aboutsummaryrefslogtreecommitdiffstats
path: root/railties/lib/rails/application/configuration.rb
Commit message (Collapse)AuthorAgeFilesLines
* Move SourceAnnotationExtractor under Rails modulePrem Sichanugrist2018-03-221-1/+1
| | | | This class should be under Rails module as it belongs to Rails.
* Don't enforce UTF-8 by defaultAndrew White2018-02-271-0/+3
| | | | | | With the disabling of TLS 1.0 by most major websites, continuing to run IE8 or lower becomes increasingly difficult so default to not enforcing UTF-8 encoding as it's not relevant to other browsers.
* Revert "Merge pull request #32075 from eileencodes/delete-default-configuration"eileencodes2018-02-221-1/+0
| | | | | | | | | | This reverts commit 16f279ebd474626577ced858e3626ac4535a33df, reversing changes made to 6c6a30a7c357ce1eafa093d77d2b08684fe50887. The config can be named anything, not just default (although all generated apps will be named default). We can't just delete configs that don't have a database because that will break three-tier configs. Oh well.
* Revert "Reject empty database yamls"eileencodes2018-02-221-1/+1
| | | | | | | | | | | | This reverts commit 0979713abe2e22083e1beca01a1d113408c9ab36. I originally wanted to delete the default config but found out it can be called anything which means the code would blow up in unexpected ways. I thought "cool ill just delete the configs without dbs" and realized that totally 100% breaks the three-tier config. So I'm reverting this and the other commit.
* Merge pull request #32018 from rails/add-nonce-support-to-cspAndrew White2018-02-221-37/+38
|\ | | | | Add support for automatic nonce generation for Rails UJS
| * Add support for automatic nonce generation for Rails UJSAndrew White2018-02-191-37/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.
* | Reject empty database yamlseileencodes2018-02-221-1/+1
| | | | | | | | | | | | | | | | In #32075 I deleted the default configuration since that's what's generated with the Rails app. Since someone could change the default name instead delete any config that doesn't have a database so we can avoid peppering our Rails tasks with conditionals to deal with invalid database configs.
* | Merge pull request #32075 from eileencodes/delete-default-configurationEileen M. Uchitelle2018-02-211-0/+1
|\ \ | |/ |/| Delete default configuration
| * Delete default configurationeileencodes2018-02-211-0/+1
| | | | | | | | | | | | | | Because of this default configuration we're constantly checking if the database exists when looping through configurations. This is unnecessary and we should just delete it before we need to loop through configurations.
* | Don't accidentally create an empty CSPAndrew White2018-02-191-1/+5
|/ | | | | | Setting up the request environment was accidentally creating a CSP as a consequence of accessing the option - only set the instance variable if a block is passed.
* Do not update `load_defaults` version when running `app:update` (#31951)Yuji Yaginuma2018-02-131-1/+4
| | | | | Incompatible settings are included in the settings set by `load_defaults`. So, I think that target version should be updated by a user when becomes available, and should not be updated with `app:update`.
* Fix `RuntimeError: Unknown version "6.0"`Yuji Yaginuma2018-01-311-0/+3
|
* Use SHA-1 for non-sensitive digests by defaultEugene Kenny2018-01-081-0/+1
| | | | | | Instead of providing a configuration option to set the hash function, switch to SHA-1 for new apps and allow upgrading apps to opt in later via `new_framework_defaults_5_2.rb`.
* Raise an error only when `require_master_key` is specifiedyuuji.yaginuma2017-12-181-1/+3
| | | | | | | | | To prevent errors from being raise in environments where credentials is unnecessary. Context: https://github.com/rails/rails/issues/31283#issuecomment-348801489 Fixes #31283
* Make form_with_generates_ids default value to be falseRafael Mendonça França2017-11-271-4/+0
| | | | | This will keep the behavior of an application with the defaults of a 4.2 or 5.0 application behaving the same when upgrading to 5.2.
