actionpack 4.2.11.1 → 5.2.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +279 -497
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -7
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +45 -49
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +78 -15
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +47 -31
- data/lib/abstract_controller/collector.rb +8 -11
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +25 -25
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +4 -2
- data/lib/abstract_controller/rendering.rb +42 -41
- data/lib/abstract_controller/translation.rb +10 -7
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +12 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/base.rb +27 -19
- data/lib/action_controller/caching.rb +14 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +10 -15
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +118 -44
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +27 -46
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +20 -13
- data/lib/action_controller/metal/exceptions.rb +8 -14
- data/lib/action_controller/metal/flash.rb +4 -3
- data/lib/action_controller/metal/force_ssl.rb +23 -21
- data/lib/action_controller/metal/head.rb +21 -19
- data/lib/action_controller/metal/helpers.rb +24 -14
- data/lib/action_controller/metal/http_authentication.rb +64 -57
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +19 -21
- data/lib/action_controller/metal/live.rb +90 -106
- data/lib/action_controller/metal/mime_responds.rb +33 -46
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +61 -53
- data/lib/action_controller/metal/redirecting.rb +49 -28
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +72 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +203 -92
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +12 -10
- data/lib/action_controller/metal/strong_parameters.rb +582 -165
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +98 -83
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +280 -411
- data/lib/action_controller.rb +29 -21
- data/lib/action_dispatch/http/cache.rb +93 -47
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +26 -20
- data/lib/action_dispatch/http/filter_redirect.rb +10 -11
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +56 -41
- data/lib/action_dispatch/http/mime_type.rb +134 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameter_filter.rb +25 -11
- data/lib/action_dispatch/http/parameters.rb +98 -39
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +200 -118
- data/lib/action_dispatch/http/response.rb +225 -110
- data/lib/action_dispatch/http/upload.rb +12 -6
- data/lib/action_dispatch/http/url.rb +110 -28
- data/lib/action_dispatch/journey/formatter.rb +55 -32
- data/lib/action_dispatch/journey/gtg/builder.rb +7 -5
- data/lib/action_dispatch/journey/gtg/simulator.rb +3 -9
- data/lib/action_dispatch/journey/gtg/transition_table.rb +17 -16
- data/lib/action_dispatch/journey/nfa/builder.rb +5 -3
- data/lib/action_dispatch/journey/nfa/dot.rb +13 -13
- data/lib/action_dispatch/journey/nfa/simulator.rb +3 -1
- data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -48
- data/lib/action_dispatch/journey/nodes/node.rb +18 -6
- data/lib/action_dispatch/journey/parser.rb +23 -22
- data/lib/action_dispatch/journey/parser.y +3 -2
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +50 -44
- data/lib/action_dispatch/journey/route.rb +106 -28
- data/lib/action_dispatch/journey/router/utils.rb +20 -11
- data/lib/action_dispatch/journey/router.rb +35 -23
- data/lib/action_dispatch/journey/routes.rb +18 -16
- data/lib/action_dispatch/journey/scanner.rb +18 -15
- data/lib/action_dispatch/journey/visitors.rb +99 -52
- data/lib/action_dispatch/journey.rb +7 -5
- data/lib/action_dispatch/middleware/callbacks.rb +1 -2
- data/lib/action_dispatch/middleware/cookies.rb +304 -193
- data/lib/action_dispatch/middleware/debug_exceptions.rb +152 -57
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +68 -69
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/public_exceptions.rb +27 -25
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +41 -31
- data/lib/action_dispatch/middleware/request_id.rb +17 -9
- data/lib/action_dispatch/middleware/session/abstract_store.rb +28 -26
- data/lib/action_dispatch/middleware/session/cache_store.rb +14 -9
- data/lib/action_dispatch/middleware/session/cookie_store.rb +62 -67
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +26 -22
- data/lib/action_dispatch/middleware/ssl.rb +114 -36
- data/lib/action_dispatch/middleware/stack.rb +31 -44
- data/lib/action_dispatch/middleware/static.rb +57 -50
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +2 -14
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -64
- data/lib/action_dispatch/railtie.rb +19 -11
- data/lib/action_dispatch/request/session.rb +99 -58
- data/lib/action_dispatch/request/utils.rb +67 -24
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +58 -67
- data/lib/action_dispatch/routing/mapper.rb +733 -447
- data/lib/action_dispatch/routing/polymorphic_routes.rb +161 -139
- data/lib/action_dispatch/routing/redirection.rb +36 -26
- data/lib/action_dispatch/routing/route_set.rb +321 -291
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +65 -25
- data/lib/action_dispatch/routing.rb +17 -18
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions/response.rb +45 -20
- data/lib/action_dispatch/testing/assertions/routing.rb +30 -26
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +347 -209
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +35 -7
- data/lib/action_dispatch.rb +26 -19
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +50 -38
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,680 +1,462 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
2
2
|
|
3
3
|
* No changes.
