actionpack 6.1.3.2 → 7.0.0.alpha2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +103 -387
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -3
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +7 -21
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +9 -8
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +3 -2
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/translation.rb +0 -2
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +3 -1
- data/lib/action_controller/metal/conditional_get.rb +38 -1
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +5 -13
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/http_authentication.rb +15 -15
- data/lib/action_controller/metal/instrumentation.rb +55 -52
- data/lib/action_controller/metal/live.rb +52 -3
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +10 -9
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/query_tags.rb +16 -0
- data/lib/action_controller/metal/redirecting.rb +50 -16
- data/lib/action_controller/metal/rendering.rb +7 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +64 -20
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +1 -3
- data/lib/action_controller/metal/strong_parameters.rb +24 -28
- data/lib/action_controller/metal/testing.rb +0 -2
- data/lib/action_controller/metal.rb +7 -10
- data/lib/action_controller/railtie.rb +42 -5
- data/lib/action_controller/test_case.rb +9 -2
- data/lib/action_controller.rb +2 -5
- data/lib/action_dispatch/http/cache.rb +18 -12
- data/lib/action_dispatch/http/content_security_policy.rb +39 -35
- data/lib/action_dispatch/http/filter_parameters.rb +5 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +13 -3
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +4 -4
- data/lib/action_dispatch/http/permissions_policy.rb +1 -1
- data/lib/action_dispatch/http/request.rb +10 -19
- data/lib/action_dispatch/http/response.rb +3 -3
- data/lib/action_dispatch/http/url.rb +9 -10
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +5 -12
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +7 -3
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/flash.rb +9 -11
- data/lib/action_dispatch/middleware/host_authorization.rb +9 -17
- data/lib/action_dispatch/middleware/remote_ip.rb +16 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +7 -9
- data/lib/action_dispatch/middleware/stack.rb +27 -9
- data/lib/action_dispatch/middleware/static.rb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +5 -14
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/mapper.rb +44 -72
- data/lib/action_dispatch/routing/redirection.rb +0 -2
- data/lib/action_dispatch/routing/route_set.rb +9 -6
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +1 -2
- data/lib/action_dispatch/routing.rb +2 -2
- data/lib/action_dispatch/system_test_case.rb +5 -5
- data/lib/action_dispatch/system_testing/driver.rb +24 -4
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +10 -6
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +12 -9
- data/lib/action_dispatch.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +21 -20
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 54388e4a1ef9b5042049784e3866619467e79e5c3944de4e7f46bc7b4484b9fc
|
4
|
+
data.tar.gz: c09a1504b3deaa3f14b5f169ca2a9df9c8d174ed4ba463e5f275f8ab6e803aa1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1057c5a7b53bd81075c061b0235ba399f04976fd58df7de676539911a258f5ad32ab26c0576a7b33ae34084e80b17a778c349f26b6a3e83797f14d729cba6c89
|
7
|
+
data.tar.gz: 443b33703639b2382762d5752c00d37e29f07ff258a5bd38f325e3d6e7ffe1e4755053695fcdbb56844b36bb3c06ac0bde558a5690b368ffa44efc5bc64ee39e
|
data/CHANGELOG.md
CHANGED
@@ -1,482 +1,198 @@
|
|
1
|
-
## Rails
|
2
|
-
|
3
|
-
* Prevent open redirects by correctly escaping the host allow list
|
4
|
-
CVE-2021-22903
|
5
|
-
|
6
|
-
* Prevent catastrophic backtracking during mime parsing
|
7
|
-
CVE-2021-22902
|
8
|
-
|
9
|
-
* Prevent regex DoS in HTTP token authentication
|
10
|
-
CVE-2021-22904
|
11
|
-
|
12
|
-
* Prevent string polymorphic route arguments.
|
13
|
-
|
14
|
-
`url_for` supports building polymorphic URLs via an array
|
15
|
-
of arguments (usually symbols and records). If a developer passes a
|
16
|
-
user input array, strings can result in unwanted route helper calls.
|
17
|
-
|
18
|
-
CVE-2021-22885
|
19
|
-
|
20
|
-
*Gannon McGibbon*
|
21
|
-
|
22
|
-
## Rails 6.1.3.1 (March 26, 2021) ##
|
1
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
23
2
|
|
24
3
|
* No changes.
|
25
4
|
|
26
5
|
|
27
|
-
## Rails
|
28
|
-
|
29
|
-
* Re-define routes when not set correctly via inheritance.
|
30
|
-
|
31
|
-
*John Hawthorn*
|
32
|
-
|
33
|
-
|
34
|
-
## Rails 6.1.2.1 (February 10, 2021) ##
|
35
|
-
|
36
|
-
* Prevent open redirect when allowed host starts with a dot
|
37
|
-
|
38
|
-
[CVE-2021-22881]
|
39
|
-
|
40
|
-
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
41
|
-
issue and the patch!
