| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
In #18721 we removed the discard key from the session hash used to flash
messages and that broke compatibility with Rails 4 applications because they
try to map in the discarded flash messages and it returns nil.
Fixes #24726.
|
|\
| |
| | |
BoomerAPI is not used anywhere, so removed it!
|
| |
| |
| |
| |
| | |
- It was originally added in 83b4e9073f0852afc065 and partially
removed in 05d89410bf97d0778e7.
|
|\ \
| |/
|/|
| |
| |
| |
| | |
rthbound/dont-call-each-when-calling-body-on-response
Dont call each when calling body on response to fix #23964
Fixes #23964
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Adds #each_chunk to ActionDispatch::Response. it's a method which
will be called by ActionDispatch::Response#each.
- Make Response#each a proper method instead of delegating to @stream
- In Live, instead of overriding #each, override #each_chunk.
- `#each` should just spit out @str_body if it's already set
- Adds #test_set_header_after_read_body_during_action
to prove this fixes #23964
- Adds #test_each_isnt_called_if_str_body_is_written to
ensure #each_chunk is not called when @str_body is available
- Call `@response.sent!` in AC::TestCase's #perform so a test response
acts a bit more like a real response. Makes test that call `#assert_stream_closed`
pass again.
- Additionally assert `#committed?` in `#assert_stream_closed`
- Make test that was calling @response.stream.each pass again by
calling @response.each instead.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is a common pattern in the Rails community that when people want to
:xa
use any kind of helper that is defined inside app/helpers they includes
the helper module inside the controller like:
module UserHelper
def my_user_helper
# ...
end
end
class UsersController < ApplicationController
include UserHelper
def index
render inline: my_user_helper
end
end
This has problem because the helper can't access anything that is
defined in the view level context class.
Also all public methods of the helper become available in the controller
what can lead to undesirable methods being routed and behaving as
actions.
Also if you helper depends on other helpers or even Action View helpers
you need to include each one of these dependencies in your controller
otherwise your helper is not going to work.
We already have a helpers proxy at controller class level but that proxy
doesn't have access to the instance variables defined in the
controller.
With this new instance level helper proxy users can reuse helpers in the
controller without having to include the modules and with access to
instance variables defined in the controller.
class UsersController < ApplicationController
def index
render inline: helpers.my_user_helper
end
end
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There were a lot of protected instance variables in
AbsctractController::Rendering that were related to Action Controller
and Action View.
Moving to ActionController::Base's protected instance list we make it
closer to where they are really defined.
|
|\ \
| | |
| | | |
Ensure compatibility between ActionDispatch::Request::Session and Rack
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adding the `each` method is required for ensuring compatibility between
Rails, and other Rack frameworks (like Sinatra, etc.), that are mounted
within Rails, and wish to use its session tooling. Prior to this, there
was an inconsistency between ActionDispatch::Request::Session and
Rack::Session::Cookie, due to the absence of the `each` method. This
should hopefully fix that error. :)
For a full integration test with Sinatra and a standalone Rack
application, you can check out the gist for that here: https://gist.github.com/maclover7/08cd95b0bfe259465314311941326470.
Solves #15843.
|
| | |
| | |
| | |
| | | |
[ci skip]
|
|\ \ \
| |/ /
|/| | |
Fix actionpack typos [ci skip]
|
| | | |
|
|\ \ \
| | | |
| | | | |
Fix actionpack typos [ci skip]
|
| |/ / |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Last August (2015), @tenderlove worked to remove all `@env[]` and `@env[]=`, in
favor of using `set_header`, `get_header`, etc. (Here's an [example
commit](https://github.com/rails/rails/commit/f16a33b68efc3dc57cfafa27651b9a765e363fbf)).
This PR should remove the last uses of these methods, and fully convert
them to the newly standardized API.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I always appreciate having a bit more information as to why something is
now an error. We can use this error to tell people why what they were
previously doing is insecure and give them hints on how to fix it.
Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
|
|\ \ \
| | | |
| | | |
| | | | |
Discart the schema and host information when building the per-form token
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.
To fix this we use the same information to generate the token and check
it.
Fix #24257
|
|\ \ \
| | | |
| | | |
| | | | |
Refactor handling of :action default in routing
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The longstanding convention in Rails is that if the :action parameter
is missing or nil then it defaults to 'index'. Up until Rails 5.0.0.beta1
this was handled slightly differently than other routing defaults by
deleting it from the route options and adding it to the recall parameters.
With the recent focus of removing unnecessary duplications this has
exposed a problem in this strategy - we are now mutating the request's
path parameters and causing problems for later url generation. This will
typically affect url_for rather a named url helper since the latter
explicitly pass :controller, :action, etc.
The fix is to add a default for :action in the route class if the path
contains an :action segment and no default is passed. This change also
revealed an issue with the parameterized part expiry in that it doesn't
follow a right to left order - as soon as a dynamic segment is required
then all other segments become required.
Fixes #23019.
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
prathamesh-sonpatki/deprecate-request_via_redirect
Deprecate `request_via_redirect` method.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
- Followup of https://github.com/rails/rails/issues/18693.
- I think we missed deprecating `request_via_redirect` in that pull
request.
- Originally requested by DHH here
https://github.com/rails/rails/issues/18333.
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
Actionpack documentation typos [ci skip]
|
| | |/ /
| |/| | |
|
|\ \ \ \
| | | | |
| | | | | |
Actioncable and Actionpack documentation typos [ci skip]
|
| |/ / / |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, users were trying to modify a frozen Hash. Includes a
regression test :)
Fixes #22975
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | | |
samphilipd/sam/do_not_clobber_options_in_route_definitions
Do not destructively mutate passed options hash in route definitions
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- Fixes #24030
An example scope might be specified as such:
```ruby
HTML = { constraints: { format: :html } }.freeze
scope HTML do
get 'x'
end
```
This currently raises an error because the mapper attempts to
destructively modify the passed options hash. This is dangerous because
this options hash might even be shared with other scopes.
We should instead always instantiate a new object instead of modifying
the passed options.
|
| | | |
| | | |
| | | | |
Add missing period after sentence.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This brings the behavior more inline with other similar cases, such as
receiving a hash when an array of scalars was expected. Prior to this
commit, the key would be present, but the value would be `nil`
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | |
| | | | | |
extension synonyms yml and yaml
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Encourage best practice in the HTTP Token authentication example code
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
`authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In particular, the fact that ApplicationController is the only
one inheriting from AC::API is not a default. You could say at
most that generators generate them that way, but the creation
of controllers is something which is out of our control because
programmers write controllers by hand.
Instead, we can say that normally, conventionally, as in the
majority of Rails apps, that is the actually the case.
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
- skip calling helper_method if it's not there: if we don't have helpers, we needn't define one.
- tests that an api controller can include and use ActionController::Cookies
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
- Added missing `"`.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
[ci-skip]
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
[ci skip]
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
Strong ETags are desirable when you're serving byte-for-byte identical
responses that support Range requests, like PDFs or videos (typically
done by reproxying the response from a backend storage service).
Also desirable when fronted by some CDNs that support strong ETags
only, like Akamai.
* No longer strips quotes (`"`) from ETag values before comparing them.
Quotes are significant, part of the ETag. A quoted ETag and an unquoted
one are not the same entity.
* Support `If-None-Match: *`. Rarely useful for GET requests; meant
to provide some optimistic concurrency control for PUT requests.
|
| | | | | | |
|