| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
notices, and make the behaviors independent of the environment names.
* In Rails 2.3 apps being upgraded, you will need to add the deprecation
configuration to each of your environments. Failing to do so will
result in the same behavior as Rails 2.3, but with an outputted warning
to provide information on how to set up the setting.
* New Rails 3 applications generate the setting
* The notification style will send deprecation notices using
ActiveSupport::Notifications. Third-party tools can listen in to
these notifications to provide a streamlined view of the
deprecation notices occurring in your app.
* The payload in the notification is the deprecation warning itself
as well as the callstack from the point that triggered the
notification.
|
|
|
|
| |
configuration in request.env. This is another step forward removing global configuration.
|
|
|
|
| |
ActionController::Base.session_store= in favor of a config.session_store method (which takes params) and a config.cookie_secret variable, which is used in various secret scenarios. The old AC::Base options will continue to work with deprecation warnings.
|
| |
|
|
|