From a708f01ee2ab2337b97936b8574d3bf62f375870 Mon Sep 17 00:00:00 2001 From: Neil Stockbridge Date: Wed, 8 Aug 2012 15:10:33 +1200 Subject: Added a note for smtp_settings.enable_starttls_auto --- guides/source/action_mailer_basics.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/action_mailer_basics.textile b/guides/source/action_mailer_basics.textile index bb5cbcba14..35288a0a1e 100644 --- a/guides/source/action_mailer_basics.textile +++ b/guides/source/action_mailer_basics.textile @@ -451,7 +451,7 @@ The following configuration options are best made in one of the environment file |+template_root+|Determines the base from which template references will be made.| |+logger+|Generates information on the mailing run if available. Can be set to +nil+ for no logging. Compatible with both Ruby's own +Logger+ and +Log4r+ loggers.| -|+smtp_settings+|Allows detailed configuration for :smtp delivery method:| +|+smtp_settings+|Allows detailed configuration for :smtp delivery method:| |+sendmail_settings+|Allows you to override options for the :sendmail delivery method.| |+raise_delivery_errors+|Whether or not errors should be raised if the email fails to be delivered.| |+delivery_method+|Defines a delivery method. Possible values are :smtp (default), :sendmail, :file and :test.| -- cgit v1.2.3 From aa41bcd4d818eeb945ee7654593dc647fc9c33ed Mon Sep 17 00:00:00 2001 From: Almudena Garcia Date: Thu, 23 Aug 2012 23:46:16 +0200 Subject: Fix HTML validation errors --- guides/source/asset_pipeline.textile | 4 ++-- guides/source/engines.textile | 6 +++--- guides/source/form_helpers.textile | 2 +- guides/source/getting_started.textile | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'guides/source') diff --git a/guides/source/asset_pipeline.textile b/guides/source/asset_pipeline.textile index e385ec4f17..06df428cc3 100644 --- a/guides/source/asset_pipeline.textile +++ b/guides/source/asset_pipeline.textile @@ -70,11 +70,11 @@ The query string strategy has several disadvantages:
  1. - Not all caches will reliably cache content where the filename only differs by query parameters.
    + Not all caches will reliably cache content where the filename only differs by query parameters.
    "Steve Souders recommends":http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/, "...avoiding a querystring for cacheable resources". He found that in this case 5-20% of requests will not be cached. Query strings in particular do not work at all with some CDNs for cache invalidation.
  2. - The file name can change between nodes in multi-server environments.
    + The file name can change between nodes in multi-server environments.
    The default query string in Rails 2.x is based on the modification time of the files. When assets are deployed to a cluster, there is no guarantee that the timestamps will be the same, resulting in different values being used depending on which server handles the request.
  3. diff --git a/guides/source/engines.textile b/guides/source/engines.textile index de4bbb5656..fe8fcfbb3f 100644 --- a/guides/source/engines.textile +++ b/guides/source/engines.textile @@ -217,7 +217,7 @@ This helps prevent conflicts with any other engine or application that may have Finally, two files that are the assets for this resource are generated, +app/assets/javascripts/blorgh/posts.js+ and +app/assets/javascripts/blorgh/posts.css+. You'll see how to use these a little later. -By default, the scaffold styling is not applied to the engine as the engine's layout file, +app/views/blorgh/application.html.erb+ doesn't load it. To make this apply, insert this line into the ++ tag of this layout: +By default, the scaffold styling is not applied to the engine as the engine's layout file, +app/views/blorgh/application.html.erb+ doesn't load it. To make this apply, insert this line into the +<head>+ tag of this layout: <%= stylesheet_link_tag "scaffold" %> @@ -369,7 +369,7 @@ This partial will be responsible for rendering just the comment text, for now. C <%= comment_counter + 1 %>. <%= comment.text %> -The +comment_counter+ local variable is given to us by the +<%= render @post.comments %>+ call, as it will define this automatically and increment the counter as it iterates through each comment. It's used in this example to display a small number next to each comment when it's created. +The +comment_counter+ local variable is given to us by the +<%= render @post.comments %>+ call, as it will define this automatically and increment the counter as it iterates through each comment. It's used in this example to display a small number next to each comment when it's created. That completes the comment function of the blogging engine. Now it's time to use it within an application. @@ -536,7 +536,7 @@ Finally, the author's name should be displayed on the post's page. Add this code

