| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
This way we can get the relative_url_root from the application without
setting another global value
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- `secrets.secret_token` is now used in all places `config.secret_token` was
- `secrets.secret_token`, when not present in `config/secrets.yml`,
now falls back to the value of `config.secret_token`
- when `secrets.secret_token` is set, it over-writes
`config.secret_token` so they are the same (for backwards-compatibility)
- Update docs to reference app.secrets in all places
- Remove references to `config.secret_token`, `config.secret_key_base`
- Warn that missing secret_key_base is deprecated
- Add tests for secret_token, key_generator, and message_verifier
- the legacy key generator is used with the message verifier when
secrets.secret_key_base is blank and secret_token is set
- app.key_generator raises when neither secrets.secret_key_base nor
secret_token are set
- app.env_config raises when neither secrets.secret_key_base nor
secret_token are set
- Add changelog
Run focused tests via
ruby -w -Itest test/application/configuration_test.rb -n '/secret_|key_/'
|
| | |
|
| |
|
|
|
| |
more agnostic Rails.application syntax. This means tests will be more
portable, and won't rely on the existence of a particular subclass.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
notices, and make the behaviors independent of the environment names.
* In Rails 2.3 apps being upgraded, you will need to add the deprecation
configuration to each of your environments. Failing to do so will
result in the same behavior as Rails 2.3, but with an outputted warning
to provide information on how to set up the setting.
* New Rails 3 applications generate the setting
* The notification style will send deprecation notices using
ActiveSupport::Notifications. Third-party tools can listen in to
these notifications to provide a streamlined view of the
deprecation notices occurring in your app.
* The payload in the notification is the deprecation warning itself
as well as the callstack from the point that triggered the
notification.
|
| |
|
|
| |
configuration in request.env. This is another step forward removing global configuration.
|
| |
|
|
| |
ActionController::Base.session_store= in favor of a config.session_store method (which takes params) and a config.cookie_secret variable, which is used in various secret scenarios. The old AC::Base options will continue to work with deprecation warnings.
|
| | |
|
| |
|