|
4
4
|
|
5
5
|
|
6
|
-
## Rails
|
7
|
-
|
8
|
-
* No changes.
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 4.2.10 (September 27, 2017) ##
|
12
|
-
|
13
|
-
* Fix regression in behavior of `normalize_path`.
|
14
|
-
|
15
|
-
In Rails 5 there was a change to ensure the encoding of the original string
|
16
|
-
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
17
|
-
caused a regression.
|
18
|
-
|
19
|
-
*Eileen M. Uchitelle*
|
20
|
-
|
21
|
-
## Rails 4.2.9 (June 26, 2017) ##
|
22
|
-
|
23
|
-
* Use more specific check for :format in route path
|
24
|
-
|
25
|
-
The current check for whether to add an optional format to the path is very lax
|
26
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
27
|
-
|
28
|
-
``` ruby
|
29
|
-
resources :formats do
|
30
|
-
resources :items
|
31
|
-
end
|
32
|
-
```
|
33
|
-
|
34
|
-
Fix this by using a more restrictive regex pattern that looks for the patterns
|
35
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
36
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
37
|
-
|
38
|
-
``` ruby
|
39
|
-
get "/books(/:action(.:format))", controller: "books"
|
40
|
-
```
|
41
|
-
|
42
|
-
This probably isn't what's intended since it means that the default index action
|
43
|
-
route doesn't support a format but we have a test for it so we need to allow it.
|
44
|
-
|
45
|
-
Fixes #28517.
|
46
|
-
|
47
|
-
*Andrew White*
|
48
|
-
|
49
|
-
|
50
|
-
## Rails 4.2.8 (February 21, 2017) ##
|
51
|
-
|
52
|
-
* No changes.
|
53
|
-
|
54
|
-
|
55
|
-
## Rails 4.2.7 (July 12, 2016) ##
|
56
|
-
|
57
|
-
* No changes.
|
6
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
58
7
|
|
8
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
59
9
|
|
60
|
-
|
61
|
-
|
62
|
-
|
10
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
11
|
+
it was excluded when `no-cache` was included. This change preserves the
|
12
|
+
`public` value as is.
|
63
13
|
|
14
|
+
Fixes #34780.
|
64
15
|
|
65
|
-
|
16
|
+
*Yuji Yaginuma*
|
66
17
|
|
67
|
-
*
|
18
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
68
19
|
|
69
|
-
|
20
|
+
*Ryo Nakamura*
|
70
21
|
|
71
|
-
*Arthur Neves*
|
72
22
|
|
73
|
-
|
74
|
-
## Rails 4.2.5.1 (January 25, 2015) ##
|
23
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
75
24
|
|
76
25
|
* No changes.
|
77
26
|
|
78
27
|
|
79
|
-
## Rails
|
80
|
-
|
81
|
-
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
82
|
-
early in the `setup` chain.
|
83
|
-
|
84
|
-
*Yves Senn*
|
85
|
-
|
86
|
-
* Parse RSS/ATOM responses as XML, not HTML.
|
87
|
-
|
88
|
-
*Alexander Kaupanin*
|
89
|
-
|
90
|
-
* Fix regression in mounted engine named routes generation for app deployed to
|
91
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
92
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
93
|
-
|
94
|
-
Fixes #20920. Fixes #21459.
|
95
|
-
|
96
|
-
*Matthew Erhard*
|
97
|
-
|
98
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
99
|
-
|
100
|
-
*Bernerd Schaefer*
|
101
|
-
|
102
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
103
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
104
|
-
|
105
|
-
*Jeremy Friesen*
|
28
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
106
29
|
|
30
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
107
31
|
|
108
|
-
|
32
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
33
|
+
in system test `after_teardown`.
