aboutsummaryrefslogtreecommitdiffstats
path: root/railties
Commit message (Collapse)AuthorAgeFilesLines
* Adds support for configuring HTTP Feature Policy (#33439)Jacob Bednarz2019-07-106-1/+215
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
* Merge pull request #36534 from y-yagi/fixes_35137Yuji Yaginuma2019-07-034-3/+40
|\ | | | | Add the ability to set the CSP nonce only to the specified directives
| * Add the ability to set the CSP nonce only to the specified directivesyuuji.yaginuma2019-06-224-3/+40
| | | | | | | | | | | | | | | | | | | | | | I changed to set CSP nonce to `style-src` directive in #32932. But this causes an issue when `unsafe-inline` is specified to `style-src` (If a nonce is present, a nonce takes precedence over `unsafe-inline`). So, I fixed to nonce directives configurable. By configure this, users can make CSP as before. Fixes #35137.
* | Make `bin/setup` test pass even if the database does not existyuuji.yaginuma2019-06-301-1/+1
| |
* | Merge pull request #36560 from eileencodes/warn-if-database-yml-cant-be-readEileen M. Uchitelle2019-06-271-0/+28
|\ \ | | | | | | Warn if we can't read the yaml to create database tasks
| * | Load initial database.yml once, and warn if we can't create taskseileencodes2019-06-271-0/+28
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For multiple databases we attempt to generate the tasks by reading the database.yml before the Rails application is booted. This means that we need to strip out ERB since it could be reading Rails configs. In some cases like https://github.com/rails/rails/issues/36540 the ERB is too complex and we can't overwrite with the DummyCompilier we used in https://github.com/rails/rails/pull/35497. For the complex causes we simply issue a warning that says we couldn't infer the database tasks from the database.yml. While working on this I decided to update the code to only load the database.yml once initially so that we avoid having to issue the same warning multiple times. Note that this had no performance impact in my testing and is merely for not having to save the error off somewhere. Also this feels cleaner. Note that this will not break running tasks that exist, it will just mean that tasks for multi-db like `db:create:other_db` will not be generated. If the database.yml is actually unreadable it will blow up during normal rake task calls. Fixes #36540
* / Replace the www.robotstxt.org URL with https one [ci skip]Tatsuya Hoshino2019-06-251-1/+1
|/ | | | The robots.txt site is moved permanently to https URL.
* Make `ActionDispatch::Response#content_type` behavior configurableyuuji.yaginuma2019-06-213-0/+31
| | | | | | | | | I changed return value of `ActionDispatch::Response#content_type` in #36034. But this change seems to an obstacle to upgrading. https://github.com/rails/rails/pull/36034#issuecomment-498795893 Therefore, I restored the behavior of `ActionDispatch::Response#content_type` to 5.2 and deprecated old behavior. Also, made it possible to control the behavior with the config.
* Merge pull request #36486 from benthorner/masterYuji Yaginuma2019-06-203-5/+31
|\ | | | | Allow using env var to specify pidfile
| * Allow using env var to specify pidfileBen Thorner2019-06-193-5/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously it was only possible to specify the location of the pidfile for the 'rails server' command with the '-P' flag. This adds support for specifying the pidfile using a PIDFILE env var, which can still be overridden by the '-P' flag and with the default pidfile path unchanged. The motivation for this feature comes from using Docker to run multiple instances of the same rails app. When developing a rails app with Docker, it's common to bind-mount the rails root directory in the running container, so that changes to files are shared between the container and the host. However, this doesn't work so well with the pidfile and it's necessary to (remember to) add a '-P' flag to the 'rails server' command line; being able to specify this flag using an env var would make developing with Rails+Docker a bit simpler.
* | Move SchemaMigration to migration_contexteileencodes2019-06-142-4/+5
|/ | | | | | | | | | | | | | | | | | | | | | | | | | This PR moves the `schema_migration` to `migration_context` so that we can access the `schema_migration` per connection. This does not change behavior of the SchemaMigration if you are using one database. This also does not change behavior of any public APIs. `Migrator` is private as is `MigrationContext` so we can change these as needed. We now need to pass a `schema_migration` to `Migrator` so that we can run migrations on the right connection outside the context of a rake task. The bugs this fixes were discovered while debugging the issues around the SchemaCache on initialization with multiple database. It was clear that `get_all_versions` wouldn't work without these changes outside the context of a rake task (because in the rake task we establish a connection and change AR::Base.connection to the db we're running on). Because the `SchemaCache` relies on the `SchemaMigration` information we need to make sure we store it per-connection rather than on ActiveRecord::Base. [Eileen M. Uchitelle & Aaron Patterson]
* Merge pull request #36472 from kamipo/empty_line_only_before_access_modifierRyuta Kamizono2019-06-1344-50/+0
|\ | | | | Enable `Layout/EmptyLinesAroundAccessModifier` cop
| * Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-1344-50/+0
| | | | | | | | | | | | | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* | Don't `drop_table` before schema cache testsRyuta Kamizono2019-06-131-1/+2
|/ | | | Since 5cab34449, `drop_table` clears schema cache.
