*Rails 3.2.0 (unreleased)*

* Make sure escape_js returns SafeBuffer string if it receives SafeBuffer string [Prem Sichanugrist]

* Fix escape_js to work correctly with the new SafeBuffer restriction [Paul Gallagher]

* Brought back alternative convention for namespaced models in i18n [thoefer]

  Now the key can be either "namespace.model" or "namespace/model" until further deprecation.

* It is prohibited to perform an in-place SafeBuffer mutation [tenderlove]

  The old behavior of SafeBuffer allowed you to mutate a string in place via methods like `sub!`. These methods can add unsafe strings to a safe buffer, and the safe buffer will continue to be marked as safe.

  An example problem would be something like this:

    <%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>

  In the above example, an untrusted string (`params[:xss]`) is added to the safe buffer returned by `link_to`, and the untrusted content is successfully sent to the client without being escaped. To prevent this from happening `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.

  In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:

    <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>

  The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
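The in-place and copying cases from the SafeBuffer entry above, modelled in plain Ruby. This is an added example, not Rails' or ActiveSupport's code: `LegacySafeBuffer`, `StrictSafeBuffer`, `InPlaceMutation`, `emit` and the constructed `LINK` and `PAYLOAD` values are hypothetical stand-ins for `SafeBuffer`, `<%= %>`, `link_to(...)` and `params[:xss]`.

```ruby
# Simplified model of an HTML-safe buffer; NOT ActiveSupport::SafeBuffer itself.
# Every class, method and constant name in this block is hypothetical.

HTML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                 '"' => "&quot;", "'" => "&#39;" }.freeze

def escape_html(text)
  text.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Stand-in for ERB's <%= %>: values flagged html_safe? are written as-is,
# everything else is escaped first.
def emit(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : escape_html(value.to_s)
end

# Old behaviour: the "safe" flag survives in-place edits and copies alike.
class LegacySafeBuffer
  def initialize(markup)
    @markup = markup.dup
  end

  def html_safe?
    true
  end

  def to_s
    @markup
  end

  # Content changes, flag does not: untrusted text becomes "safe".
  def sub!(pattern, replacement)
    @markup.sub!(pattern, replacement)
    self
  end

  # The copy is wrapped in a new buffer that is again flagged safe.
  def sub(pattern, replacement)
    self.class.new(@markup.sub(pattern, replacement))
  end
end

# New behaviour: in-place edits raise, copies come back as plain Strings,
# which emit() treats as unsafe and escapes.
class StrictSafeBuffer < LegacySafeBuffer
  class InPlaceMutation < TypeError; end

  def sub!(*)
    raise InPlaceMutation, "cannot modify a safe buffer in place"
  end

  def sub(pattern, replacement)
    @markup.sub(pattern, replacement)
  end
end

# Constructed sample values.
LINK    = '<a href="/users/1">hello world</a>'  # what link_to would return
PAYLOAD = "<script>alert(1)</script>"           # what params[:xss] might hold

def legacy_in_place
  emit(LegacySafeBuffer.new(LINK).sub!(/hello/, PAYLOAD))
end

def legacy_copy
  emit(LegacySafeBuffer.new(LINK).sub(/hello/, PAYLOAD))
end

def strict_copy
  emit(StrictSafeBuffer.new(LINK).sub(/hello/, PAYLOAD))
end

def strict_in_place
  StrictSafeBuffer.new(LINK).sub!(/hello/, PAYLOAD)
  :no_error
rescue StrictSafeBuffer::InPlaceMutation
  :raised
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy sub!: #{legacy_in_place}"
  puts "legacy sub : #{legacy_copy}"
  puts "strict sub : #{strict_copy}"
  puts "strict sub!: #{strict_in_place}"
end
```

With the strict buffer the whole result of `sub` is escaped, link markup included, so a template that really needs to edit helper output has to rebuild the markup from escaped parts instead.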
  You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb

* Refactor ActionController::TestCase cookies [Andrew White]

  Assigning cookies for test cases should now use cookies[], e.g:

    cookies[:email] = 'user@example.com'
    get :index
    assert_equal 'user@example.com', cookies[:email]

  To clear the cookies, use clear, e.g:

    cookies.clear
    get :index
    assert_nil cookies[:email]

  We now no longer write out HTTP_COOKIE and the cookie jar is persistent between requests so if you need to manipulate the environment for your test you need to do it before the cookie jar is created.

*Rails 3.1.0 (unreleased)*

* Added 'ActionView::Helpers::FormHelper.fields_for_with_index', similar to fields_for but allows to have access to the current iteration index [Jorge Bejar]

* Warn if we cannot verify CSRF token authenticity [José Valim]

* Allow AM/PM format in datetime selectors [Aditya Sanghi]

* Only show dump of regular env methods on exception screen (not all the rack crap) [DHH]

* auto_link has been removed with no replacement. If you still use auto_link please install the rails_autolink gem: http://github.com/tenderlove/rails_autolink [tenderlove]

* Added streaming support, you can enable it with: [José Valim]

    class PostsController < ActionController::Base
      stream :only => :index
    end

  Please read the docs at `ActionController::Streaming` for more information.
* Added `ActionDispatch::Request.ignore_accept_header` to ignore accept headers and only consider the format given as parameter [José Valim]

* Created `ActionView::Renderer` and specified an API for `ActionView::Context`, check those objects for more information [José Valim]

* Added `ActionController::ParamsWrapper` to wrap parameters into a nested hash, and will be turned on for JSON request in new applications by default [Prem Sichanugrist]

  This can be customized by setting `ActionController::Base.wrap_parameters` in `config/initializer/wrap_parameters.rb`

* RJS has been extracted out to a gem. [fxn]

* Implicit actions named not_implemented can be rendered. [Santiago Pastorino]

* Wildcard route will always match the optional format segment by default. [Prem Sichanugrist]

  For example if you have this route:

    map '*pages' => 'pages#show'

  by requesting '/foo/bar.json', your `params[:pages]` will be equal to "foo/bar" with the request format of JSON. If you want the old 3.0.x behavior back, you could supply `:format => false` like this:

    map '*pages' => 'pages#show', :format => false

* Added Base.http_basic_authenticate_with to do simple http basic authentication with a single class method call [DHH]

    class PostsController < ApplicationController
      USER_NAME, PASSWORD = "dhh", "secret"

      before_filter :authenticate, :except => [ :index ]

      def index
        render :text => "Everyone can see me!"
      end

      def edit
        render :text => "I'm only accessible if you know the password"
      end

      private
        def authenticate
          authenticate_or_request_with_http_basic do |user_name, password|
            user_name == USER_NAME && password == PASSWORD
          end
        end
    end

  ..can now be written as

    class PostsController < ApplicationController
      http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index

      def index
        render :text => "Everyone can see me!"
      end

      def edit
        render :text => "I'm only accessible if you know the password"
      end
    end

* Allow you to add `force_ssl` into controller to force browser to transfer data via HTTPS protocol on that particular controller. You can also specify `:only` or `:except` to restrict it to particular actions. [DHH and Prem Sichanugrist]

* Allow FormHelper#form_for to specify the :method as a direct option instead of through the :html hash [DHH]

    form_for(@post, remote: true, method: :delete) instead of form_for(@post, remote: true, html: { method: :delete })

* Make JavaScriptHelper#j() an alias for JavaScriptHelper#escape_javascript() -- note this then supersedes the Object#j() method that the JSON gem adds within templates using the JavaScriptHelper [DHH]

* Sensitive query string parameters (specified in config.filter_parameters) will now be filtered out from the request paths in the log file. [Prem Sichanugrist, fxn]

* URL parameters which return false for to_param now appear in the query string (previously they were removed) [Andrew White]

* URL parameters which return nil for to_param are now removed from the query string [Andrew White]

* ActionDispatch::MiddlewareStack now uses composition over inheritance. It is no longer an array which means there may be methods missing that were not tested.

* Add an :authenticity_token option to form_tag for custom handling or to omit the token (pass :authenticity_token => false). [Jakub Kuźma, Igor Wiedler]

* HTML5 button_tag helper. [Rizwan Reza]

* Template lookup now searches further up in the inheritance chain. [Artemave]

* Brought back config.action_view.cache_template_loading, which allows you to decide whether templates should be cached or not.
  [Piotr Sarnacki]

* url_for and named url helpers now accept :subdomain and :domain as options [Josh Kalderimis]

* The redirect route method now also accepts a hash of options which will only change the parts of the url in question, or an object which responds to call, allowing for redirects to be reused (check the documentation for examples). [Josh Kalderimis]

* Added config.action_controller.include_all_helpers. By default 'helper :all' is done in ActionController::Base, which includes all the helpers by default. Setting include_all_helpers to false will result in including only application_helper and the helper corresponding to the controller (like foo_helper for foo_controller). [Piotr Sarnacki]

* Added a convenience idiom to generate HTML5 data-* attributes in tag helpers from a :data hash of options:

    tag("div", :data => {:name => 'Stephen', :city_state => %w(Chicago IL)})
    # =>
  Keys are dasherized. Values are JSON-encoded, except for strings and symbols. [Stephen Celis]

* Deprecate old template handler API. The new API simply requires a template handler to respond to call. [José Valim]

* :rhtml and :rxml were finally removed as template handlers. [José Valim]

* Moved etag responsibility from ActionDispatch::Response to the middleware stack. [José Valim]

* Rely on Rack::Session stores API for more compatibility across the Ruby world. This is backwards incompatible since Rack::Session expects #get_session to accept 4 arguments and requires #destroy_session instead of simply #destroy. [José Valim]

* file_field automatically adds :multipart => true to the enclosing form. [Santiago Pastorino]

* Renames csrf_meta_tag -> csrf_meta_tags, and aliases csrf_meta_tag for backwards compatibility. [fxn]

* Add Rack::Cache to the default stack. Create a Rails store that delegates to the Rails cache, so by default, whatever caching layer you are using will be used for HTTP caching. Note that Rack::Cache will be used if you use #expires_in, #fresh_when or #stale with :public => true. Otherwise, the caching rules will apply to the browser only. [Yehuda Katz, Carl Lerche]

*Rails 3.0.7 (April 18, 2011)*

* No changes.

*Rails 3.0.6 (April 5, 2011)*

* Fixed XSS vulnerability in `auto_link`. `auto_link` no longer marks input as html safe. Please make sure that calls to auto_link() are wrapped in a sanitize(), or a raw() depending on the type of input passed to auto_link(). For example:

    <%= sanitize(auto_link(some_user_input)) %>

  Thanks to Torben Schulz for reporting this.
  The fix can be found here: 61ee3449674c591747db95f9b3472c5c3bd9e84d

* Fixes the output of `rake routes` to correctly match the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]

* Fixes an issue with number_to_human when converting values which are less than 1 but greater than -1 [Josh Kalderimis]

* Sensitive query string parameters (specified in config.filter_parameters) will now be filtered out from the request paths in the log file. [Prem Sichanugrist, fxn]

* URL parameters which return nil for to_param are now removed from the query string [Andrew White]

* Don't allow i18n to change the minor version, version now set to ~> 0.5.0 [Santiago Pastorino]

* Make TranslationHelper#translate use the :rescue_format option in I18n 0.5.0 [Sven Fuchs]

* Fix regression: javascript_include_tag shouldn't raise if you register an expansion key with nil or [] value [Santiago Pastorino]

* Fix Action caching bug where an action that has a non-cacheable response always renders a nil response body. It now correctly renders the response body. [Cheah Chu Yeow]

*Rails 3.0.5 (February 26, 2011)*

* No changes.

*Rails 3.0.4 (February 8, 2011)*

* No changes.

*Rails 3.0.3 (November 16, 2010)*

* When ActiveRecord::Base objects are sent to predicate methods, the id of the object should be sent to ARel, not the ActiveRecord::Base object.

* :constraints routing should only do sanity checks against regular expressions. String arguments are OK.

*Rails 3.0.2 (November 15, 2010)*

* The helper number_to_currency accepts a new :negative_format option to be able to configure how to render negative amounts. [Don Wilson]

*Rails 3.0.1 (October 15, 2010)*

* No Changes, just a version bump.
*Rails 3.0.0 (August 29, 2010)*

* password_field renders with nil value by default making the use of passwords secure by default, if you want to render you should do for instance f.password_field(:password, :value => @user.password) [Santiago Pastorino]

* Symbols and strings in routes should yield the same behavior. Note this may break existing apps that were using symbols with the new routes API. [José Valim]

* Add clear_helpers as a way to clean up all helpers added to this controller, maintaining just the helper with the same name as the controller. [José Valim]

* Support routing constraints in functional tests. [Andrew White]

* Add a header that tells Internet Explorer (all versions) to use the best available standards support. [Yehuda Katz]

* Allow stylesheet/javascript extensions to be changed through railties. [Josh Kalderimis]

* link_to, button_to, and tag/tag_options now rely on html_escape instead of escape_once. [fxn]

* url_for returns always unescaped strings, and the :escape option is gone. [fxn]

* Added accept-charset parameter and _snowman hidden field to force the contents of Rails POSTed forms to be in UTF-8 [Yehuda Katz]

* Upgrade to Rack 1.2.1 [Jeremy Kemper]

* Allow :path to be given to match/get/post/put/delete instead of :path_names in the new router [Carlos Antônio da Silva]

* Added resources_path_names to the new router DSL [José Valim]

* Allow options to be given to the namespace method in the new router [Carlos Antônio da Silva]

* Deprecate :name_prefix in the new router DSL [José Valim]

* Add shallow routes back to the new router [Diego Carrion, Andrew White]

    resources :posts do
      shallow do
        resources :comments
      end
    end

  You can now use comment_path for /comments/1 instead of post_comment_path for /posts/1/comments/1.

* Add support for multi-subdomain session by setting cookie host in session cookie so you can share session between www.example.com, example.com and user.example.com.
  #4818 [Guillermo Álvarez]

* Removed textilize, textilize_without_paragraph and markdown helpers. [Santiago Pastorino]

* Remove middleware laziness [José Valim]

* Make session stores rely on request.cookie_jar and change set_session semantics to return the cookie value instead of a boolean. [José Valim]

* OAuth 2: HTTP Token Authorization support to complement Basic and Digest Authorization. [Rick Olson]

* Fixed inconsistencies in form builder and view helpers #4432 [Neeraj Singh]

* Both :xml and :json renderers now forward the given options to the model, allowing you to invoke them as render :xml => @projects, :include => :tasks [José Valim, Yehuda Katz]

* Renamed the field error CSS class from fieldWithErrors to field_with_errors for consistency. [Jeremy Kemper]

* Add support for shorthand routes like /projects/status(.:format) #4423 [Diego Carrion]

* Changed translate helper so that it doesn't mark every translation as safe HTML. Only keys with a "_html" suffix and keys named "html" are considered to be safe HTML. All other translations are left untouched. [Craig Davey]

* New option :as added to form_for allows to change the object name. The old <% form_for :client, @post %> becomes <% form_for @post, :as => :client %> [spastorino]

* Removed verify method in controllers. [JV]
  It's now available as a plugin at http://github.com/rails/verification

* Removed input, form, error_messages_for and error_message_on from views. [JV]
  It's now available as a plugin at http://github.com/rails/dynamic_form

* Routes can be scoped by controller module.
  [Jeremy Kemper]

    # /session => Auth::SessionsController
    scope :module => 'auth' do
      resource :session
    end

* Added #favicon_link_tag, it uses #image_path so in particular the favicon gets an asset ID [fxn]

* Fixed that default locale templates should be used if the current locale template is missing [DHH]

* Added all the new HTML5 form types as individual form tag methods (search, url, number, etc) #3646 [Stephen Celis]

* Changed the object used in routing constraints to be an instance of ActionDispatch::Request rather than Rack::Request [YK]

* Changed ActionDispatch::Request#method to return a String, to be compatible with Rack::Request. Added ActionDispatch::Request#method_symbol to return a symbol form of the request method. [YK]

* Changed ActionDispatch::Request#method to return the original method and #request_method to return the overridden method in the case of methodoverride being used (this means that #method returns "HEAD" and #request_method returns "GET" in HEAD requests). This is for compatibility with Rack::Request [YK]

* #concat is now deprecated in favor of using <%= %> helpers [YK]

* Block helpers now return Strings, so you can use <%= form_for @foo do |f| %>. <% form_for do |f| %> still works with deprecation notices [YK]

* Add a new #mount method on the router that does not anchor the PATH_INFO at the end [YK & CL]

* Create a new LookupContext object that is responsible for performantly finding a template for a given pattern [JV]

* Removed relative_url_for in favor of respecting SCRIPT_NAME [YK & CL]

* Changed file streaming to use Rack::Sendfile middleware [YK]

* ActionDispatch::Request#content_type returns a String to be compatible with Rack::Request.
  Use #content_mime_type for the Mime::Type instance [YK]

* Updated Prototype to 1.6.1 and Scriptaculous to 1.8.3 [ML]

* Change the preferred way that URL helpers are included into a class [YK & CL]

    # for all helpers including named routes
    include Rails.application.router.url_helpers

    # for just url_for
    include Rails.application.router.url_for

* Fixed that PrototypeHelper#update_page should return html_safe [DHH]

* Fixed that much of DateHelper wouldn't return html_safe? strings [DHH]

* Fixed that fragment caching should return a cache hit as html_safe (or it would all just get escaped) [DHH]

* Added that ActionController::Base now does helper :all instead of relying on the default ApplicationController in Rails to do it [DHH]

* Added ActionDispatch::Request#authorization to access the http authentication header regardless of its proxy hiding [DHH]

* Added :alert, :notice, and :flash as options to ActionController::Base#redirect_to that'll automatically set the proper flash before the redirection [DHH]. Examples:

    flash[:notice] = 'Post was created'
    redirect_to(@post)

  ...becomes:

    redirect_to(@post, :notice => 'Post was created')

* Added ActionController::Base#notice/= and ActionController::Base#alert/= as convenience accessors in both the controller and the view for flash[:notice]/= and flash[:alert]/= [DHH]

* Introduce grouped_collection_select helper. #1249 [Dan Codeape, Erik Ostrom]

* Make sure javascript_include_tag/stylesheet_link_tag does not append ".js" or ".css" onto external urls. #1664 [Matthew Rudy Jacobs]

* Ruby 1.9: fix Content-Length for multibyte send_data streaming. #2661 [Sava Chankov]

* Ruby 1.9: ERB template encoding using a magic comment at the top of the file.
  [Jeremy Kemper]

    <%# encoding: utf-8 %>

* Change integration test helpers to accept Rack environment instead of just HTTP Headers [Pratik Naik]

    Before : get '/path', {}, 'Accept' => 'text/javascript'
    After  : get '/path', {}, 'HTTP_ACCEPT' => 'text/javascript'

* Instead of checking Rails.env.test? in Failsafe middleware, check env["rails.raise_exceptions"] [Bryan Helmkamp]

* Fixed that TestResponse.cookies was returning cookies unescaped #1867 [Doug McInnes]

*2.3.2 [Final] (March 15, 2009)*

* Fixed that redirection would just log the options, not the final url (which led to "Redirected to #") [DHH]

* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp]

* Added ability to pass in :public => true to fresh_when, stale?, and expires_in to make the request proxy cacheable #2095 [Gregg Pollack]

* Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger]

* Form option helpers now support disabled option tags and the use of lambdas for selecting/disabling option tags from collections #837 [Tekin]

* Added partial scoping to TranslationHelper#translate, so if you call translate(".foo") from the people/index.html.erb template, you'll actually be calling I18n.translate("people.index.foo") [DHH]

* Fix a syntax error in current_page?() that was preventing matches against URLs with multiple query parameters #1385, #1868 [chris finne/Andrew White]

* Added localized rescue template when I18n.locale is set (ex: public/404.da.html) #1835 [José Valim]

* Make the form_for and fields_for helpers support the new Active Record nested update options. #1202 [Eloy Duran]

    <% form_for @person do |person_form| %>
      ...
      <% person_form.fields_for :projects do |project_fields| %>
        <% if project_fields.object.active? %>
          Name: <%= project_fields.text_field :name %>
        <% end %>
      <% end %>
    <% end %>

* Added grouped_options_for_select helper method for wrapping option tags in optgroups.
  #977 [Jon Crawford]

* Implement HTTP Digest authentication. #1230 [Gregg Kellogg, Pratik Naik] Example :

    class DummyDigestController < ActionController::Base
      USERS = { "lifo" => 'world' }

      before_filter :authenticate

      def index
        render :text => "Hello Secret"
      end

      private

      def authenticate
        authenticate_or_request_with_http_digest("Super Secret") do |username|
          # Return the user's password
          USERS[username]
        end
      end
    end

* Improved i18n support for the number_to_human_size helper. Changes the storage_units translation data; update your translations accordingly. #1634 [Yaroslav Markin]

    storage_units:
      # %u is the storage unit, %n is the number (default: 2 MB)
      format: "%n %u"
      units:
        byte:
          one: "Byte"
          other: "Bytes"
        kb: "KB"
        mb: "MB"
        gb: "GB"
        tb: "TB"

* Added :silence option to BenchmarkHelper#benchmark and turned log_level into a hash parameter and deprecated the old use [DHH]

* Fixed the AssetTagHelper cache to use the computed asset host as part of the cache key instead of just assuming that it's a string #1299 [DHH]

* Make ActionController#render(string) work as a shortcut for render :file/:template/:action => string. [#1435] [Pratik Naik] Examples:

    # Instead of render(:action => 'other_action')
    render('other_action') # argument has no '/'
    render(:other_action)

    # Instead of render(:template => 'controller/action')
    render('controller/action') # argument must not begin with a '/', but contain a '/'

    # Instead of render(:file => '/Users/lifo/home.html.erb')
    render('/Users/lifo/home.html.erb') # argument must begin with a '/'

* Add :prompt option to date/time select helpers. #561 [Sam Oliver]

* Fixed that send_file shouldn't set an etag #1578 [Hongli Lai]

* Allow users to opt out of the spoofing checks in Request#remote_ip. Useful for sites whose traffic regularly triggers false positives. [Darren Boyd]

* Deprecated formatted_polymorphic_url.
  [Jeremy Kemper]

* Added the option to declare an asset_host as an object that responds to call (see http://github.com/dhh/asset-hosting-with-minimum-ssl for an example) [David Heinemeier Hansson]

* Added support for multiple routes.rb files (useful for plugin engines). This also means that draw will no longer clear the route set, you have to do that by hand (shouldn't make a difference to you unless you're doing some funky stuff) [David Heinemeier Hansson]

* Dropped formatted_* routes in favor of just passing in :format as an option. This cuts resource routes generation in half #1359 [aaronbatalion]

* Remove support for old double-encoded cookies from the cookie store. These values haven't been generated since before 2.1.0, and any users who have visited the app in the intervening 6 months will have had their cookie upgraded. [Michael Koziarski]

* Allow helpers directory to be overridden via ActionController::Base.helpers_dir #1424 [Sam Pohlenz]

* Remove deprecated ActionController::Base#assign_default_content_type_and_charset

* Changed the default of ActionView#render to assume partials instead of files when not given an options hash [David Heinemeier Hansson]. Examples:

    # Instead of <%= render :partial => "account" %>
    <%= render "account" %>

    # Instead of <%= render :partial => "account", :locals => { :account => @buyer } %>
    <%= render "account", :account => @buyer %>

    # @account is an Account instance, so it uses the RecordIdentifier to replace
    # <%= render :partial => "accounts/account", :locals => { :account => @account } %>
    <%= render(@account) %>

    # @posts is an array of Post instances, so it uses the RecordIdentifier to replace
    # <%= render :partial => "posts/post", :collection => @posts %>
    <%= render(@posts) %>

* Remove deprecated render_component. Please use the plugin from http://github.com/rails/render_component/tree/master [Pratik Naik]

* Fixed RedCloth and BlueCloth shouldn't preload.
  Instead just assume that they're available if you want to use textilize and markdown and let autoload require them [David Heinemeier Hansson]

*2.2.2 (November 21st, 2008)*

* I18n: translate number_to_human_size. Add storage_units: [Bytes, KB, MB, GB, TB] to your translations. #1448 [Yaroslav Markin]

* Restore backwards compatible functionality for setting relative_url_root. Include deprecation

* Switched the CSRF module to use the request content type to decide if the request is forgeable. #1145 [Jeff Cohen]

* Added :only and :except to map.resources to let people cut down on the number of redundant routes in an application. Typically only useful for huge routesets. #1215 [Tom Stuart]

    map.resources :products, :only => :show do |product|
      product.resources :images, :except => :destroy
    end

* Added render :js for people who want to render inline JavaScript replies without using RJS [David Heinemeier Hansson]

* Fixed that polymorphic_url should compact given array #1317 [hiroshi]

* Fixed the sanitize helper to avoid double escaping already properly escaped entities #683 [antonmos/Ryan McGeary]

* Fixed that FormTagHelper generated illegal html if name contained square brackets #1238 [Vladimir Dobriakov]

* Fix regression bug that made date_select and datetime_select raise a Null Pointer Exception when a nil date/datetime was passed and only month and year were displayed #1289 [Bernardo Padua/Tor Erik]

* Simplified the logging format for parameters (don't include controller, action, and format as duplicates) [David Heinemeier Hansson]

* Remove the logging of the Session ID when the session store is CookieStore [David Heinemeier Hansson]

* Fixed regex in redirect_to to fully support URI schemes #1247 [Seth Fitzsimmons]

* Fixed bug with asset timestamping when using relative_url_root #1265 [Joe Goldwasser]

*2.2.0 [RC1] (October 24th, 2008)*

* Fix incorrect closing CDATA delimiter and that HTML::Node.parse would blow up on unclosed CDATA sections [packagethief]

* Added stale?
  and fresh_when methods to provide a layer of abstraction above request.fresh? and friends [David Heinemeier Hansson]. Example:

    class ArticlesController < ApplicationController
      def show_with_respond_to_block
        @article = Article.find(params[:id])

        # If the request sends headers that differ from the options provided to stale?, then
        # the request is indeed stale and the respond_to block is triggered (and the options
        # to the stale? call are set on the response).
        #
        # If the request headers match, then the request is fresh and the respond_to block is
        # not triggered. Instead the default render will occur, which will check the last-modified
        # and etag headers and conclude that it only needs to send a "304 Not Modified" instead
        # of rendering the template.
        if stale?(:last_modified => @article.published_at.utc, :etag => @article)
          respond_to do |wants|
            # normal response processing
          end
        end
      end

      def show_with_implied_render
        @article = Article.find(params[:id])

        # Sets the response headers and checks them against the request, if the request is stale
        # (i.e. no match of either etag or last-modified), then the default render of the template happens.
        # If the request is fresh, then the default render will return a "304 Not Modified"
        # instead of rendering the template.
        fresh_when(:last_modified => @article.published_at.utc, :etag => @article)
      end
    end

* Added inline builder yield to atom_feed_helper tags where appropriate [Sam Ruby]. Example:

    entry.summary :type => 'xhtml' do |xhtml|
      xhtml.p pluralize(order.line_items.count, "line item")
      xhtml.p "Shipped to #{order.address}"
      xhtml.p "Paid by #{order.pay_type}"
    end

* Make PrototypeHelper#submit_to_remote a wrapper around PrototypeHelper#button_to_remote. [Tarmo Tänav]

* Set HttpOnly for the cookie session store's cookie.
  #1046

* Added FormTagHelper#image_submit_tag confirm option #784 [Alastair Brunton]

* Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when it was clicked #633 [Jose Fernandez]

* Stopped logging template compiles as it only clogs up the log [David Heinemeier Hansson]

* Changed the X-Runtime header to report in milliseconds [David Heinemeier Hansson]

* Changed BenchmarkHelper#benchmark to report in milliseconds [David Heinemeier Hansson]

* Changed logging format to be millisecond based and skip misleading stats [David Heinemeier Hansson]. Went from:

    Completed in 0.10000 (4 reqs/sec) | Rendering: 0.04000 (40%) | DB: 0.00400 (4%) | 200 OK [http://example.com]

  ...to:

    Completed in 100ms (View: 40, DB: 4) | 200 OK [http://example.com]

* Add support for shallow nesting of routes. #838 [S. Brent Faulkner]

  Example :

    map.resources :users, :shallow => true do |user|
      user.resources :posts
    end

  - GET /users/1/posts (maps to PostsController#index action as usual)
    named route "user_posts" is added as usual.

  - GET /posts/2 (maps to PostsController#show action as if it were not nested)
    Additionally, named route "post" is added too.

* Added button_to_remote helper. #3641 [Donald Piret, Tarmo Tänav]

* Deprecate render_component. Please use render_component plugin from http://github.com/rails/render_component/tree/master [Pratik Naik]

* Routes may be restricted to lists of HTTP methods instead of a single method or :any. #407 [Brennan Dunn, Gaius Centus Novus]

    map.resource :posts, :collection => { :search => [:get, :post] }
    map.session 'session', :requirements => { :method => [:get, :post, :delete] }

* Deprecated implicit local assignments when rendering partials [Josh Peek]

* Introduce current_cycle helper method to return the current value without bumping the cycle. #417 [Ken Collins]

* Allow polymorphic_url helper to take url options.
  #880 [Tarmo Tänav]

* Switched integration test runner to use Rack processor instead of CGI [Josh Peek]

* Made AbstractRequest.if_modified_sense return nil if the header could not be parsed [Jamis Buck]

* Added back ActionController::Base.allow_concurrency flag [Josh Peek]

* AbstractRequest.relative_url_root is no longer automatically configured by a HTTP header. It can now be set in your configuration environment with config.action_controller.relative_url_root [Josh Peek]

* Update Prototype to 1.6.0.2 #599 [Patrick Joyce]

* Conditional GET utility methods. [Jeremy Kemper]

    response.last_modified = @post.updated_at
    response.etag = [:admin, @post, current_user]

    if request.fresh?(response)
      head :not_modified
    else
      # render ...
    end

* All 2xx requests are considered successful [Josh Peek]

* Fixed that AssetTagHelper#compute_public_path shouldn't cache the asset_host along with the source or per-request procs won't run [David Heinemeier Hansson]

* Removed config.action_view.cache_template_loading, use config.cache_classes instead [Josh Peek]

* Get buffer for fragment cache from template's @output_buffer [Josh Peek]

* Set config.action_view.warn_cache_misses = true to receive a warning if you perform an action that results in an expensive disk operation that could be cached [Josh Peek]

* Refactor template preloading. New abstractions include Renderable mixins and a refactored Template class [Josh Peek]

* Changed ActionView::TemplateHandler#render API method signature to render(template, local_assigns = {}) [Josh Peek]

* Changed PrototypeHelper#submit_to_remote to PrototypeHelper#button_to_remote to stay consistent with link_to_remote (submit_to_remote still works as an alias) #8994 [clemens]

* Add :recursive option to javascript_include_tag and stylesheet_link_tag to be used along with :all.
  #480 [Damian Janowski]

* Allow users to disable the use of the Accept header [Michael Koziarski]

  The accept header is poorly implemented by browsers and causes strange errors when used on public sites where crawlers make requests too. You can use formatted urls (e.g. /people/1.xml) to support API clients in a much simpler way.

  To disable the header you need to set:

    config.action_controller.use_accept_header = false

* Do not stat template files in production mode before rendering. You will no longer be able to modify templates in production mode without restarting the server [Josh Peek]

* Deprecated TemplateHandler line offset [Josh Peek]

* Allow caches_action to accept cache store options. #416. [José Valim]. Example:

    caches_action :index, :redirected, :if => Proc.new { |c| !c.request.format.json? }, :expires_in => 1.hour

* Remove define_javascript_functions, javascript_include_tag and friends are far superior. [Michael Koziarski]

* Deprecate :use_full_path render option. Supplying the option no longer has an effect [Josh Peek]

* Add :as option to render a collection of partials with a custom local variable name. #509 [Simon Jefford, Pratik Naik]

    render :partial => 'other_people', :collection => @people, :as => :person

  This will let you access objects of @people as 'person' local variable inside 'other_people' partial template.

* time_zone_select: support for regexp matching of priority zones. Resolves #195 [Ernie Miller]

* Made ActionView::Base#render_file private [Josh Peek]

* Refactor and simplify the implementation of assert_redirected_to. Arguments are now normalised relative to the controller being tested, not the root of the application. [Michael Koziarski]

  This could cause some erroneous test failures if you were redirecting between controllers in different namespaces and wrote your assertions relative to the root of the application.

* Remove follow_redirect from controller functional tests. If you want to follow redirects you can use integration tests.
The functional test version was only useful if you were using redirect_to :id=>...

* Fix polymorphic_url with singleton resources. #461 [Tammer Saleh]

* Replaced TemplateFinder abstraction with ViewLoadPaths [Josh Peek]

* Added block-call style to link_to [Sam Stephenson/David Heinemeier Hansson]. Example:

      <% link_to(@profile) do %>
        <%= @profile.name %> -- Check it out!!
      <% end %>

* Performance: integration test benchmarking and profiling. [Jeremy Kemper]

* Make caching more aware of mime types. Ensure request format is not considered while expiring cache. [Jonathan del Strother]

* Drop ActionController::Base.allow_concurrency flag [Josh Peek]

* More efficient concat and capture helpers. Remove ActionView::Base.erb_variable. [Jeremy Kemper]

* Added page.reload functionality. Resolves #277. [Sean Huber]

* Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR don't match (not just if they're both present) [Mark Imbriaco, Bradford Folkens]

* Allow caches_action to accept a layout option [José Valim]

* Added Rack processor [Ezra Zygmuntowicz, Josh Peek]

*2.1.0 (May 31st, 2008)*

* InstanceTag#default_time_from_options overflows to DateTime [Geoff Buesing]

* Fixed that forgery protection can be used without session tracking (Peter Jones) [#139]

* Added session(:on) to turn session management back on in a controller subclass if the superclass turned it off (Peter Jones) [#136]

* Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [Rick Olson]

* InstanceTag#default_time_from_options with hash args uses Time.current as default; respects hash settings when time falls in system local spring DST gap [Geoff Buesing]

* select_date defaults to Time.zone.today when config.time_zone is set [Geoff Buesing]

* Fixed that TextHelper#text_field would corrupt when raw HTML was used as the value (mchenryc, Kevin Glowacz) [#80]

* Added
ActionController::TestCase#rescue_action_in_public! to control whether the action under test should use the regular rescue_action path instead of simply raising the exception inline (great for error testing) [David Heinemeier Hansson]

* Reduce number of instance variables being copied from controller to view. [Pratik Naik]

* select_datetime and select_time default to Time.zone.now when config.time_zone is set [Geoff Buesing]

* datetime_select defaults to Time.zone.now when config.time_zone is set [Geoff Buesing]

* Remove ActionController::Base#view_controller_internals flag. [Pratik Naik]

* Add conditional options to caches_page method. [Paul Horsfall]

* Move missing template logic to ActionView. [Pratik Naik]

* Introduce ActionView::InlineTemplate class. [Pratik Naik]

* Automatically parse posted JSON content for Mime::JSON requests. [Rick Olson]

      POST /posts
      {"post": {"title": "Breaking News"}}

      def create
        @post = Post.create params[:post]
        # ...
      end

* Add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [Rick Olson]

* Provide a helper proxy to access helper methods from outside views. Closes #10839 [Josh Peek]

  e.g. ApplicationController.helpers.simple_format(text)

* Improve documentation. [Xavier Noria, leethal, jerome]

* Ensure RJS redirect_to doesn't html-escape string argument. Closes #8546 [Josh Peek, eventualbuddha, Pratik Naik]

* Support render :partial => collection of heterogeneous elements. #11491 [Zach Dennis]

* Avoid remote_ip spoofing. [Brian Candler]

* Added support for regexp flags like ignoring case in the :requirements part of routes declarations #11421 [NeilW]

* Fixed that ActionController::Base#read_multipart would fail if boundary was exactly 10240 bytes #10886 [ariejan]

* Fixed HTML::Tokenizer (used in sanitize helper) didn't handle unclosed CDATA tags #10071 [esad, packagethief]

* Improve documentation.
[Ryan Bigg, Jan De Poorter, Cheah Chu Yeow, Xavier Shay, Jack Danger Canty, Emilio Tagua, Xavier Noria, Sunny Ripert]

* Fixed that FormHelper#radio_button would produce invalid ids #11298 [harlancrystal]

* Added :confirm option to submit_tag #11415 [Emilio Tagua]

* Fixed NumberHelper#number_with_precision to properly round in a way that works equally on Mac, Windows, Linux (closes #11409, #8275, #10090, #8027) [zhangyuanyi]

* Allow the #simple_format text_helper to take an html_options hash for each paragraph. #2448 [François Beausoleil, Chris O'Sullivan]

* Fix regression from filter refactoring where re-adding a skipped filter resulted in it being called twice. [Rick Olson]

* Refactor filters to use Active Support callbacks. #11235 [Josh Peek]

* Fixed that polymorphic routes would modify the input array #11363 [thomas.lee]

* Added :format option to NumberHelper#number_to_currency to enable better localization support #11149 [lylo]

* Fixed that TextHelper#excerpt would include one character too many #11268 [Irfy]

* Fix more obscure nested parameter hash parsing bug. #10797 [thomas.lee]

* Added ActionView::Helpers::register_javascript/stylesheet_expansion to make it easier for plugin developers to inject multiple assets. #10350 [lotswholetime]

* Fix nested parameter hash parsing bug. #10797 [thomas.lee]

* Allow using named routes in ActionController::TestCase before any request has been made. Closes #11273 [Eloy Duran]

* Fixed that sweepers defined by cache_sweeper will be added regardless of the perform_caching setting. Instead, control whether the sweeper should be run with the perform_caching setting. This makes testing easier when you want to turn perform_caching on/off [David Heinemeier Hansson]

* Make MimeResponds::Responder#any work without explicit types. Closes #11140 [jaw6]

* Better error message for type conflicts when parsing params. Closes #7962 [spicycode, matt]

* Remove unused ActionController::Base.template_class.
Closes #10787 [Pratik Naik]

* Moved template handlers related code from ActionView::Base to ActionView::Template. [Pratik Naik]

* Tests for div_for and content_tag_for helpers. Closes #11223 [Chris O'Sullivan]

* Allow file uploads in Integration Tests. Closes #11091 [RubyRedRick]

* Refactor partial rendering into a PartialTemplate class. [Pratik Naik]

* Added that requests with JavaScript as the priority mime type in the accept header and no format extension in the parameters will be treated as though their format was :js when it comes to determining which template to render. This makes it possible for JS requests to automatically render action.js.rjs files without an explicit respond_to block [David Heinemeier Hansson]

* Tests for distance_of_time_in_words with TimeWithZone instances. Closes #10914 [Ernesto Jimenez]

* Remove support for multivalued (e.g., '&'-delimited) cookies. [Jamis Buck]

* Fix problem with render :partial collections, records, and locals. #11057 [lotswholetime]

* Added support for naming concrete classes in sweeper declarations [David Heinemeier Hansson]

* Remove ERB trim variables from trace template in case ActionView::Base.erb_trim_mode is changed in the application. #10098 [Tim Pope, Chris Kampmeier]

* Fix typo in form_helper documentation. #10650 [Xavier Shay, Chris Kampmeier]

* Fix bug with setting Request#format= after the getter has cached the value. #10889 [cch1]

* Correct inconsistencies in RequestForgeryProtection docs. #11032 [Mislav Marohnić]

* Introduce a Template class to ActionView. #11024 [Pratik Naik]

* Introduce the :index option for form_for and fields_for to simplify multi-model forms (see http://railscasts.com/episodes/75). #9883 [rmm5t]

* Introduce map.resources :cards, :as => 'tarjetas' to use a custom resource name in the URL: cards_path == '/tarjetas'. #10578 [blj]

* TestSession supports indifferent access. #7372 [tamc, Arsen7, mhackett, julik, jean.helou]

* Make assert_routing aware of the HTTP method used.
#8039 [mpalmer]

  e.g. assert_routing({ :method => 'put', :path => '/product/321' }, { :controller => "product", :action => "update", :id => "321" })

* Make map.root accept a single symbol as an argument to declare an alias. #10818 [bscofield]

  e.g.

      map.dashboard '/dashboard', :controller=>'dashboard'
      map.root :dashboard

* Handle corner case with image_tag when passed 'messed up' image names. #9018 [Duncan Beevers, mpalmer]

* Add label_tag helper for generating elements. #10802 [DefV]

* Introduce TemplateFinder to handle view paths and lookups. #10800 [Pratik Naik]

* Performance: optimize route recognition. Large speedup for apps with many resource routes. #10835 [oleganza]

* Make render :partial recognise form builders and use the _form partial. #10814 [Damian Janowski]

* Allow users to declare other namespaces when using the atom feed helpers. #10304 [david.calavera]

* Introduce send_file :x_sendfile => true to send an X-Sendfile response header. [Jeremy Kemper]

* Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used #10739 [Jeremy Evans]

* Provide nicer access to HTTP Headers. Instead of request.env["HTTP_REFERRER"] you can now use request.headers["Referrer"]. [Michael Koziarski]

* UrlWriter respects relative_url_root. #10748 [Cheah Chu Yeow]

* The asset_host block takes the controller request as an optional second argument. Example: use a single asset host for SSL requests. #10549 [Cheah Chu Yeow, Peter B, Tom Taylor]

* Support render :text => nil. #6684 [tjennings, PotatoSalad, Cheah Chu Yeow]

* assert_response failures include the exception message. #10688 [Seth Rasmussen]

* All fragment cache keys are now by default prefixed with the "views/" namespace [David Heinemeier Hansson]

* Moved the caching stores from ActionController::Caching::Fragments::* to ActiveSupport::Cache::*.
If you're explicitly referring to a store, like ActionController::Caching::Fragments::MemoryStore, you need to update that reference with ActiveSupport::Cache::MemoryStore [David Heinemeier Hansson]

* Deprecated ActionController::Base.fragment_cache_store for ActionController::Base.cache_store [David Heinemeier Hansson]

* Made fragment caching in views work for rjs and builder as well #6642 [Dee Zsombor]

* Fixed rendering of partials with layout when done from site layout #9209 [antramm]

* Fix atom_feed_helper to comply with the atom spec. Closes #10672 [Xavier Shay]

    * The tags created do not contain a date (http://feedvalidator.org/docs/error/InvalidTAG.html)
    * IDs are not guaranteed unique
    * A default self link was not provided, contrary to the documentation
    * NOTE: This changes tags for existing atom entries, but at least they validate now.

* Correct indentation in tests. Closes #10671 [Luca Guidi]

* Fix that auto_link looks for ='s in url paths (Amazon urls have them). Closes #10640 [Brad Greenlee]

* Ensure that test case setup is run even if overridden. #10382 [Josh Peek]

* Fix HTML Sanitizer to allow trailing spaces in CSS style attributes. Closes #10566 [wesley.moxam]

* Add :default option to time_zone_select. #10590 [Matt Aimonetti]

*2.0.2* (December 16th, 2007)

* Added delete_via_redirect and put_via_redirect to integration testing #10497 [philodespotos]

* Allow headers['Accept'] to be set by hand when calling xml_http_request #10461 [BMorearty]

* Added OPTIONS to list of default accepted HTTP methods #10449 [holoway]

* Added option to pass proc to ActionController::Base.asset_host for maximum configurability #10521 [Cheah Chu Yeow]. Example:

      ActionController::Base.asset_host = Proc.new { |source|
        if source.starts_with?('/images')
          "http://images.example.com"
        else
          "http://assets.example.com"
        end
      }

* Fixed that ActionView#file_exists?
would be incorrect if @first_render is set #10569 [dbussink]

* Added that Array#to_param calls to_param on all its elements #10473 [brandon]

* Ensure asset cache directories are automatically created. #10337 [Josh Peek, Cheah Chu Yeow]

* render :xml and :json preserve custom content types. #10388 [jmettraux, Cheah Chu Yeow]

* Refactor Action View template handlers. #10437, #10455 [Josh Peek]

* Fix DoubleRenderError message and leave out mention of returning false from filters. Closes #10380 [Frederick Cheung]

* Clean up some cruft around ActionController::Base#head. Closes #10417 [ssoroka]

*2.0.1* (December 7th, 2007)

* Fixed send_file/binary_content for testing #8044 [tolsen]

* When a NonInferrableControllerError is raised, make the proposed fix clearer in the error message. Closes #10199 [Jack Danger Canty]

* Update Prototype to 1.6.0.1. [sam]

* Update script.aculo.us to 1.8.0.1. [madrobby]

* Add 'disabled' attribute to