|
109
34
|
|
110
|
-
*
|
111
|
-
a block for generating a default value based off the key provided.
|
35
|
+
*Maxim Perepelitsa*
|
112
36
|
|
113
|
-
|
114
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
115
|
-
number of arguments (2 for 1)` when performing controller tests.
|
37
|
+
* Use request object for context if there's no controller
|
116
38
|
|
117
|
-
|
39
|
+
There is no controller instance when using a redirect route or a
|
40
|
+
mounted rack application so pass the request object as the context
|
41
|
+
when resolving dynamic CSP sources in this scenario.
|
118
42
|
|
119
|
-
|
43
|
+
Fixes #34200.
|
120
44
|
|
121
|
-
|
122
|
-
So some headers will be broken if there are some middlewares
|
123
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
124
|
-
|
125
|
-
*Fumiaki Matsushima*
|
126
|
-
|
127
|
-
|
128
|
-
## Rails 4.2.3 (June 25, 2015) ##
|
45
|
+
*Andrew White*
|
129
46
|
|
130
|
-
*
|
131
|
-
nesting multiple routes.
|
47
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
132
48
|
|
133
|
-
|
49
|
+
Previously if a dynamic source returned a symbol such as :self it
|
50
|
+
would be converted to a string implicity, e.g:
|
134
51
|
|
135
|
-
|
52
|
+
policy.default_src -> { :self }
|
136
53
|
|
137
|
-
|
138
|
-
even when it was a 304 status code.
|
54
|
+
would generate the header:
|
139
55
|
|
140
|
-
|
56
|
+
Content-Security-Policy: default-src self
|
141
57
|
|
142
|
-
|
58
|
+
and now it generates:
|
143
59
|
|
144
|
-
|
60
|
+
Content-Security-Policy: default-src 'self'
|
145
61
|
|
146
|
-
|
147
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
148
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
62
|
+
*Andrew White*
|
149
63
|
|
150
|
-
|
64
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
151
65
|
|
152
|
-
*
|
66
|
+
*Yoshiyuki Kinjo*
|
153
67
|
|
154
|
-
|
155
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
156
|
-
is set, it takes precedence.
|
68
|
+
* Call the `#redirect_to` block in controller context.
|
157
69
|
|
158
|
-
|
70
|
+
*Steven Peckins*
|
159
71
|
|
160
|
-
*Yasyf Mohamedali*
|
161
72
|
|
162
|
-
|
163
|
-
assigned.
|
73
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
164
74
|
|
165
|
-
|
75
|
+
* No changes.
|
166
76
|
|
167
|
-
*Jeremy Kemper*, *Yves Senn*
|
168
77
|
|
78
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
169
79
|
|
170
|
-
|
80
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
171
81
|
|
172
|
-
|
82
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
83
|
+
there are none.
|
173
84
|
|
85
|
+
So call like this will no longer append a `?null=` query param.
|
174
86
|
|
175
|
-
|
87
|
+
get foos_url, as: :json
|
176
88
|
|
177
|
-
*
|
178
|
-
the masked token.
|
89
|
+
*Alireza Bashiri*
|
179
90
|
|
180
|
-
|
91
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
92
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
93
|
+
parameters.
|
181
94
|
|
182
|
-
*
|
95
|
+
*Kevin Sjöberg*
|
183
96
|
|
184
|
-
|
185
|
-
request causing an incorrect behavior during the fall back to GET requests.
|
97
|
+
* Fix strong parameters `permit!` with nested arrays.
|
186
98
|
|
187
|
-
|
188
|
-
```
|
189
|
-
|
190
|
-
|
191
|
-
mount rack_app, at: '/'
|
192
|
-
end
|
193
|
-
head '/home'
|
194
|
-
assert_response :success
|
99
|
+
Given:
|
100
|
+
```
|
101
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
102
|
+
params.permit!
|
195
103
|
```
|
196
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
197
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
198
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
199
|
-
|
200
|
-
*Terence Sun*
|
201
|
-
|
202
|
-
* Preserve default format when generating URLs
|
203
|
-
|
204
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
205
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
206
|
-
the route definition.
|
207
|
-
|
208
|
-
Backport of #18627
|
209
|
-
|
210
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
211
|
-
|
212
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
213
|
-
the test response.