    -By outputting +@post.author+ using the +<%=+ tag the +to_s+ method will be called on the object. By default, this will look quite ugly: +By outputting +@post.author+ using the +<%=+ tag the +to_s+ method will be called on the object. By default, this will look quite ugly: # diff --git a/guides/source/form_helpers.textile b/guides/source/form_helpers.textile index 58338ce54b..f2d8755bf0 100644 --- a/guides/source/form_helpers.textile +++ b/guides/source/form_helpers.textile @@ -98,7 +98,7 @@ form_tag({:controller => "people", :action => "search"}, :method => "get", :clas h4. Helpers for Generating Form Elements -Rails provides a series of helpers for generating form elements such as checkboxes, text fields, and radio buttons. These basic helpers, with names ending in "_tag" (such as +text_field_tag+ and +check_box_tag+), generate just a single +<input>+ element. The first parameter to these is always the name of the input. When the form is submitted, the name will be passed along with the form data, and will make its way to the +params+ hash in the controller with the value entered by the user for that field. For example, if the form contains +<%= text_field_tag(:query) %>+, then you would be able to get the value of this field in the controller with +params[:query]+. +Rails provides a series of helpers for generating form elements such as checkboxes, text fields, and radio buttons. These basic helpers, with names ending in "_tag" (such as +text_field_tag+ and +check_box_tag+), generate just a single +<input>+ element. The first parameter to these is always the name of the input. When the form is submitted, the name will be passed along with the form data, and will make its way to the +params+ hash in the controller with the value entered by the user for that field. For example, if the form contains +<%= text_field_tag(:query) %>+, then you would be able to get the value of this field in the controller with +params[:query]+. When naming inputs, Rails uses certain conventions that make it possible to submit parameters with non-scalar values such as arrays or hashes, which will also be accessible in +params+. You can read more about them in "chapter 7 of this guide":#understanding-parameter-naming-conventions. For details on the precise usage of these helpers, please refer to the "API documentation":http://api.rubyonrails.org/classes/ActionView/Helpers/FormTagHelper.html. diff --git a/guides/source/getting_started.textile b/guides/source/getting_started.textile index 22da369a2a..226c3dce14 100644 --- a/guides/source/getting_started.textile +++ b/guides/source/getting_started.textile @@ -124,7 +124,7 @@ application. Most of the work in this tutorial will happen in the +app/+ folder, |config.ru|Rack configuration for Rack based servers used to start the application.| |db/|Contains your current database schema, as well as the database migrations.| |doc/|In-depth documentation for your application.| -|Gemfile
    Gemfile.lock|These files allow you to specify what gem dependencies are needed for your Rails application. These files are used by the Bundler gem. For more information about Bundler, see "the Bundler website":http://gembundler.com | +|Gemfile
    Gemfile.lock|These files allow you to specify what gem dependencies are needed for your Rails application. These files are used by the Bundler gem. For more information about Bundler, see "the Bundler website":http://gembundler.com | |lib/|Extended modules for your application.| |log/|Application log files.| |public/|The only folder seen to the world as-is. Contains the static files and compiled assets.| -- cgit v1.2.3 From 0c6890afe236df8c865f946c2525d8d7d4cfa7be Mon Sep 17 00:00:00 2001 From: Henrik N Date: Sat, 25 Aug 2012 16:41:25 +0200 Subject: Guide: improvements to "The Flash" section. Correct :error -> :alert, mention FlashHash class, mention that you're not limited to notices and alerts, clean up. --- guides/source/action_controller_overview.textile | 31 +++++++++++++++++------- 1 file changed, 22 insertions(+), 9 deletions(-) (limited to 'guides/source') diff --git a/guides/source/action_controller_overview.textile b/guides/source/action_controller_overview.textile index 3c828735ae..67c9044d91 100644 --- a/guides/source/action_controller_overview.textile +++ b/guides/source/action_controller_overview.textile @@ -278,26 +278,31 @@ To reset the entire session, use +reset_session+. h4. The Flash -The flash is a special part of the session which is cleared with each request. This means that values stored there will only be available in the next request, which is useful for storing error messages etc. It is accessed in much the same way as the session, like a hash. Let's use the act of logging out as an example. The controller can send a message which will be displayed to the user on the next request: +The flash is a special part of the session which is cleared with each request. This means that values stored there will only be available in the next request, which is useful for passing error messages etc. + +It is accessed in much the same way as the session, as a hash (it's a "FlashHash":http://api.rubyonrails.org/classes/ActionDispatch/Flash/FlashHash.html instance). + +Let's use the act of logging out as an example. The controller can send a message which will be displayed to the user on the next request: class LoginsController < ApplicationController def destroy session[:current_user_id] = nil - flash[:notice] = "You have successfully logged out" + flash[:notice] = "You have successfully logged out." redirect_to root_url end end -Note it is also possible to assign a flash message as part of the redirection. +Note that it is also possible to assign a flash message as part of the redirection. You can assign +:notice+, +:alert+ or the general purpose +:flash+: -redirect_to root_url, :notice => "You have successfully logged out" +redirect_to root_url, :notice => "You have successfully logged out." +redirect_to root_url, :alert => "You're stuck here!" +redirect_to root_url, :flash => { :referral_code => 1234 } - -The +destroy+ action redirects to the application's +root_url+, where the message will be displayed. Note that it's entirely up to the next action to decide what, if anything, it will do with what the previous action put in the flash. It's conventional to display eventual errors or notices from the flash in the application's layout: +The +destroy+ action redirects to the application's +root_url+, where the message will be displayed. Note that it's entirely up to the next action to decide what, if anything, it will do with what the previous action put in the flash. It's conventional to display any error alerts or notices from the flash in the application's layout: @@ -306,15 +311,23 @@ The +destroy+ action redirects to the application's +root_url+, where the messag <% if flash[:notice] %>

