| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
`authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In particular, the fact that ApplicationController is the only
one inheriting from AC::API is not a default. You could say at
most that generators generate them that way, but the creation
of controllers is something which is out of our control because
programmers write controllers by hand.
Instead, we can say that normally, conventionally, as in the
majority of Rails apps, that is the actually the case.
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
- skip calling helper_method if it's not there: if we don't have helpers, we needn't define one.
- tests that an api controller can include and use ActionController::Cookies
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
- Added missing `"`.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
[ci-skip]
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
[ci skip]
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
Strong ETags are desirable when you're serving byte-for-byte identical
responses that support Range requests, like PDFs or videos (typically
done by reproxying the response from a backend storage service).
Also desirable when fronted by some CDNs that support strong ETags
only, like Akamai.
* No longer strips quotes (`"`) from ETag values before comparing them.
Quotes are significant, part of the ETag. A quoted ETag and an unquoted
one are not the same entity.
* Support `If-None-Match: *`. Rarely useful for GET requests; meant
to provide some optimistic concurrency control for PUT requests.
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Related with 38d2bf5fd1f3e014f2397898d371c339baa627b1.
cc @tenderlove
|
| |/ / / /
|/| | | | |
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
jeremy/implicit-render-raises-on-browser-GET-requests-only
Are you missing that template or did you omit it on purpose?
|
| | |_|_|/
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
purpose?" heuristics
Narrows the "are you in a browser, viewing the page?" check to exclude
non-GET requests. Allows content-less APIs to use implicit responses
without having to set a fake request format.
This will need further attention. If you forget to redirect from a POST
to a GET, you'll get a 204 No Content response that browsers will
typically treat as… do nothing. It'll seem like the form just didn't
work and knowing where to start debugging is non-obvious.
On the flip side, redirecting from POST and others is the default, done
everywhere, so it's less likely to be removed or otherwise missed.
Alternatives are to do more explicit browser sniffing.
Ref #23827.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
indetical -> identical
[skip ci]
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ci skip]
This updates the 5.0 release notes guide to reflect changes that
happened after beta1 has been released.
I'll sync the other changelogs later today but I'll push this batch to
prevent against cumbersome merge conflicts.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Due to that `ActionDispatch::Flash` (the flash API's middleware) is not
included for API controllers, the `request.reset_session` method, which
relies on there being a `flash=` method which is in fact defined by the
middleware, was previously breaking. Similarly to how
add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be
overridden by the flash middleware in order to ensure non-breakage, this
is how flashes are now reset.
Fixes #24222
|
| | | | |
| | | | |
| | | | |
| | | | | |
parameters documentation [skip ci]
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Right now referencing the constant `AbstractController::Rendering`
causes `ActionView::Base` to be loaded, and thus the load hooks for
action_view are run. If that load hook references any part of action
view that then references action controller (such as
`ActionView::TestCase`), the constant `AbstractController::Rendering`
will attempt to be autoloaded and blow up.
With this change, `ActionView::LoadPaths` no longer requires
`ActionView::Base` (which it had no reason to require). There was a
needed class from `AbstractController::Base` in the Rendering module,
which I've moved into its own file so we don't need to load
all of `AbstractController::Base` there.
This commit fixes
https://github.com/rails/rails-controller-testing/issues/21
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
There was some subtle breakage caused by #18774, when we removed
`#original_exception` in favor of `#cause`. However, `#cause` is
automatically set by Ruby when raising an exception from a rescue block.
With this change, we will use whichever handler has the highest priority
(whichever call to `rescue_from` came last). In cases where the outer
has lower precidence than the cause, but the outer is what should be
handled, cause will need to be explicitly unset.
Fixes #23925
|
|\ \ \ \ \
| | | | | |
| | | | | |
| | | | | | |
Default rendering behavior if respond_to collector doesn't have a block.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
When a `respond_to` collector doesn't have a response, then a
`:no_content` response should be rendered. This brings the default
rendering behavior introduced by
https://github.com/rails/rails/issues/19036 to controller methods
employing `respond_to`
|
| | | | | |
| | | | | |
| | | | | | |
The previous order made sense [when `match` was used twice to point to two different actions](https://github.com/rails/rails/commit/7305ef842b675bf965f063de681a96294577fb84). In this case the note was misleading as posting to `/posts/:id` would still route to `show` action.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
References https://github.com/rails/homepage/issues/46.
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This method will only be added when used with Ruby 2.3.0 or greater.
This method has the same behavior as `Hash#dig`, except it will convert
hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Similar to 176fbfd6, this makes it possible for other test
frameworks to hook into Rails integration test facilities.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
Prevent not-intended loading of `ActionDispatch::IntegrationTest`
|
| | |_|/ / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
After 9d378747326d26cf1afdac4433ead22967af0984 `ActionDispatch::IntegrationTest`
class is loaded and defined in all Rails environments, not only test but also
production. This is not-intended loading of a class which is only used in
test environment.
To prevent not-intended loading, add `ActiveSupport.run_load_hooks` to
`ActionDispatch::IntegrationTest` with `action_dispatch_integration_test` name
and use it in `ActionMailer`.
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
clarify that helper_method makes both methods available in the view [ci skip]
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
It's probably obvious to most, but clarify that `:helper_method` will make both
of these methods available to the view.
|
| |_|/ / /
|/| | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Forgot to update the documentation on the line just above the one
I was changing in 4933132. Well done, Kasper :+1:
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.
Renaming to `exclude` matches this intent more closely.
|
|\ \ \ \ \
| |_|_|/ /
|/| | | | |
Change 'a HTTP' to 'an HTTP' [ci skip]
|
| | | | | |
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Follow-up to #23980.
- Fix grammar: "be remove" -> "be removed".
- Wrap lines at 80 chars.
Lurvely ;-)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This reverts changes made to integration tests in PR #23807.
The issue happens when using capybara with a driver that needs to start a
server in a separate thread like (poltergeist, selenium, etc).
Both threads the capybara server one and the test thread end running
syncronize over the interlock.
|
|\ \ \ \
| | | | |
| | | | | |
Fix typo in implicit_render
|
| | | | |
| | | | |
| | | | | |
When trying to make a request and the request doesn't have a suitable template, the new error messages are really helpful but there's a small (and I mean, VERY small) typo that has been bugging me for the last few days. This adds the space and restores order to the universe. :heart:
|
|/ / / / |
|
|\ \ \ \
| | | | |
| | | | | |
Remove load_paths file
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Deprecate :controller and :action path parameters
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|