|
214
|
-
|
215
|
-
*Jonas Baumann*
|
216
|
-
|
217
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
218
|
-
|
219
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
220
|
-
payload data is not available.
|
221
|
-
|
222
|
-
See:
|
223
|
-
* #14903
|
224
|
-
* https://github.com/roidrage/lograge/issues/37
|
225
|
-
|
226
|
-
*Dieter Komendera*, *Margus Pärt*
|
227
|
-
|
228
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
229
|
-
|
230
|
-
*Robin Dupret*
|
231
|
-
|
232
|
-
* Using `head` method returns empty response_body instead
|
233
|
-
of returning a single space " ".
|
234
|
-
|
235
|
-
The old behavior was added as a workaround for a bug in an early
|
236
|
-
version of Safari, where the HTTP headers are not returned correctly
|
237
|
-
if the response body has a 0-length. This is been fixed since and
|
238
|
-
the workaround is no longer necessary.
|
239
|
-
|
240
|
-
Fixes #18253.
|
241
|
-
|
242
|
-
*Prathamesh Sonpatki*
|
243
|
-
|
244
|
-
* Fix how polymorphic routes works with objects that implement `to_model`.
|
245
|
-
|
246
|
-
*Travis Grathwell*
|
247
|
-
|
248
|
-
* Fixed handling of positional url helper arguments when `format: false`.
|
249
|
-
|
250
|
-
Fixes #17819.
|
251
|
-
|
252
|
-
*Andrew White*, *Tatiana Soukiassian*
|
253
|
-
|
254
|
-
* Fixed usage of optional scopes in URL helpers.
|
255
|
-
|
256
|
-
*Alex Robbin*
|
257
|
-
|
258
|
-
|
259
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
260
|
-
|
261
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
262
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
263
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
264
|
-
object in Rails 5.0.
|
265
|
-
|
266
|
-
*Prem Sichanugrist*
|
267
|
-
|
268
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
269
|
-
prefix.
|
270
|
-
|
271
|
-
Fixes #17108.
|
272
|
-
|
273
|
-
*Guo Xiang Tan*
|
274
|
-
|
275
|
-
* Deprecate use of string keys in URL helpers.
|
276
|
-
|
277
|
-
Use symbols instead.
|
278
|
-
Fixes #16958.
|
279
|
-
|
280
|
-
*Byron Bischoff*, *Melanie Gilman*
|
281
|
-
|
282
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
283
|
-
|
284
|
-
In cases where this option is set to `true`, the option is redundant and can
|
285
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
286
|
-
used instead.
|
287
|
-
|
288
|
-
Fixes #17294.
|
289
|
-
|
290
|
-
*Dan Olson*, *Godfrey Chan*
|
291
|
-
|
292
|
-
* Improve Journey compliance to RFC 3986.
|
293
|
-
|
294
|
-
The scanner in Journey failed to recognize routes that use literals
|
295
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
296
|
-
authorized delimiters and route as expected.
|
297
|
-
|
298
|
-
Fixes #17212.
|
299
|
-
|
300
|
-
*Nicolas Cavigneaux*
|
301
|
-
|
302
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
303
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
304
|
-
|
305
|
-
status, headers, body = response
|
306
|
-
|
307
|
-
But it also means `response + response` works and `[response].flatten`
|
308
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
309
|
-
explicit conversion and splatting with `#to_a`:
|
310
|
-
|
311
|
-
status, header, body = *response
|
312
|
-
|
313
|
-
*Jeremy Kemper*
|
314
|
-
|
315
|
-
* Don't rescue `IPAddr::InvalidAddressError`.
|
316
|
-
|
317
|
-
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
318
|
-
and fails for JRuby in 1.9 mode.
|
319
|
-
|
320
|
-
*Peter Suschlik*
|
321
|
-
|
322
|
-
* Fix bug where the router would ignore any constraints added to redirect
|
323
|
-
routes.
|
324
|
-
|
325
|
-
Fixes #16605.
|
326
|
-
|
327
|
-
*Agis Anastasopoulos*
|
328
104
|
|
329
|
-
|
105
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
330
106
|
|
331
|
-
|
107
|
+
*Steve Hull*
|
332
108
|
|
333
|
-
|
334
|
-
|
109
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
110
|
+
`ActionController::TestCase` subclasses.
