nested_scope? not shallow? to determine whether to copy options [Andrew White, 2014-03-16, 1 file, -0/+36]
      The method `shallow?` returns false if the parent resource is a singleton so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents.

      Fixes #14388.
* | | | Merge pull request #14329 from pch/digestor-lookup-fix [Rafael Mendonça França, 2014-03-14, 2 files, -0/+24]
      Ensure LookupContext in Digestor selects correct variant
| * | | Don't pass variant in params, it's ignored [Łukasz Strzałkowski, 2014-03-13, 1 file, -1/+1]
      We're setting variant above, in request object directly
| * | | Ensure LookupContext in Digestor selects correct variant [Piotr Chmolowski, 2014-03-09, 2 files, -0/+24]
      Related to: #14242 #14243 14293

      Variants passed to LookupContext#find() seem to be ignored, so I've used the setter instead: `finder.variants = [ variant ]`.

      I've also added some more test cases for variants. Hopefully this time passing tests will mean it actually works.
* | | | use the body proxy to freeze headers [Aaron Patterson, 2014-03-12, 2 files, -4/+16]
      avoid freezing the headers until the web server has actually read data from the body proxy. Once the webserver has read data, then we should throw an error if someone tries to set a header
* | | | only write the jar if the response isn't committed [Aaron Patterson, 2014-03-12, 2 files, -0/+14]
      when streaming responses, we need to make sure the cookie jar is written to the headers before returning up the stack. This commit introduces a new method on the response object that writes the cookie jar to the headers as the response is committed. The middleware and test framework will not write the cookie headers if the response has already been committed.

      fixes #14352
* | | Copy shallow options from normal options when using scope [Andrew White, 2014-03-08, 1 file, -0/+48]
      If the options :shallow_prefix and :shallow_path are not set in the scope options then copy them from the normal :as and :path options if they are set.
* | | Pull namespace defaults out of the options hash [Andrew White, 2014-03-08, 1 file, -0/+130]
      If a developer has specified either :path or :as in the options hash then these should be used as the defaults for :shallow_path and :shallow_prefix.

      Fixes #14241.
* | | Only use shallow nested scope when depth is > 1 [Andrew White, 2014-03-08, 1 file, -0/+60]
      By tracking the depth of resource nesting we can push the need for nested shallow scoping to only those routes that are nested more than one deep. This allows us to keep the fix for #12498 and fix the regression in #14224.

      Fixes #14224.
* | | Merge pull request #14280 from joho/make_csrf_failure_logging_optional [Santiago Pastorino, 2014-03-08, 1 file, -0/+16]
      Make CSRF failure logging optional/configurable.
| * | | Make CSRF failure logging optional/configurable. [John Barton (joho), 2014-03-05, 1 file, -0/+16]
      Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* | | | Do not remove `Content-Type` when `render :body` [Prem Sichanugrist, 2014-03-05, 2 files, -25/+12]
      `render :body` should just not set the `Content-Type` header. By removing the header, it breaks the compatibility with other parts.

      After this commit, `render :body` will return `text/html` content type, set by default from `ActionDispatch::Response`, and it will preserve the overridden content type if you override it.

      Fixes #14197, #14238

      This partially reverts commit 3047376870d4a7adc7ff15c3cb4852e073c8f1da.
* | | Variants in ActionView::Digestor [Piotr Chmolowski, 2014-03-04, 1 file, -2/+2]
      Take variants into account when calculating template digests in ActionView::Digest.

      Digestor#digest now takes a hash as an argument to support variants and allow more flexibility in the future. Old-style arguments have been deprecated.

      Fixes #14242
* | | Refactor tests from BaseRackTest into BaseRequestTest [Zachary Scott, 2014-03-01, 2 files, -370/+386]
* | | make sure we wait for the threads to shut down before asserting closure [Aaron Patterson, 2014-02-28, 1 file, -0/+1]
* | | use built-in exception handling in live controllers [Aaron Patterson, 2014-02-28, 1 file, -15/+17]
      when an exception happens in an action before the response has been committed, then we should re-raise the exception in the main thread. This lets us reuse the existing exception handling.
* | | live controllers should have live responses [Aaron Patterson, 2014-02-28, 1 file, -13/+2]
      detect the type of controller we're testing and return the right type of response based on that controller. This allows us to stop doing the weird sleep thing.