* Add DSL for configuring Content-Security-Policy headerAndrew White2017-11-271-33/+39
| | | | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
* Remove duplicated `form_with_generates_remote_forms` settingyuuji.yaginuma2017-11-261-1/+0
| | | | | When load `5.1` config, `form_with_generates_remote_forms` is set. https://github.com/rails/rails/blob/89a209f1abba5a2320d31c4898dea150c0abd0c0/railties/lib/rails/application/configuration.rb#L86
* Make form_with_generates_ids default in Rails 5.2Rafael Mendonça França2017-11-251-2/+7
| | | | | When the defaults being loaded are the 5.0 or 5.1 we disable generation of ids with form_with.
* Change `form_with` to generates ids by defaultnpezza932017-11-251-0/+1
| | | | | | | | | | When `form_with` was introduced we disabled the automatic generation of ids that was enabled in `form_for`. This usually is not an good idea since labels don't work when the input doesn't have an id and it made harder to test with Capybara. You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids` to `false.`
* [Railties] require_relative => requireAkira Matsuda2017-10-211-2/+2
| | | | This basically reverts 618268b4b9382f4bcf004a945fe2d85c0bd03e32
* Use tt in doc for railties [skip ci]Yoshiyuki Hirano2017-08-271-1/+1
|
* Adding frozen_string_literal pragma to Railties.Pat Allan2017-08-141-0/+2
|
* Change sqlite3 boolean serialization to use 1 and 0Lisa Ugray2017-07-111-0/+4
| | | | | | | | | | | | | | | | | | | | Abstract boolean serialization has been using 't' and 'f', with MySQL overriding that to use 1 and 0. This has the advantage that SQLite natively recognizes 1 and 0 as true and false, but does not natively recognize 't' and 'f'. This change in serialization requires a migration of stored boolean data for SQLite databases, so it's implemented behind a configuration flag whose default false value is deprecated. The flag itself can be deprecated in a future version of Rails. While loaded models will give the correct result for boolean columns without migrating old data, where() clauses will interact incorrectly with old data. While working in this area, also change the abstract adapter to use `"TRUE"` and `"FALSE"` as quoted values and `true` and `false` for unquoted. These are supported by PostreSQL, and MySQL remains overriden.
* Protect from forgery by defaultLisa Ugray2017-07-101-0/+4
| | | | | | | | Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.
* [Railties] require => require_relativeAkira Matsuda2017-07-011-2/+2
|
* set message_encryptor default cipher to aes-256-gcmAssain2017-06-121-0/+4
| | | | - Introduce a method to select default cipher, and maintain backward compatibility
* AEAD encrypted cookies and sessionsMichael Coyne2017-05-221-0/+4
| | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
* Use recyclable cache keys (#29092)David Heinemeier Hansson2017-05-181-0/+8
|
* Added a shared section to config/database.yml that will be loaded for all ↵Pierre Schambacher2017-04-261-1/+8
| | | | environments
* Apply the log_level defaultRafael Mendonça França2017-03-271-7/+2
| | | | | | | | Since 4.2 the default log level in production is now debug. We removed the deprecation in c2e865849beadd99866e521a93d733da7d1b5255 but we don't reflected the default value. We are not appling it. Closes #28558
* Start Rails 5.2 developmentMatthew Draper2017-03-221-0/+3
|
* Correctly check whether key is defined in configurationyuuji.yaginuma2017-03-191-3/+3
| | | | | | | | | | | | | It can not check correctly with `defined?` ```ruby irb(main):001:0> Rails.application.config.active_record => {:maintain_test_schema=>true, :belongs_to_required_by_default=>true} irb(main):002:0> defined?(Rails.application.config.active_record) => nil ``` Follow up to #28469
* Track the version-compatible config settings inside railtiesMatthew Draper2017-03-181-0/+28
| | | | | | | | | | | | | | | | Instead of forcing new applications to carry an initializer that just switches things to what their default "should" be, we can handle it internally. The initializer is then only used by upgraders: it shows what the new default would be (commented out), while their upgraded application continues to operate as it did before. Under this model, a multiply-upgraded application could accumulate several new_framework_defaults_*.rb files, for each release series it has traversed. A given release series only needs to generate the latest, though, because we don't support `rails app:upgrade` while skipping releases.