    <%= flash[:notice] %>

    <% end %> - <% if flash[:error] %> -

    <%= flash[:error] %>

    + <% if flash[:alert] %> +

    <%= flash[:alert] %>

    <% end %>     -This way, if an action sets an error or a notice message, the layout will display it automatically. +This way, if an action sets a notice or an alert message, the layout will display it automatically. + +You can pass anything that the session can store; you're not limited to notices and alerts: + + +<% if flash[:just_signed_up] %> +

    Welcome to our site!

    +<% end %> +     If you want a flash value to be carried over to another request, use the +keep+ method: -- cgit v1.2.3 From 52b3c7d70636536371f5ed5f8e255aa1d6bce1e9 Mon Sep 17 00:00:00 2001 From: Deepak Kannan Date: Mon, 27 Aug 2012 15:32:14 +0530 Subject: Minor update for usage of git command after running, git add . do not need -a option to git commit --- guides/source/rails_application_templates.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/rails_application_templates.textile b/guides/source/rails_application_templates.textile index f50ced3307..d6a2465d1e 100644 --- a/guides/source/rails_application_templates.textile +++ b/guides/source/rails_application_templates.textile @@ -38,7 +38,7 @@ rake("db:migrate") git :init git :add => "." -git :commit => "-a -m 'Initial commit'" +git :commit => "-m 'Initial commit'" The following sections outlines the primary methods provided by the API: -- cgit v1.2.3 From 4587e47bb9a5d73a70bef6de1da88b363fe00d99 Mon Sep 17 00:00:00 2001 From: Deepak Kannan Date: Mon, 27 Aug 2012 15:35:19 +0530 Subject: Update guides/source/rails_application_templates.textile think that a quoted string will be better as it will automatically escape double-quotes as well --- guides/source/rails_application_templates.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/rails_application_templates.textile b/guides/source/rails_application_templates.textile index d6a2465d1e..2fa40bc4cc 100644 --- a/guides/source/rails_application_templates.textile +++ b/guides/source/rails_application_templates.textile @@ -38,7 +38,7 @@ rake("db:migrate") git :init git :add => "." -git :commit => "-m 'Initial commit'" +git :commit => %Q{ -m 'Initial commit' } The following sections outlines the primary methods provided by the API: -- cgit v1.2.3 From dad633c0f1888ce527a43d8bc782cfc9af440afa Mon Sep 17 00:00:00 2001 From: Egor Homakov Date: Mon, 27 Aug 2012 16:32:54 +0300 Subject: default headers init --- guides/source/security.textile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'guides/source') diff --git a/guides/source/security.textile b/guides/source/security.textile index 49e5da6bb7..0a9911cedc 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1021,6 +1021,29 @@ Content-Type: text/html Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ +h3. Default Headers + +Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in config/application.rb. + +config.action_dispatch.default_headers = { + 'Header-Name' => 'Header-Value', + 'X-Frame-Options' => 'DENY' +} + +Here is the list of common headers: +* X-Frame-Options +_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. +* X-XSS-Protection +_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) +* X-Content-Type-Options +_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file. +* X-Content-Security-Policy +"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html +* Access-Control-Allow-Origin +Used to control which sites are allowed to bypass same origin policies and send cross-origin requests. +* Strict-Transport-Security +"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + h3. Additional Resources The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here: -- cgit v1.2.3 From cb8bcdd9f155348bf8b0e543ddd89a855ec99984 Mon