* Convert the db:abort_if_pending_migrations task to be multi-DB awareMark Lee2019-06-101-0/+26
|
* Remove redundant blank line at the bottom of the generated controller testyuuji.yaginuma2019-06-071-1/+1
|
* Merge pull request #36416 from freeletics/fix-db-prepareEileen M. Uchitelle2019-06-052-12/+50
|\ | | | | Fixed db:prepare task for multiple databases.
| * Fixed db:prepare task for multiple databases.Wojciech Wnętrzak2019-06-052-12/+50
| | | | | | | | | | When one database existed already, but not the other, during setup of missing one, existing database was wiped out.
* | Merge pull request #36394 from eileencodes/treat-application-record-as-primaryEileen M. Uchitelle2019-06-051-3/+3
|\ \ | |/ |/| Treat ActiveRecord::Base and ApplicationRecord as "primary"
| * Treat ActiveRecord::Base and ApplicationRecord as "primary"eileencodes2019-06-051-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When someone has a multi-db application their `ApplicationRecord` will look like: ```ruby class ApplicationRecord < ActiveRecord::Base self.abstract_class = true connects_to database: { writing: :primary, reading: :replica } end ``` This will cause us to open 2 connections to ActiveRecord::Base's database when we actually only want 1. This is because Rails sees `ApplicationRecord` and thinks it's a new connection, not the existing `ActiveRecord::Base` connection because the `connection_specification_name` is different. This PR changes `ApplicationRecord` classes to consider themselves the same as the "primary" connection. Fixes #36382
* | Extract default log file open operation to methodyuuji.yaginuma2019-06-053-10/+21
| | | | | | | | | | | | This allows customize a default log file(e.g. `reopen`) by an application. Fixes #32211.
* | Fix rubocop violationyuuji.yaginuma2019-06-051-2/+1
|/
* Merge pull request #36395 from cpruitt/6-0-stableEileen M. Uchitelle2019-06-041-3/+9
| | | Do not clear deprecated initializer dependencies if using classic autoloader
* Fail parallel tests if workers exit earlyJohn Hawthorn2019-05-301-0/+18
| | | | | | | | | | | | | | | | Previously, if a test worker exited early, the in-flight test it was supposed to run wasn't reported as a failure. If all workers exited immediately, this would be reported as ex. Finished in 1.708349s, 39.2192 runs/s, 79.0237 assertions/s. 67 runs, 135 assertions, 0 failures, 0 errors, 2 skips This commit validates that all workers finish running tests by ensuring that the queue is empty after they exit. This works because we signal the workers to exit by pushing nil onto the queue, so that there should be a number of items left in the queue matching potentially missed tests.
* Bring `after_bundle` back to API document [ci skip]yuuji.yaginuma2019-05-291-1/+6
| | | | | At class level `:nodoc:` all elements are prevented. Instead, use `:stopdoc:` / `:startdoc:` to make `after_bundle` appear.
* Skip needless spaces from generated app layout.Kasper Timm Hansen2019-05-261-1/+1
|
* Bump Gemfile entry jbuilder versionAnton Rieder2019-05-231-1/+1
| | | | | | | | | | jbuilder 2.6.4 is the first version that relaxes the version constraint to allow Rails 6. I also did some more tests in #25183, although not with 2.6.4 explicitly. To simplify the version requirement, I went for 2.7. https://github.com/rails/jbuilder/blob/v2.6.4/jbuilder.gemspec https://github.com/rails/rails/issues/25183#issuecomment-494342406
* Fix: DummyCompiler embeds invalid YAML contentVishal Telangre2019-05-152-8/+19
| | | | | | Fixes https://github.com/rails/rails/issues/36285. Follow up of https://github.com/rails/rails/pull/36237.