* Revert "Revert "Add encrypted secrets""Kasper Timm Hansen2017-02-231-2/+4
|
* Revert "Add encrypted secrets" (#28127)David Heinemeier Hansson2017-02-231-4/+2
|
* Add encrypted secrets (#28038)Kasper Timm Hansen2017-02-231-2/+4
|
* Merge pull request #27652 from y-yagi/remove_unused_requireRafael França2017-01-111-2/+0
|\ | | | | remove unused requires
| * remove unused requiresyuuji.yaginuma2017-01-121-2/+0
| | | | | | | | Related to 0129ca2eeb6d5b2ea8c6e6be38eeb770fe45f1fa, f7782812f7e727178e4a743aa2874c078b722eef, f9ed83321ac1d1902578a0aacdfe55d3db754219
* | Current default Rails app encoding "utf-8" looks more like a W3C charset ↵Akira Matsuda2017-01-111-1/+1
|/ | | | than a ruby encoding
* `self.` is not needed when calling its own instance methodAkira Matsuda2017-01-051-1/+1
| | | | Actually, private methods cannot be called with `self.`, so it's not just redundant, it's a bad habit in Ruby
* Remove deprecated config.serve_static_filesRafael Mendonça França2017-01-031-19/+0
|
* Remove deprecated `config.static_cache_control`Rafael Mendonça França2017-01-031-12/+1
|
* applies new string literal convention in railties/libXavier Noria2016-08-061-7/+7
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Suppress warningsyui-knk2016-07-311-0/+1
| | | | | | | This commit suppressed `warning: instance variable @session_store not initialized`. e5a6f7ee9e951dbe0e4e9ea2c0743b4dfb135c57 introduced these warnings.
* Merge pull request #25438 from prathamesh-sonpatki/rm-session-store-initializerRafael Mendonça França2016-07-201-11/+17
|\ | | | | | | Setup default session store internally, no longer through an initializer
| * Setup default session store internally, no longer through an application ↵Prathamesh Sonpatki2016-07-171-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | initializer - By default the session store will be set to cookie store with application name as session key. - Older apps are not affected as they will have the session store initializer generated by Rails in older versions, and Rails will not overwrite the session store if it is already set or disabled. - But new apps will not have the initializer, instead the session store will be set to cookie store by default. - Based on comment by DHH here - https://github.com/rails/rails/issues/25181#issuecomment-222312764.
| * Refactor the existing session_store to use keyword args and raise early when ↵Prathamesh Sonpatki2016-07-171-9/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | set to activerecord session store - Use keyword args as it is possible to use them now. - The error message for activerecord-session_store gem was added in 1807384. - But it was added for a code path which gets called when we try to **access** the session store, not when we **set** it. - So the test expecting the exception started failing because now the session store is set via railtie again **after** setting it first with :active_record_store in the test. - As the error is not raised while setting the store to :active_record_store, the store gets overwritten by railtie and when we access it via `session_store` while building the default middleware stack, the exception is not raised. - This commit moves the code for raising the exception to the path where we try to set the store.
| * Introduce a new method for checking whether session_store is set by user or ↵Prathamesh Sonpatki2016-07-171-0/+4
|/ | | | | | | | | | | by Rails - We need to ability to check whether the session store it is set or not so that we can set it ourselves in an internal initializer. - We can't rely on return value of `config.session_store` as it can return `nil` when set to `disabled` and we will accidentally override it and set to default cookie store. - So introduced new method which just tells us whether it is set or not.
* implement respond_to_missing? to match method_missingDavid Feldman2016-07-051-0/+4
|
* Initialize the configuration with a valueRafael Mendonça França2016-06-221-1/+2
| | | | | | | This will fix the failures fixed by 41488adbb89a09fa96188486f8414842ff28c848 and keep this new option that is semi-private outside of the generated configurations
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-22 13:31:14 +0000