From dc4429ca3b21005d0016fca78967c2ebbe9677c9 Mon Sep 17 00:00:00 2001
From: Derek Prior
Date: Wed, 16 Dec 2015 09:41:47 -0500
Subject: Deprecate `redirect_to :back`

Applications that use `redirect_to :back` can be forced to 500 by clients that do not send the HTTP `Referer` (sic) header. `redirect_back` requires the user to consider this possibility up front and avoids this trivially-caused application error.
---
actionpack/lib/action_controller/metal/redirecting.rb | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 72ceb9a5bc..aeecb48f85 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -20,8 +20,6 @@ module ActionController
 # * String starting with protocol:// (like http://) or a protocol relative reference (like //) - Is passed straight through as the target for redirection.
 # * String not containing a protocol - The current protocol and host is prepended to the string.
 # * Proc - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
- # * :back - Back to the page that issued the request. Useful for forms that are triggered from multiple places.
- # Short-hand for redirect_to(request.env["HTTP_REFERER"])
 #
 # === Examples:
 #
@@ -30,7 +28,6 @@ module ActionController
 # redirect_to "http://www.rubyonrails.org"
 # redirect_to "/images/screenshot.jpg"
 # redirect_to articles_url
- # redirect_to :back
 # redirect_to proc { edit_post_url(@post) }
 #
 # The redirection happens as a "302 Found" header unless otherwise specified using the :status option:
@@ -61,10 +58,6 @@ module ActionController
 # redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
 # redirect_to({ action: 'atom' }, alert: "Something serious happened")
 #
- # When using redirect_to :back, if there is no referrer,
- # ActionController::RedirectBackError will be raised. You
- # may specify some fallback behavior for this case by rescuing
- # ActionController::RedirectBackError.
 def redirect_to(options = {}, response_status = {}) #:doc:
 raise ActionControllerError.new("Cannot redirect to nil!") unless options
 raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
@@ -78,9 +71,6 @@ module ActionController
 # Redirects the browser to the page that issued the request if possible,
 # otherwise redirects to provided default fallback location.
 #
- # This avoids the ActionController::RedirectBackError that can
- # occur if the request has no associated HTTP_REFERER.
- #
 # redirect_back fallback_location: { action: "show", id: 5 }
 # redirect_back fallback_location: post
 # redirect_back fallback_location: "http://www.rubyonrails.org"
@@ -110,6 +100,12 @@ module ActionController
 when String
 request.protocol + request.host_with_port + options
 when :back
+ ActiveSupport::Deprecation.warn(<<-MESSAGE.squish)
+ `redirect_to :back` is deprecated and will be removed from Rails 5.1.
+ Please use `redirect_back(fallback_location: fallback_location)` where
+ `fallback_location` represents the location to use if the request has
+ no HTTP referer information.
+ MESSAGE
 request.headers["Referer"] or raise RedirectBackError
 when Proc
 _compute_redirect_to_location request, options.call
-- cgit v1.2.3
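Review bot: The `when :back` branch still ends in `request.headers["Referer"] or raise RedirectBackError`, so for the whole deprecation window a request without a Referer header still raises the error the commit message describes, yet the earlier hunks delete the only comments that documented `RedirectBackError` (on `redirect_to` and on `redirect_back`). I would keep a one-line comment above the warning until the branch is removed, for example `# Deprecated path: still raises RedirectBackError when the Referer header is absent.` Separately, the Referer value is client-supplied and is returned here as the redirect target unchanged. Whether `redirect_back` restricts the target host cannot be seen in this diff, so the message's recommendation should not be read as adding validation of the referer. The enclosing `_compute_redirect_to_location` starts and ends outside the hunk.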