|
335
111
|
|
336
|
-
*
|
112
|
+
*Eugene Kenny*
|
337
113
|
|
338
|
-
*
|
114
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
339
115
|
|
340
|
-
|
341
|
-
HEAD routes. If no match is found, we will then map the HEAD request to
|
342
|
-
GET routes.
|
116
|
+
Fixes #32597.
|
343
117
|
|
344
|
-
*
|
118
|
+
*Andrey Novikov*, *Andrew White*
|
345
119
|
|
346
|
-
*
|
347
|
-
of gzipped assets on disk. By default a gzip asset will be served if
|
348
|
-
the client supports gzip and a compressed file is on disk.
|
120
|
+
* Only disable GPUs for headless Chrome on Windows.
|
349
121
|
|
350
|
-
|
122
|
+
It is not necessary anymore for Linux and macOS machines.
|
351
123
|
|
352
|
-
|
353
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
354
|
-
that is not available on `ActionController::Parameters` you should consider
|
355
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
124
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
356
125
|
|
357
|
-
*
|
126
|
+
*Stefan Wrobel*
|
358
127
|
|
359
|
-
*
|
360
|
-
keys removed. This change is to reflect on a security concern where some
|
361
|
-
method performed on an `ActionController::Parameters` may yield a `Hash`
|
362
|
-
object which does not maintain `permitted?` status. If you would like to
|
363
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
364
|
-
before calling `#to_h`.
|
128
|
+
* Fix system tests transactions not closed between examples.
|
365
129
|
|
366
|
-
|
367
|
-
name: 'Senjougahara Hitagi',
|
368
|
-
oddity: 'Heavy stone crab'
|
369
|
-
})
|
370
|
-
params.to_h
|
371
|
-
# => {}
|
130
|
+
*Sergey Tarasov*
|
372
131
|
|
373
|
-
unsafe_params = params.dup.permit!
|
374
|
-
unsafe_params.to_h
|
375
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
376
132
|
|
377
|
-
|
378
|
-
safe_params.to_h
|
379
|
-
# => {"name"=>"Senjougahara Hitagi"}
|
133
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
380
134
|
|
381
|
-
|
382
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
383
|
-
in the next minor release.
|
135
|
+
* Check exclude before flagging cookies as secure.
|
384
136
|
|
385
|
-
*
|
137
|
+
*Catherine Khuu*
|
386
138
|
|
387
|
-
*
|
139
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
388
140
|
|
389
|
-
|
141
|
+
This allows a controller action to enable the policy individually
|
142
|
+
for a controller and/or specific actions.
|
390
143
|
|
391
|
-
*
|
392
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
393
|
-
cookies by defining the `#as_json` hook on such objects.
|
144
|
+
*Andrew White*
|
394
145
|
|
395
|
-
|
146
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
396
147
|
|
397
|
-
|
148
|
+
class LegacyPagesController < ApplicationController
|
149
|
+
content_security_policy false, only: :index
|
150
|
+
end
|
398
151
|
|
399
|
-
*
|
400
|
-
digest. The default remains the same - 'SHA1'.
|
152
|
+
*Andrew White*
|
401
153
|
|
402
|
-
|
154
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
155
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
403
156
|
|
404
|
-
*
|
405
|
-
the `responders` gem.
|
157
|
+
*Igor Kasyanchuk*
|
406
158
|
|
407
|
-
|
159
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
160
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
408
161
|
|
409
|
-
*
|
162
|
+
*Grant Bourque*
|
410
163
|
|
411
|
-
|
412
|
-
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
413
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
414
|
-
This makes it easy to HTTP-cache many more of your actions.
|
164
|
+
* Add support for automatic nonce generation for Rails UJS.
|
415
165
|
|
416
|
-
|
417
|
-
|
166
|
+
Because the UJS library creates a script tag to process responses it
|
167
|
+
normally requires the script-src attribute of the content security
|
168
|
+
policy to include 'unsafe-inline'.
|
418
169
|
|
419
|
-
|
170
|
+
To work around this we generate a per-request nonce value that is
|
171
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
172
|
+
embeds its token in a meta tag. The UJS library can then read the
|
173
|
+
nonce value and set it on the dynamically generated script tag to
|
174
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
420
175
|
|
421
|
-
|
176
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
177
|
+
user generated content in someway then it may be possible to exploit
|
178
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
179
|
+
however an improvement on a blanket permission for inline scripts.
