| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|/
|
|
|
|
|
|
|
|
|
| |
This reverts commit e385e4678fc64be6e176c3bdac6641db9fe48d85.
While this option was undocumented it exists to make possible to pass
parameters to the route helpers that are reserved like `:domain`.
While `url_for(domain: 'foo.com')` would generate a URL in the `foo.com`
domain `url_for(params: { domain: 'foo.com' })` would generate a URL
with `?domain=foo.com`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Enable `Lint/UselessAssignment` cop to avoid unused variable warnings
Since we've addressed the warning "assigned but unused variable"
frequently.
370537de05092aeea552146b42042833212a1acc
3040446cece8e7a6d9e29219e636e13f180a1e03
5ed618e192e9788094bd92c51255dda1c4fd0eae
76ebafe594fc23abc3764acc7a3758ca473799e5
And also, I've found the unused args in c1b14ad which raises no warnings
by the cop, it shows the value of the cop.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since #30367, if `no-cache` includes Cache-Control headers, special keys
like `public`, `must-revalidate` are ignored.
But in my understanding, `public` still need in case of want to cache
authenticated pages.
The authenticated pages to be cacheable, but still authenticated for
every user, need to specify the `Cache-Control: public, no-cache`.
For keys other than `public`, I did not know the case where it was
necessary to use it in combination with `no-cache`, so I fixed that can
be used only for `public`.
Ref: https://www.mnot.net/cache_docs/#CACHE-CONTROL
Fixes #34780.
|
|
|
| |
If Basecamp is a Facebook-free business, then Rails should be Facebook-free framework.
|
|
|
|
| |
Ref: https://travis-ci.org/rails/rails/jobs/469956825#L1694
|
|
|
|
| |
These were unused since 11af089cee0a0e744e267d32becfe2c66a586d31 and e35b98e6f5c54330245645f2ed40d56c74538902.
|
|
|
|
|
|
|
|
|
|
| |
Currently we sometimes find a redundant begin block in code review
(e.g. https://github.com/rails/rails/pull/33604#discussion_r209784205).
I'd like to enable `Style/RedundantBegin` cop to avoid that, since
rescue/else/ensure are allowed inside do/end blocks in Ruby 2.5
(https://bugs.ruby-lang.org/issues/12906), so we'd probably meets with
that situation than before.
|
|
|
|
|
|
| |
since Ruby 2.5
https://bugs.ruby-lang.org/issues/14133
|
|
|
|
|
|
|
|
|
|
|
|
| |
This takes away the following log.
```
Error occurred while parsing request parameters.
Contents:
{:foo=>"heyo"}
```
Pass the correct value as JSON
|
|\
| |
| | |
Allow nil params on controller HTTP test methods
|
| | |
|
|/
|
|
|
| |
Just testing that `after_action` is invoked before
`prepend_after_action`.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
… by switching the initialzation of an appropriate response parser
in `ActionDispatch::TestResponse` from eagerly to lazily.
By doing so, the response parser can be correctly set for
`ActionController::TestCase`, which doesn't include
the content type header in the constructor but only sets it at
a later time.
Fixes #34676.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ActionDispatch::HostAuthorization is a new middleware that prevent
against DNS rebinding and other Host header attacks. By default it is
included only in the development environment with the following
configuration:
Rails.application.config.hosts = [
IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
IPAddr.new("::/0"), # All IPv6 addresses.
"localhost" # The localhost reserved domain.
]
In other environments, `Rails.application.config.hosts` is empty and no
Host header checks will be done. If you want to guard against header
attacks on production, you have to manually permit the allowed hosts
with:
Rails.application.config.hosts << "product.com"
The host of a request is checked against the hosts entries with the case
operator (#===), which lets hosts support entries of type RegExp,
Proc and IPAddr to name a few. Here is an example with a regexp.
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
A special case is supported that allows you to permit all sub-domains:
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << ".product.com"
|
|
|
|
|
|
| |
Parallel execution of `ForkingExecutor` is the same approach as
`Testing::Parallelization`. So do not need to have own code inside
Action Pack. Let's use an already existing feature.
|
|
|
|
|
| |
We are dealing with the rack env so it is better to specify it in the
tests.
|
|
|
|
|
| |
Raises an ArgumentError when multiple root routes are defined in the
same context instead of assigning nil names to subsequent roots.
|
|\
| |
| |
| | |
:only and :except are now chained for routing resource(s)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow chaining the :only and :except options for routing resource(s).
Previously, the following yielded routes for both show and destroy:
resource :account, :only => [:show, :destroy], :except => :destroy
This now yields only the show action. This chaining can be useful for
passing optional :except options to code that makes use of the :only
option (e.g. for a gem with its own routing methods).
|
| |
| |
| |
| | |
[Gannon McGibbon + Josh Cheek]
|
| |
| |
| |
| |
| |
| |
| |
| | |
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.