Sep 17 00:00:00 2001 From: Jim Jones Date: Mon, 27 Aug 2012 21:04:42 -0700 Subject: Added clairifications for default security headers. --- guides/source/security.textile | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/security.textile b/guides/source/security.textile index 0a9911cedc..f3c3ab9d87 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim. h3. Default Headers -Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in config/application.rb. +Every HTTP response from your Rails application receives the following default security headers. + + +config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' +} + + +You can configure default headers in config/application.rb. + config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' } + +Or you can remove them. + + +config.action_dispatch.default_headers.clear + + Here is the list of common headers: * X-Frame-Options _'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. -- cgit v1.2.3 From fe309b5223972efbbbb25eb3b318e139cae06c95 Mon Sep 17 00:00:00 2001 From: Nathaniel Madura Date: Wed, 29 Aug 2012 13:13:58 -0400 Subject: added a touch more information to the apache configuration instructions In the text there is a section about how to serve the assets with far-future headers. The snippet that is proposed doesn't work on Ubuntu 11 (probably others) as mod_expires is not enabled out-of-the-box. I noted this, and gave an example of how to load mod_expires with a2enmod. --- guides/source/asset_pipeline.textile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'guides/source') diff --git a/guides/source/asset_pipeline.textile b/guides/source/asset_pipeline.textile index 06df428cc3..9c641db964 100644 --- a/guides/source/asset_pipeline.textile +++ b/guides/source/asset_pipeline.textile @@ -473,6 +473,9 @@ Precompiled assets exist on the filesystem and are served directly by your web s For Apache: +# the following requires mod_expires +# on Ubuntu issue: +# sudo a2enmod expires # Use of ETag is discouraged when Last-Modified is present Header unset ETag -- cgit v1.2.3 From f049d3347751686f43ebeae0aac426010293a55b Mon Sep 17 00:00:00 2001 From: "Aldo \"xoen\" Giambelluca" Date: Thu, 30 Aug 2012 18:19:27 +0200 Subject: Removed spaces between name and asterisks in example CHANGELOG entry [ci skip] --- guides/source/contributing_to_ruby_on_rails.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/contributing_to_ruby_on_rails.textile b/guides/source/contributing_to_ruby_on_rails.textile index 4bb4e3b546..427733fe03 100644 --- a/guides/source/contributing_to_ruby_on_rails.textile +++ b/guides/source/contributing_to_ruby_on_rails.textile @@ -385,7 +385,7 @@ A CHANGELOG entry should summarize what was changed and should end with author's You can continue after the code example and you can attach issue number. GH#1234 - * Your Name * + *Your Name* Your name can be added directly after the last word if you don't provide any code examples or don't need multiple paragraphs. Otherwise, it's best to make as a new paragraph. -- cgit v1.2.3 From 94301b9e0f55c777da011d063dfee5372551e08e Mon Sep 17 00:00:00 2001 From: Kevin Musiorski Date: Thu, 30 Aug 2012 16:35:17 -0500 Subject: in section 4.1 acts_as_yaffle_test was incorrectly failing due to assertion incorrectly using symbol instead of string --- guides/source/plugins.textile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'guides/source') diff --git a/guides/source/plugins.textile b/guides/source/plugins.textile index fbd317f0c2..50ea6b166a 100644 --- a/guides/source/plugins.textile +++ b/guides/source/plugins.textile @@ -174,11 +174,11 @@ require 'test_helper' class ActsAsYaffleTest < Test::Unit::TestCase def test_a_hickwalls_yaffle_text_field_should_be_last_squawk - assert_equal :last_squawk, Hickwall.yaffle_text_field + assert_equal "last_squawk", Hickwall.yaffle_text_field end def test_a_wickwalls_yaffle_text_field_should_be_last_tweet - assert_equal :last_tweet, Wickwall.yaffle_text_field + assert_equal "last_tweet", Wickwall.yaffle_text_field end end -- cgit v1.2.3 From 030af5e9243a57c2e8bda523ca23fb7d6f5575ed Mon Sep 17 00:00:00 2001 From: "Aldo \"xoen\" Giambelluca" Date: Fri, 31 Aug 2012 08:45:14 +0200 Subject: In example about params naming conventions use params[:person] [ci skip] The example is about a Person model, say that "params[:model] would usually be a hash of all the attributes for the person to create" could be confusing. I changed to params[:person] since the example is about a Person creation. --- guides/source/form_helpers.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/form_helpers.textile b/guides/source/form_helpers.textile index f2d8755bf0..d507a04c1b 100644 --- a/guides/source/form_helpers.textile +++ b/guides/source/form_helpers.textile @@ -654,7 +654,7 @@ If +f+ is an instance of FormBuilder then this will render the +form+ partial, s h3. Understanding Parameter Naming Conventions As you've seen in the previous sections, values from forms can be at the top level of the +params+ hash or nested in another hash. For example in a standard +create+ -action for a Person model, +params[:model]+ would usually be a hash of all the attributes for the person to create. The +params+ hash can also contain arrays, arrays of hashes and so on. +action for a Person model, +params[:person]+ would usually be a hash of all the attributes for the person to create. The +params+ hash can also contain arrays, arrays of hashes and so on. Fundamentally HTML forms don't know about any sort of structured data, all they generate is name–value pairs, where pairs are just plain strings. The arrays and hashes you see in your application are the result of some parameter naming conventions that Rails uses. -- cgit v1.2.3 From 29fe1260d04d9eade40da5e3e3000d16093daa13 Mon Sep 17 00:00:00 2001 From: Pratik Naik Date: Fri, 31 Aug 2012 11:15:24 -0700 Subject: Fix my bio --- guides/source/credits.html.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source') diff --git a/guides/source/credits.html.erb b/guides/source/credits.html.erb index 04deec6a11..e25168d58d 100644 --- a/guides/source/credits.html.erb +++ b/guides/source/credits.html.erb @@ -64,7 +64,7 @@ Oscar Del Ben is a software engineer at Wi <% end %> <%= author('Pratik Naik', 'lifo') do %> - Pratik Naik is a Ruby on Rails consultant with ActionRails and also a member of the Rails core team. He maintains a blog at has_many :bugs, :through => :rails and has an active twitter account. + Pratik Naik is a Ruby on Rails developer at 37signals and also a member of the Rails core team. He maintains a blog at has_many :bugs, :through => :rails and has a semi-active twitter account. <% end %> <%= author('Emilio Tagua', 'miloops') do %> -- cgit v1.2.3 From 831b814a8778aad0d038aab550b7d405d4a69d37 Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Sat, 1 Sep 2012 23:49:55 +0530 Subject: copy edits [ci skip] --- guides/source/asset_pipeline.textile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'guides/source') diff --git a/guides/source/asset_pipeline.textile b/guides/source/asset_pipeline.textile index 9c641db964..2a15e95282 100644 --- a/guides/source/asset_pipeline.textile +++ b/guides/source/asset_pipeline.textile @@ -473,9 +473,7 @@ Precompiled assets exist on the filesystem and are served directly by your web s For Apache: -# the following requires mod_expires -# on Ubuntu issue: -# sudo a2enmod expires +# The Expires* directives requires the Apache module +mod_expires+ to be enabled. # Use of ETag is discouraged when Last-Modified is present Header unset ETag -- cgit v1.2.3