|
422
180
|
|
423
|
-
|
181
|
+
It is also possible to use the nonce within your own script tags by
|
182
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
424
183
|
|
425
|
-
|
184
|
+
<%= javascript_tag nonce: true do %>
|
185
|
+
alert('Hello, World!');
|
186
|
+
<% end %>
|
426
187
|
|
427
|
-
|
428
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
188
|
+
Fixes #31689.
|
429
189
|
|
430
|
-
*
|
190
|
+
*Andrew White*
|
431
191
|
|
432
|
-
*
|
192
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
433
193
|
|
434
|
-
|
194
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
435
195
|
|
436
|
-
|
437
|
-
|
196
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
197
|
+
def index
|
198
|
+
params.each do |name|
|
199
|
+
puts name
|
200
|
+
end
|
201
|
+
end
|
438
202
|
|
439
|
-
|
203
|
+
# Prints
|
204
|
+
# param
|
205
|
+
# param_two
|
440
206
|
|
441
|
-
|
442
|
-
loopback address.
|
207
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
443
208
|
|
444
|
-
|
209
|
+
To fix the code above simply change as per example below:
|
445
210
|
|
446
|
-
|
447
|
-
|
211
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
212
|
+
def index
|
213
|
+
params.each do |name, value|
|
214
|
+
puts name
|
215
|
+
end
|
216
|
+
end
|
448
217
|
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
available to any custom exceptions_app. The original `PATH_INFO` is now
|
453
|
-
stashed in `env["action_dispatch.original_path"]`.
|
218
|
+
# Prints
|
219
|
+
# param
|
220
|
+
# param_two
|
454
221
|
|
455
|
-
*
|
222
|
+
*Dominic Cleal*
|
456
223
|
|
457
|
-
*
|
458
|
-
overflow.
|
224
|
+
* Add `Referrer-Policy` header to default headers set.
|
459
225
|
|
460
|
-
*
|
226
|
+
*Guillermo Iguaran*
|
461
227
|
|
462
|
-
*
|
463
|
-
|
228
|
+
* Changed the system tests to set Puma as default server only when the
|
229
|
+
user haven't specified manually another server.
|
464
230
|
|
465
|
-
|
466
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
467
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
468
|
-
longer necessary.
|
231
|
+
*Guillermo Iguaran*
|
469
232
|
|
470
|
-
|
233
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
234
|
+
default headers set.
|
471
235
|
|
472
|
-
|
236
|
+
*Guillermo Iguaran*
|
473
237
|
|
474
|
-
|
238
|
+
* Add headless firefox support to System Tests.
|
475
239
|
|
476
|
-
*
|
477
|
-
("Rosetta Flash").
|
240
|
+
*bogdanvlviv*
|
478
241
|
|
479
|
-
|
242
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
480
243
|
|
481
|
-
|
482
|
-
the
|
483
|
-
|
484
|
-
|
244
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
245
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
246
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
247
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
248
|
+
path, it dumps binary into the terminal.
|
485
249
|
|
486
|
-
|
250
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
487
251
|
|
488
|
-
*
|
252
|
+
*Eileen M. Uchitelle*
|
489
253
|
|
490
|
-
*
|
254
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
491
255
|
|
492
|
-
|
256
|
+
*Guillermo Iguaran*
|
493
257
|
|
494
|
-
|
258
|
+
* Fix optimized url helpers when using relative url root.
|
495
259
|
|
496
|
-
|
497
|
-
when rendering through a `respond_to` block.
|
260
|
+
Fixes #31220.
|
498
261
|
|
499
|
-
|
262
|
+
*Andrew White*
|
500
263
|
|
501
|
-
|
264
|
+
* Add DSL for configuring Content-Security-Policy header.