* Merge pull request #36237 from eileencodes/fix-erb-in-database-yaml-againEileen M. Uchitelle2019-05-142-1/+22
|\ | | | | Fix database loading when ERB is single line ternary
| * Fix database loading when ERB is single line ternaryeileencodes2019-05-102-1/+22
| | | | | | | | | | | | | | | | | | | | | | | | *sigh* this seems like the never ending bug. I don't love or even like this fix but it does _work_. Rafael suggested using `dummy_key: dummy_value` but unfortunately that doesn't work. So we're left with checking whethere there might be ternary type things in the content and then assuming that we want to replace the line with a key value pair. Technically fixes https://github.com/rails/rails/issues/36088
* | Add ActionDispatch::SystemTestCase#fill_in_rich_text_areaGeorge Claghorn2019-05-131-1/+1
| |
* | adds a blank line [ci skip]Xavier Noria2019-05-131-0/+1
| |
* | warn about non-eager loaded dirs in zeitwerk:checkXavier Noria2019-05-131-19/+53
| |
* | Update the sqlite db yaml template to match others and mention proper ↵Vipul A M2019-05-122-2/+2
| | | | | | | | supported version
* | Merge branch 'migration-timestamp-fix'Gannon McGibbon2019-05-101-0/+15
|\ \ | | | | | | | | | Closes #28707.
| * | Add class option timestamps to migration generatorMichael Duchemin2019-02-091-0/+15
| | | | | | | | | | | | Fixes GH#28706. Now rails g migration create_users and rails g model User have the same behavior for timestamps since they implement the same migration template. The expected behavior is that this create table migration will create the table with timestamps unless you pass --no-timestamps or --skip-timestamps to the generator. The expected migration should match what you get when you use the model generator. Using the migration generator, which doesn't have a class_option for timestamps would cause them to not be added to the migration file. Now the migration behavior of the migration generator, create_table only, is aligned with the migration behavior of the model generator. Also modified relevant example of ActiveRecord Migrations Guide.
* | | Merge pull request #36225 from ↵Yuji Yaginuma2019-05-091-1/+1
|\ \ \ | | | | | | | | | | | | | | | | deivid-rodriguez/workaround_sass_rails_requirement Use a better requirement for sass-rails 6 prereleases
| * | | Use a better requirement for sass-rails 6 prereleasesDavid Rodríguez2019-05-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is the behavior I naively expect for the operator when used with a single digit, but it's definitely an edge case for it, and it doesn't seem to work as expected for including prereleases. Using >= works fine and make the intention more clear anyways.
* | | | Fix indentation of the config.eager_load nil warningSharang Dashputre2019-05-091-1/+1
|/ / /
* | / Fix indentation for config.eager_load nil warning messageAbhay Nikam2019-05-081-5/+5
| |/ |/|
* | Merge pull request #36196 from st0012/fix-29947Eileen M. Uchitelle2019-05-071-0/+16
| | | | | | | | | | | | | | Hide malformed parameters from error page Accidentally merged this to 6-0-stable so forward porting it to master here instead.
* | Make generated test work even when using virtual attributesyuuji.yaginuma2019-05-056-7/+56
| | | | | | | | | | | | | | | | | | The virtual attributes(`attachment` and `rich_text`) can't set value with `fill_in`. So avoid using it. Once #35885 is merged, will be modified to use it. Also, add checking attachment attached or not for avoiding `DelegationError` when attachment didn't attach.
* | Fix rubocop offencesRyuta Kamizono2019-04-301-1/+1
| |
* | new config to opt-out from adding app directories to $LOAD_PATHXavier Noria2019-04-283-6/+38
| |
* | Fallback to spawn instead of fork in jruby (#36111)Guilherme Mansur2019-04-261-8/+12
| | | | | | | | | | | | | | | | * Fallback to spawn instead of fork in jruby This commit: b342db6 introduced a `fork` fork when running the railties tests since this is not supported in jruby we fallback to using spawn. Fixes: https://github.com/rails/rails/issues/35900
* | Bump bootsnap to a version with disables iseq_cache for Ruby 2.5Prathamesh Sonpatki2019-04-261-1/+1
| | | | | | | | - Refs https://github.com/Shopify/bootsnap/pull/257
* | Start Rails 6.1 developmentRafael Mendonça França2019-04-243-403/+5
| |
* | Merge pull request #36067 from st0012/update-generator-for-api-appRafael França2019-04-233-0/+11
|\ \ | | | | | | Remove action_controller.perform_caching from api app's configs
| * | Remove action_controller.perform_caching from api app's configsst00122019-04-243-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As suggested in https://github.com/rails/rails/issues/35602#issuecomment-485833483, because we don't provide view caching and doesn't include `ActionController::Caching` for api apps, we should also avoid generating ```ruby config.action_controller.perform_caching = true ``` for those api apps. So it won't confuse people. **But because `perform_caching` will be `true` if not set, the behavior of the app would still be the same without these configs.**
* | | Merge pull request #35852 from larouxn/resurrectionRafael França2019-04-232-0/+9
|\ \ \ | |/ / |/| | Resurrect external JS/CS generation