path: root/railties
Commit message | Author | Age | Files | Lines
...
* Revert "Reject empty database yamls" | eileencodes | 2018-02-22 | 1 | -1/+1

  This reverts commit 0979713abe2e22083e1beca01a1d113408c9ab36.

  I originally wanted to delete the default config but found out it can be called anything, which means the code would blow up in unexpected ways. I thought "cool, I'll just delete the configs without dbs" and realized that totally 100% breaks the three-tier config. So I'm reverting this and the other commit.
* Merge pull request #32018 from rails/add-nonce-support-to-csp | Andrew White | 2018-02-22 | 4 | -39/+45

  Add support for automatic nonce generation for Rails UJS

  * Add support for automatic nonce generation for Rails UJS | Andrew White | 2018-02-19 | 4 | -39/+45

    Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'.

    To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled.

    Nonce generation isn't 100% safe - if your script tag is including user generated content in some way then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts.

    It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g.

        <%= javascript_tag nonce: true do %>
          alert('Hello, World!');
        <% end %>

    Fixes #31689.
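The nonce mechanism described in the commit message above, as an added example (this is not code from the Rails commit): a per-request nonce, the script-src directive that lists it, the meta tag that client-side code such as UJS reads, a script-tag helper, and a check that approximates the browser's decision on whether an inline script runs. The last helper illustrates the caveat in the message: a nonce authorises the whole script body, so user data interpolated raw into a nonced script is still an XSS unless it is quoted as a JS literal. The meta tag name `csp-nonce` and all function names are assumptions for this example.

```ruby
require "securerandom"
require "json"

# One nonce per request, shared by the header, the meta tag and every script
# tag rendered in that response. 16 random bytes, base64: a valid CSP nonce.
def new_nonce
  SecureRandom.base64(16)
end

# script-src that permits same-origin scripts and inline scripts carrying this
# request's nonce, with no 'unsafe-inline'.
def script_src_policy(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# Same pattern as the CSRF meta tag: expose the nonce so client-side code (UJS)
# can copy it onto script tags it creates. The meta name is an assumption.
def nonce_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{nonce}" />)
end

# Render an inline script, stamped with the nonce when one is given.
def script_tag(js, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<script#{attr}>\n#{js}\n</script>"
end

# Approximates the browser's decision: an inline script executes only if the
# policy carries 'unsafe-inline' or the tag's nonce equals one in the policy.
def inline_script_allowed?(policy, tag)
  directive = policy.split(";").map(&:strip).find { |d| d.start_with?("script-src") }
  return false unless directive

  sources = directive.split(/\s+/).drop(1)
  return true if sources.include?("'unsafe-inline'")

  policy_nonces = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact
  tag_nonce = tag[/\A<script\b[^>]*\snonce="([^"]*)"/, 1]
  !tag_nonce.nil? && policy_nonces.include?(tag_nonce)
end

# The caveat from the commit message: the nonce authorises the whole script
# body, so raw interpolation of user data into a nonced script is still XSS.
# The safe branch quotes the value as a JSON/JS string literal and defuses a
# "</script>" inside it; the unsafe branch is the vulnerable pattern.
def embed_user_value(value, safe:)
  literal = if safe
              value.to_json.gsub("</") { "<\\/" }
            else
              %("#{value}")
            end
  "var displayName = #{literal};"
end
```

`inline_script_allowed?` is a model of the browser's check, not a CSP parser: it only looks at the script-src directive and the nonce source expressions, which is enough to show that a tag with no nonce, or a stale nonce from another request, is refused once 'unsafe-inline' is gone.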
* Reject empty database yamls | eileencodes | 2018-02-22 | 1 | -1/+1

  In #32075 I deleted the default configuration since that's what's generated with the Rails app. Since someone could change the default name, instead delete any config that doesn't have a database so we can avoid peppering our Rails tasks with conditionals to deal with invalid database configs.
* Add cop for preferring 'Foo.method' over 'Foo::method' | Andrew White | 2018-02-22 | 2 | -2/+2
* Do not add routes when actions are not specified | Yuji Yaginuma | 2018-02-22 | 2 | -0/+8

  Since #30241, if a namespace is specified, routes will be generated even if there are no actions. However, it seems that this behavior is not intentionally added behavior. As with 5.1, routes should not be generated if actions are not specified.

  Fixes #32072.
* Merge pull request #32075 from eileencodes/delete-default-configuration | Eileen M. Uchitelle | 2018-02-21 | 1 | -0/+1

  Delete default configuration

  * Delete default configuration | eileencodes | 2018-02-21 | 1 | -0/+1

    Because of this default configuration we're constantly checking if the database exists when looping through configurations. This is unnecessary and we should just delete it before we need to loop through configurations.
* Ensure that `mini_magick` is absent after `rails new` with `--skip-active-storage` | bogdanvlviv | 2018-02-20 | 1 | -8/+9

  Remove redundant assertions of an absence of `mini_magick` in `Gemfile` since `bin/rails app:update` does not update Gemfile.

  These assertions were added by 4a835aa3236eedb135ccf8b59ed3c03e040b8b01; after reviewing https://github.com/rails/rails/pull/32049 I realized that the assertions are redundant.
* Remove trailing semi-colon from CSP | Andrew White | 2018-02-19 | 1 | -6/+6

  Although the spec[1] is defined in such a way that a trailing semi-colon is valid, it also doesn't allow a semi-colon by itself to indicate an empty policy. Therefore it's easier (and valid) just to omit it rather than to detect whether the policy is empty or not.

  [1]: https://www.w3.org/TR/CSP2/#policy-syntax
* Don't accidentally create an empty CSP | Andrew White | 2018-02-19 | 2 | -3/+33

  Setting up the request environment was accidentally creating a CSP as a consequence of accessing the option - only set the instance variable if a block is passed.
* Revert "Merge pull request #32045 from eagletmt/skip-csp-header" | Andrew White | 2018-02-19 | 1 | -1/+1

  This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b.

  If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.
* rubocop single space after assignment | Dixit Patel | 2018-02-19 | 1 | -1/+1
* Add stimulus to list of supported options for --webpack | Guillermo Iguaran | 2018-02-18 | 1 | -1/+1
* Fix test method name | Guillermo Iguaran | 2018-02-18 | 1 | -1/+1
* Don't generate empty app/views folder when --api and --skip-action-mailer are used together | Guillermo Iguaran | 2018-02-18 | 2 | -2/+23

  The purpose of keeping the app/views folder in API apps is that it's used for mailer views, so it doesn't make sense to keep it when Action Mailer is skipped.
* Clean up reporter replacement a bit. | Kasper Timm Hansen | 2018-02-18 | 2 | -29/+29

  * Don't use :: for class methods, we don't do that elsewhere.
  * Don't install a needless method on minitest. Prefer assigning the reporter anyway as that's what minitest does internally.
  * Don't bother opting out when the reporter ain't a Minitest::CompositeReporter. It's hardcoded: https://github.com/seattlerb/minitest/blob/005a3ba42c07d04797e2d00ac2c53e3be127c12f/lib/minitest.rb#L125 And overrides have to create delegate reporters: https://github.com/kern/minitest-reporters/blob/1018b1b42f34b01d4de179c8aad2fa06771fe9b0/lib/minitest/minitest_reporter_plugin.rb#L72
* Skip generating empty CSP header when no policy is configured | Kohei Suzuki | 2018-02-18 | 1 | -1/+1

  `Rails.application.config.content_security_policy` is configured with no policies by default. In this case, the Content-Security-Policy header should not be generated instead of generating the header with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
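The serialisation and configuration behaviour from the CSP commits above ("Remove trailing semi-colon from CSP", "Don't accidentally create an empty CSP", the revert of #32045 and this one), as an added example that is not the Rails implementation: directives are joined without a trailing semicolon, a policy object only comes into existence when a block configures one (merely reading the option must not create an empty policy), and the header is sent only when a policy exists, even if that policy has no directives. The class and method names, and the small set of directives and source keywords, are assumptions for this example.

```ruby
# Minimal model of a CSP configuration object and its serialisation.
class ContentSecurityPolicy
  DIRECTIVES = %w[default-src script-src style-src img-src connect-src].freeze
  SOURCE_KEYWORDS = {
    self: "'self'", none: "'none'", https: "https:", unsafe_inline: "'unsafe-inline'"
  }.freeze

  def initialize
    @directives = {}
    yield self if block_given?
  end

  # policy.script_src :self, :https  => script-src 'self' https:
  # policy.script_src false          => directive removed
  DIRECTIVES.each do |directive|
    define_method(directive.tr("-", "_")) do |*sources|
      if sources.empty? || sources == [false]
        @directives.delete(directive)
      else
        @directives[directive] = sources.map { |s| SOURCE_KEYWORDS.fetch(s, s.to_s) }
      end
    end
  end

  def empty?
    @directives.empty?
  end

  # "name src src; name src" with no trailing semicolon. CSP2 tolerates a
  # trailing ";" but a lone ";" is not a valid empty policy, so never emit one.
  def build
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end
end

class AppConfig
  # Only instantiate a policy when a block configures one. Reading the option
  # (as request setup or a middleware does) returns nil rather than creating
  # an empty policy as a side effect.
  def content_security_policy(&block)
    if block
      @content_security_policy = ContentSecurityPolicy.new(&block)
    else
      @content_security_policy
    end
  end
end

# Header value to send; nil means "do not set Content-Security-Policy at all".
def csp_header_value(config)
  policy = config.content_security_policy
  policy && policy.build
end
```

With the policy initializer commented out, `csp_header_value` returns nil and no header is emitted; with an initializer that configures nothing, the header is emitted with an empty value, which is the behaviour the revert of #32045 chose over suppressing it.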
* Rails 6 requires Ruby 2.4.1+ | Jeremy Daer | 2018-02-17 | 4 | -5/+11

  Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug.

  References #32028
* Clean up and consolidate .gitignores | bogdanvlviv | 2018-02-17 | 1 | -1/+5

  * Global ignores at toplevel .gitignore
  * Component-specific ignores in each toplevel directory
  * Remove `actionview/test/tmp/.keep` for JRuby

    ```
    rm actionview/test/tmp/ -fr
    cd actionview/
    bundle exec jruby -Itest test/template/digestor_test.rb
    ```

  Related to #11743, #30392.
  Closes #29978.
* Multipart file uploads are very rare in API only apps so don't include Rack::TempfileReaper in default middleware stack for API only apps | Guillermo Iguaran | 2018-02-17 | 2 | -3/+3
* Rails 6 requires Ruby 2.3+ | Jeremy Daer | 2018-02-17 | 3 | -14/+5
* Merge pull request #32002 from y-yagi/fix_set_serializer | Rafael França | 2018-02-17 | 1 | -0/+12

  Fix custom serializer setting

  * Fix custom serializer setting | Yuji Yaginuma | 2018-02-16 | 1 | -0/+12

    The serializer should be set up in `after_initialize` so that it works properly even if the user specifies a serializer with initializers. Also, since `custom_serializers` is an `Array`, it needs to be flattened before setting the value.
* Fix changelog entry [ci skip] | Rafael Mendonça França | 2018-02-16 | 1 | -1/+7
* Merge pull request #31901 from Kevinrob/patch-1 | Rafael França | 2018-02-16 | 3 | -4/+51

  Use SuppressedSummaryReporter and Rails::TestUnitReporter only if needed

  * Add SuppressedSummaryReporter and TestUnitReporter only if necessary | Kevin Robatel | 2018-02-15 | 3 | -4/+51
* Remove needless requiring 'active_support/core_ext/string/strip' | Yoshiyuki Hirano | 2018-02-17 | 1 | -1/+0
* Remove needless print | yuuji.yaginuma | 2018-02-17 | 1 | -1/+0

  It seems to be a debug print.
* Remove usage of strip_heredoc in the framework in favor of <<~ | Rafael Mendonça França | 2018-02-16 | 15 | -46/+42

  In some places we can't remove it because Ruby still doesn't have a method equivalent to strip_heredoc to be called on an already existing string.
* Remove support for Ruby 2.2 | Rafael Mendonça França | 2018-02-16 | 1 | -1/+1

  Rails 6 will only support Ruby >= 2.3.
* Add test parallelization to Rails | eileencodes | 2018-02-15 | 5 | -5/+97

  Provides both forked-process and threaded parallelization options.

  To use, add `parallelize` to your test suite. Takes a `workers` argument that controls how many times the process is forked. For each process a new database will be created suffixed with the worker number; test-database-0 and test-database-1 respectively.

  If `ENV["PARALLEL_WORKERS"]` is set the workers argument will be ignored and the environment variable will be used instead. This is useful for CI environments, or other environments where you may need more workers than you do for local testing.

  If the number of workers is set to `1` or fewer, the tests will not be parallelized.

  The default parallelization method is to fork processes. If you'd like to use threads instead you can pass `with: :threads` to the `parallelize` method. Note the threaded parallelization does not create multiple databases and will not work with system tests at this time.

      parallelize(workers: 2, with: :threads)

  The threaded parallelization uses Minitest's parallel executor directly. The process parallelization uses a Ruby DRb server.

  For parallelization via threads a setup hook and cleanup hook are provided.

  ```
  class ActiveSupport::TestCase
    parallelize_setup do |worker|
      # setup databases
    end

    parallelize_teardown do |worker|
      # cleanup database
    end

    parallelize(workers: 2)
  end
  ```

  [Eileen M. Uchitelle, Aaron Patterson]
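The forked-process semantics described in the commit message above, as an added example rather than the Rails implementation (which hands work out over DRb): `PARALLEL_WORKERS` in the environment overrides the `workers` argument, each worker is identified by an index that names its own database, one worker or fewer means no forking, and results are gathered back in the parent in job order. The runner, the per-worker pipe transport and all names here are assumptions for this example.

```ruby
# Worker count: PARALLEL_WORKERS in the environment wins over the argument.
def worker_count(requested, env = ENV)
  Integer(env.fetch("PARALLEL_WORKERS", requested))
end

# Each forked worker gets its own database, named by suffixing the worker index.
def database_name_for(base, worker)
  "#{base}-#{worker}"
end

# Calls block.call(job, worker) for every job, spreading jobs round-robin across
# forked workers and collecting results (in job order) through one pipe per
# worker. With 1 worker or fewer, or without fork support, everything runs
# serially in the current process as worker 0.
def run_in_parallel(jobs, workers:, env: ENV, &block)
  count = worker_count(workers, env)
  return jobs.map { |job| block.call(job, 0) } if count <= 1 || !Process.respond_to?(:fork)

  channels = Array.new(count) do |worker|
    reader, writer = IO.pipe
    pid = fork do
      reader.close
      payload = begin
        jobs.each_with_index
            .select { |_, i| i % count == worker }
            .map { |job, i| [i, block.call(job, worker)] }
      rescue StandardError => e
        e # ship the failure to the parent instead of dying silently
      end
      writer.write(Marshal.dump(payload))
      writer.close
      exit!(0) # skip at_exit hooks (e.g. minitest autorun) in the child
    end
    writer.close
    [pid, reader]
  end

  ordered = Array.new(jobs.size)
  channels.each do |pid, reader|
    payload = Marshal.load(reader.read)
    reader.close
    Process.wait(pid)
    raise payload if payload.is_a?(Exception)
    payload.each { |i, result| ordered[i] = result }
  end
  ordered
end
```

A real suite would run `parallelize_setup` inside the child before its first job (create and migrate `database_name_for(base, worker)`) and `parallelize_teardown` before `exit!`; the block-based shape above is enough to see why the threaded mode cannot give each worker its own database without a per-process connection.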
* Don't overwrite config/master.key even on --force | claudiob | 2018-02-12 | 2 | -2/+5

  See https://github.com/rails/rails/pull/31957#issuecomment-364817423

  The purpose of `--force` is not to have any prompt whether a file should be kept or overwritten. In general, all existing files should be overwritten. However, `config/master.key` is special because it is git-ignored, and overwriting it will cause the app not to run (since there won't be a way to decrypt the credentials). As a result, it's probably better to keep the existing config/master.key.
* Do not update `load_defaults` version when running `app:update` (#31951) | Yuji Yaginuma | 2018-02-13 | 4 | -2/+26

  Incompatible settings are included in the settings set by `load_defaults`. So, I think that the target version should be updated by a user when it becomes available, and should not be updated with `app:update`.
* Respect --force option for config/master.key | claudiob | 2018-02-11 | 2 | -1/+7

  This is similar to #30700 which ensures the `--quiet` option of `rails new` is respected by the `MasterKeyGenerator` (missing from #30067).

  Before this commit, running `rails new app --force` would still prompt the user what to do with the conflict in `config/master.key`:

  ```
  …
    identical  config/locales/en.yml
     conflict  config/master.key
  Overwrite /Users/claudiob/Desktop/pizza/config/master.key? (enter "h" for help) [Ynaqdh]
  ```

  After this commit, `config/master.key` is overwritten:

  ```
  …
    identical  config/locales/en.yml
        force  config/master.key
       append  .gitignore
  ```

  The newly added test generates an app and then generates it again with `--force`. Without this commit, the test would just wait forever for user input.
* Merge pull request #31949 from rails/remove-move | Claudio B | 2018-02-09 | 1 | -2/+0

  Remove warning from 4 years ago [ci skip]

  * Remove warning from 4 years ago [ci skip] | claudiob | 2018-02-09 | 1 | -2/+0

    `config/initializers/assets.rb` has been a part of Rails apps since Rails 4.2 (30b56084). This comment is probably unnecessary by now.
* Use heredoc with credentials template | Yoshiyuki Hirano | 2018-02-09 | 2 | -4/+16

  * Use heredoc with credentials template.
  * Fix indentation for aws config
* Do not add master key when `RAILS_MASTER_KEY` env specified (#31922) | Yuji Yaginuma | 2018-02-08 | 4 | -2/+27

  Fixes #31917
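The master-key rules that the three `config/master.key` commits above converge on ("Don't overwrite config/master.key even on --force", which supersedes "Respect --force option for config/master.key", and this one), as an added example that is not the Rails generator code: ordinary generated files are overwritten under `--force`, but the key file is never overwritten once it exists because it is the only thing that decrypts `config/credentials.yml.enc`, and no key file is written at all when `RAILS_MASTER_KEY` is supplied by the environment. The helper names, the return symbols and the 0600 permission are assumptions for this example.

```ruby
require "fileutils"
require "securerandom"

# Generic rule for generated files: keep an existing file unless force is given.
def write_generated_file(path, content, force: false)
  existed = File.exist?(path)
  return :skipped if existed && !force

  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
  existed ? :overwritten : :created
end

# config/master.key is the exception to the rule above:
# - with RAILS_MASTER_KEY in the environment, no key file is written at all;
# - an existing key is kept even under --force (the `force` argument is
#   accepted so callers can treat this like any generator, but it is ignored);
# - otherwise a fresh 128-bit hex key is created, owner-readable only, and
#   git-ignored so it cannot be committed alongside the encrypted credentials.
def install_master_key(app_root, force: false, env: ENV)
  return :skipped_env_key if env["RAILS_MASTER_KEY"]

  path = File.join(app_root, "config", "master.key")
  return :kept_existing if File.exist?(path)

  FileUtils.mkdir_p(File.dirname(path))
  # O_EXCL makes the create atomic: a concurrent writer cannot clobber the key.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(SecureRandom.hex(16))
  end
  ignore_in_git(app_root, "/config/master.key")
  :created
end

# Append a pattern to .gitignore once.
def ignore_in_git(app_root, pattern)
  gitignore = File.join(app_root, ".gitignore")
  existing = File.exist?(gitignore) ? File.readlines(gitignore, chomp: true) : []
  return :already_ignored if existing.include?(pattern)

  File.open(gitignore, "a") { |f| f.puts pattern }
  :appended
end
```

The `force` argument to `install_master_key` is deliberately a no-op: the point of the final commit is that `--force` must not be able to destroy the key, so the only ways to replace it are to delete the file or to provide the key through `RAILS_MASTER_KEY`.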
* Add nodoc to `CredentialsGenerator` and `MasterKeyGenerator` [ci skip] | yuuji.yaginuma | 2018-02-03 | 2 | -2/+2

  These classes are used internally only.
* Removed "private" generators from command list. | Wojciech Wnętrzak | 2018-02-02 | 3 | -18/+5

  The appropriate way to handle encrypted commands is via `bin/rails credentials` and `bin/rails encrypted`.

  They were displayed by the `bin/rails generate` command:

  ```
  Please choose a generator below.

  Rails:
    application_record
    assets
    channel
    controller
    encrypted_file
    encryption_key_file
    generator
    ...
  ```
* Fix `RuntimeError: Unknown version "6.0"` | Yuji Yaginuma | 2018-01-31 | 1 | -0/+3
* Start Rails 6.0 development!!! | Rafael Mendonça França | 2018-01-30 | 2 | -165/+4

  :tada::tada::tada:
* Merge pull request #31830 from rafaelfranca/disable-csp-by-default | Rafael França | 2018-01-30 | 1 | -10/+10

  Disable CSP by default

  * Disable CSP by default | Rafael Mendonça França | 2018-01-30 | 1 | -10/+10

    Before this patch, to be able to use webpacker and webconsole we were defining an used default in the script-src policy. While we don't implement the automatic nonce approach defined in https://github.com/rails/rails/issues/31689 it is better to not have any default configuration in Rails 5.2.
* Add Rack::TempfileReaper to tests and docs | George Claghorn | 2018-01-30 | 1 | -2/+4
* Add Rack::TempfileReaper to the default middleware stack | George Claghorn | 2018-01-30 | 1 | -0/+1
* Merge pull request #31769 from justjake/patch-2 | Matthew Draper | 2018-01-30 | 1 | -1/+1

  yarnpkg: correct exec syntax

  * yarnpkg: correct exec syntax | Jake Teton-Landis | 2018-01-23 | 1 | -1/+2

    Previous change didn't expand this array of arguments
* Remove extra whitespace | Daniel Colson | 2018-01-25 | 2 | -7/+7