|
502
265
|
|
503
|
-
|
504
|
-
|
505
|
-
|
266
|
+
The DSL allows you to configure a global Content-Security-Policy
|
267
|
+
header and then override within a controller. For more information
|
268
|
+
about the Content-Security-Policy header see MDN:
|
506
269
|
|
507
|
-
|
270
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
508
271
|
|
509
|
-
|
272
|
+
Example global policy:
|
510
273
|
|
511
|
-
|
274
|
+
# config/initializers/content_security_policy.rb
|
275
|
+
Rails.application.config.content_security_policy do |p|
|
276
|
+
p.default_src :self, :https
|
277
|
+
p.font_src :self, :https, :data
|
278
|
+
p.img_src :self, :https, :data
|
279
|
+
p.object_src :none
|
280
|
+
p.script_src :self, :https
|
281
|
+
p.style_src :self, :https, :unsafe_inline
|
282
|
+
end
|
512
283
|
|
513
|
-
|
284
|
+
Example controller overrides:
|
514
285
|
|
515
|
-
|
286
|
+
# Override policy inline
|
287
|
+
class PostsController < ApplicationController
|
288
|
+
content_security_policy do |p|
|
289
|
+
p.upgrade_insecure_requests true
|
290
|
+
end
|
291
|
+
end
|
516
292
|
|
517
|
-
|
293
|
+
# Using literal values
|
294
|
+
class PostsController < ApplicationController
|
295
|
+
content_security_policy do |p|
|
296
|
+
p.base_uri "https://www.example.com"
|
297
|
+
end
|
298
|
+
end
|
518
299
|
|
519
|
-
|
300
|
+
# Using mixed static and dynamic values
|
301
|
+
class PostsController < ApplicationController
|
302
|
+
content_security_policy do |p|
|
303
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
304
|
+
end
|
305
|
+
end
|
520
306
|
|
521
|
-
|
522
|
-
|
307
|
+
Allows you to also only report content violations for migrating
|
308
|
+
legacy content using the `content_security_policy_report_only`
|
309
|
+
configuration attribute, e.g;
|
523
310
|
|
524
|
-
|
311
|
+
# config/initializers/content_security_policy.rb
|
312
|
+
Rails.application.config.content_security_policy_report_only = true
|
525
313
|
|
526
|
-
|
314
|
+
# controller override
|
315
|
+
class PostsController < ApplicationController
|
316
|
+
content_security_policy_report_only only: :index
|
317
|
+
end
|
527
318
|
|
528
|
-
|
529
|
-
|
319
|
+
Note that this feature does not validate the header for performance
|
320
|
+
reasons since the header is calculated at runtime.
|
530
321
|
|
531
|
-
*
|
322
|
+
*Andrew White*
|
532
323
|
|
533
|
-
*
|
534
|
-
application. Use of a symbol should be replaced with `action: symbol`.
|
535
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
324
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
536
325
|
|
537
|
-
*
|
326
|
+
*Yuichiro Kaneko*
|
538
327
|
|
539
|
-
*
|
540
|
-
a trailing slash after `.:format`
|
328
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
541
329
|
|
542
|
-
*
|
330
|
+
*Rafael Mendonça França*
|
543
331
|
|
544
|
-
*
|
545
|
-
performance reasons. One consequence of this is that the leading slash
|
546
|
-
is now required in integration test `process` helpers, whereas previously
|
547
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
548
|
-
of the implementation and was never an intentional feature.
|
332
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
549
333
|
|
550
|
-
|
334
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
335
|
+
different host. `allow_other_host` is `true` by default.
|
551
336
|
|
552
|
-
*
|
553
|
-
called 'status' in a controller.
|
337
|
+
*Tim Masliuchenko*
|
554
338
|
|
555
|
-
|
339
|
+
* Add headless chrome support to System Tests.
|
556
340
|
|
557
|
-
*
|
341
|
+
*Yuji Yaginuma*
|
558
342
|
|
559
|
-
* Add
|
343
|
+
* Add ability to enable Early Hints for HTTP/2
|
560
344
|
|
561
|
-
|
345
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
562
346
|
|
563
|
-
|
347
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
564
348
|
|
565
|
-
|
566
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
567
|
-
e.g. the fragment cache hit rates for each controller action.
|
349
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
568
350
|
|
569
|
-
|
351
|
+
* Simplify cookies middleware with key rotation support
|
570
352
|
|
571
|
-
|
353
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
354
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
355
|
+
signed cookies. This also helps simplify support for legacy cookie
|
356
|
+
security.
|
572
357
|
|
573
|
-
|
358
|
+
*Michael J Coyne*
|
574
359
|
|
575
|
-
|
360
|
+
* Use Capybara registered `:puma` server config.