Fixes #34200.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
this method (#34210)
* Fix `ActionController::Parameters#each_value`
`each_value` should yield with "value" of the params instead of "value" as an array.
Related to #33979
* Add changelog entry about `ActionController::Parameters#each_value`.
Follow up #33979
|
| |
| |
| |
| | |
ActiveSupport::ParameterFilter
|
| |
| |
| |
| |
| |
| |
| | |
Until #34050 can be resolved
This reverts commit 7f870a5ba2aa9177aa4a0e03a9d027928ba60e49, reversing
changes made to 6556898884d636c59baae008e42783b8d3e16440.
|
|\ \
| | |
| | |
| | | |
Don't handle params option in a special way in url_for helper
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Since Rails 6.0 will support Ruby 2.4.1 or higher
`# frozen_string_literal: true` magic comment is enough to make string object frozen.
This magic comment is enabled by `Style/FrozenStringLiteralComment` cop.
* Exclude these files not to auto correct false positive `Regexp#freeze`
- 'actionpack/lib/action_dispatch/journey/router/utils.rb'
- 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb'
It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333
Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed.
* Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required
- 'actionpack/test/controller/test_case_test.rb'
- 'activemodel/test/cases/type/string_test.rb'
- 'activesupport/lib/active_support/core_ext/string/strip.rb'
- 'activesupport/test/core_ext/string_ext_test.rb'
- 'railties/test/generators/actions_test.rb'
|
|\ \ \
| | | |
| | | | |
Fix optionally scoped root route unscoped access
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This PR fixes an issue when the following situation occurs.
If you define a class like this
class MyConstraint
def call(*args)
# for some reason this is defined
end
def matches?(*args)
# checking the args
end
end
and try to use it as a constraint
get "/", to: "home#show", constraints: MyConstraint.new
if its `matches?` method returns `false` there will be an error for the
mapper will ask for the constraint arity, thinking it is a proc, lambda
or method.
This PR checks for the presence of the `arity` method on the constraint
calling it only if present, preventing the error while keeping the basic
behavior.
|
|\ \ \
| | | |
| | | | |
Added ActionController::Parameters.each_value methods
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* master:
Remove force parent loading when counter cache child is created/destroyed
Raise an error when loading all fixtures from nil fixture_path
Revert "Remove `counter_cache_target` which is no longer called"
Update counter cache in memory if parent target is existed
If association is a hash-like object preloading fails
Use the same option for create database statements between Raketask and travis.rb
Fix "warning: shadowing outer local variable - config"
Remove `counter_cache_target` which is no longer called
Fix more offences
Change the empty block style to have space inside of the block
Fix a content_for test description
Stringify database configurations
Improve error message when assign wrong attributes to model
|
| | | | | |
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This commit eagerly builds the route helper module after the routes have
been drawn and finalized. This allows us to cache the helper module but
not have to worry about people accessing the module while route
definition is "in-flight", and automatically deals with cache
invalidation as the module is regenerated anytime someone redraws the
routes.
The restriction this commit introduces is that the url helper module can
only be accessed *after* the routes are done being drawn.
Refs #24554 and #32892
|
|\ \ \ \
| |/ / /
|/| | | |
Remove deprecated catch-all route in the AV tests
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This commit removes a deprecated catch-all route in the AV tests. It
defines and includes the necessary routes for each test such that we
don't need the catch-all anymore.
This also helps push us toward #33970
|
|\ \ \ \
| | | | |
| | | | | |
Encode Content-Disposition filenames on send_data and send_file
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Remove private def
|
| | | | | | |
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`.
```ruby
# frozen_string_literal: true
require "bundler/inline"
gemfile(true) do
source "https://rubygems.org"
gem "benchmark-ips"
end
Benchmark.ips do |x|
x.report('+@') { +"" }
x.report('dup') { "".dup }
x.compare!
end
```
```
$ ruby -v benchmark.rb
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
Warming up --------------------------------------
+@ 282.289k i/100ms
dup 187.638k i/100ms
Calculating -------------------------------------
+@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s
dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s
Comparison:
+@: 6775299.3 i/s
dup: 3320400.7 i/s - 2.04x slower
```
|
|\ \ \ \ \
| |_|/ / /
|/| | | | |
Add missing test case for `redirect_to` when request includes a port.
|
| | | | | |
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
Add CSP nonce to `style-src` directive
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For nonce, only `script-src` and` style-src` are meaningful in the
definition of Content Security Policy Level 2.
https://www.w3.org/TR/CSP2/#script-src-nonce-usage
https://www.w3.org/TR/CSP2/#style-src-nonce-usage
Therefore, I think that customization function not needs and it is enough
to enable both directives inside the framework.
Fixes #32920
|
| | | | | |
|
|\ \ \ \ \
| |_|/ / /
|/| | | | |
Conditionally use `helper_method` in Flash concern
|