|
576
361
|
|
577
|
-
|
578
|
-
and
|
362
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
363
|
+
connection sharing and open request detection work correctly by default.
|
579
364
|
|
580
|
-
|
365
|
+
*Thomas Walpole*
|
581
366
|
|
582
|
-
|
367
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
583
368
|
|
584
|
-
|
585
|
-
|
586
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
587
|
-
when setting up the routes.
|
369
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
370
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
588
371
|
|
589
|
-
|
372
|
+
Pull Request: #30121
|
590
373
|
|
591
|
-
*
|
592
|
-
purposes of remote IP detection. Also handle uppercase private IPv6
|
593
|
-
addresses.
|
374
|
+
*Assain Jaleel*
|
594
375
|
|
595
|
-
|
376
|
+
* Enforce signed/encrypted cookie expiry server side.
|
596
377
|
|
597
|
-
|
378
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
598
379
|
|
599
|
-
|
380
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
381
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
382
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
600
383
|
|
601
|
-
|
602
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
603
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
384
|
+
Pull Request: #30121
|
604
385
|
|
605
|
-
|
606
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
386
|
+
*Assain Jaleel*
|
607
387
|
|
608
|
-
|
388
|
+
* Make `take_failed_screenshot` work within engine.
|
609
389
|
|
610
|
-
|
390
|
+
Fixes #30405.
|
611
391
|
|
612
|
-
*
|
392
|
+
*Yuji Yaginuma*
|
613
393
|
|
614
|
-
|
615
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
616
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
617
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
394
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
618
395
|
|
619
|
-
|
620
|
-
|
621
|
-
|
622
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
396
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
397
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
398
|
+
use the response helpers provided by `Rack::Response`.
|
623
399
|
|
624
|
-
|
400
|
+
*Trevor Wistaff*
|
625
401
|
|
626
|
-
|
402
|
+
* Protect from forgery by default
|
627
403
|
|
628
|
-
|
629
|
-
`
|
404
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
405
|
+
add it to `ActionController::Base` depending on
|
406
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
407
|
+
defaults to false to support older versions which have removed it from their
|
408
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
630
409
|
|
631
|
-
*
|
410
|
+
*Lisa Ugray*
|
632
411
|
|
633
|
-
*
|
634
|
-
format block.
|
412
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
635
413
|
|
636
|
-
|
414
|
+
*Kir Shatrov*
|
637
415
|
|
638
|
-
|
416
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
639
417
|
|
640
|
-
|
418
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
419
|
+
`driven_by` will register the driver and set additional options passed via
|
420
|
+
the `:options` parameter.
|
641
421
|
|
642
|
-
|
422
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
643
423
|
|
644
|
-
*
|
424
|
+
*Mario Chavez*
|
645
425
|
|
646
|
-
|
426
|
+
* AEAD encrypted cookies and sessions with GCM.
|
647
427
|
|
648
|
-
|
428
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
429
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
430
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
431
|
+
this new mode is enabled via the
|
432
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
649
433
|
|
650
|
-
*
|
434
|
+
*Michael J Coyne*
|
651
435
|
|
652
|
-
|
436
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
653
437
|
|
654
|
-
|
655
|
-
|
438
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
439
|
+
^template path ^template tree digest ^class ^id
|
656
440
|
|
657
|
-
|
441
|
+
*DHH*
|
658
442
|
|
659
|
-
|
443
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
444
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
445
|
+
to support it.
|
660
446
|
|
661
|
-
*
|
662
|
-
we need to check if we're not inside a nested scope before copying the :path
|
663
|
-
and :as options to their shallow equivalents.
|
447
|
+
*DHH*
|
664
448
|
|
665
|
-
|
449
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
666
450
|
|
667
|
-
|
451
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
452
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
453
|
+
may not exist in a certain implementation.
|
668
454
|
|
669
|
-
|
670
|
-
`log_warning_on_csrf_failure` configuration setting in
|
671
|
-
`ActionController::RequestForgeryProtection`.
|
455
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
672
456
|
|
673
|
-
|
457
|
+
Fixes #27013.
|
674
458
|
|
675
|
-
*
|
676
|
-
`default_url_options` methods.
|
459
|
+
*Julian Nadeau*
|
677
460
|
|
678
|
-
*Tony Wooster*
|
679
461
|
|
680
|
-
Please check [
|
462
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|