|
42
|
-
|
43
|
-
*Aaron Patterson*
|
44
|
-
|
45
|
-
|
46
|
-
## Rails 6.1.2 (February 09, 2021) ##
|
47
|
-
|
48
|
-
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
49
|
-
|
50
|
-
*Janko Marohnić*
|
51
|
-
|
52
|
-
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
53
|
-
|
54
|
-
*Eugene Kenny*
|
55
|
-
|
56
|
-
|
57
|
-
## Rails 6.1.1 (January 07, 2021) ##
|
58
|
-
|
59
|
-
* Fix nil translation key lookup in controllers/
|
60
|
-
|
61
|
-
*Jan Klimo*
|
62
|
-
|
63
|
-
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
64
|
-
|
65
|
-
*Alex Robbin*
|
66
|
-
|
67
|
-
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
68
|
-
|
69
|
-
*Alex Robbin*
|
70
|
-
|
71
|
-
|
72
|
-
## Rails 6.1.0 (December 09, 2020) ##
|
73
|
-
|
74
|
-
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
75
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
76
|
-
|
77
|
-
```ruby
|
78
|
-
Rails.application.config.permissions_policy do |p|
|
79
|
-
p.camera :none
|
80
|
-
p.gyroscope :none
|
81
|
-
p.microphone :none
|
82
|
-
p.usb :none
|
83
|
-
p.fullscreen :self
|
84
|
-
p.payment :self, "https://secure-example.com"
|
85
|
-
end
|
86
|
-
```
|
87
|
-
|
88
|
-
*Julien Grillot*
|
89
|
-
|
90
|
-
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
91
|
-
|
92
|
-
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
93
|
-
|
94
|
-
*Chris Bisnett*
|
95
|
-
|
96
|
-
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
97
|
-
the unique X-Request-Id header
|
98
|
-
|
99
|
-
*Arlston Fernandes*
|
100
|
-
|
101
|
-
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
102
|
-
|
103
|
-
*Rafael Mendonça França*
|
104
|
-
|
105
|
-
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
6
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
106
7
|
|
107
|
-
|
8
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
9
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
10
|
+
malformed JSON.
|
108
11
|
|
109
|
-
|
110
|
-
|
111
|
-
*Rafael Mendonça França*
|
12
|
+
Fixes #41145
|
112
13
|
|
113
|
-
*
|
14
|
+
*Aaron Lahey*
|
114
15
|
|
115
|
-
|
16
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
116
17
|
|
117
|
-
|
18
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
19
|
+
raise an error if the middleware isn't found.
|
118
20
|
|
119
|
-
*
|
21
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
120
22
|
|
121
|
-
|
122
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
23
|
+
* Raise error on unpermitted open redirects.
|
123
24
|
|
124
|
-
|
125
|
-
|
126
|
-
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
25
|
+
Add `allow_other_host` options to `redirect_to`.
|
26
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
127
27
|
|
128
28
|
*Gannon McGibbon*
|
129
29
|
|
130
|
-
*
|
131
|
-
|
132
|
-
*Alan Tan*, *Oz Ben-David*
|
133
|
-
|
134
|
-
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
135
|
-
a 308 redirection.
|
136
|
-
|
137
|
-
*Alan Tan*
|
138
|
-
|
139
|
-
* When multiple domains are specified for a cookie, a domain will now be
|
140
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
141
|
-
|
142
|
-
*Jonathan Hefner*
|
143
|
-
|
144
|
-
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
145
|
-
|
146
|
-
Adds to existing support for precompiled gzip (.gz) files.
|
147
|
-
Brotli files are preferred due to much better compression.
|
148
|
-
|
149
|
-
When the browser requests /some.js with `Accept-Encoding: br`,
|
150
|
-
we check for public/some.js.br and serve that file, if present, with
|
151
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
152
|
-
|
153
|
-
*Ryan Edward Hall*, *Jeremy Daer*
|
154
|
-
|
155
|
-
* Add raise_on_missing_translations support for controllers.
|
156
|
-
|
157
|
-
This configuration determines whether an error should be raised for missing translations.
|
158
|
-
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
159
|
-
configuration also affects raising error for missing translations in views.
|
30
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
160
31
|
|
161
|
-
|
32
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
162
33
|
|
163
|
-
|
34
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
164
35
|
|
165
|
-
*
|
36
|
+
*Yusuke Iwaki*
|
166
37
|
|
167
|
-
*
|
168
|
-
without passing a block now returns an enumerator.
|
38
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
169
39
|
|
170
|
-
|
40
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
41
|
+
are not listed as actions on that controller.
|
171
42
|
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
You can change your existing code as follow:
|
176
|
-
|
177
|
-
```ruby
|
178
|
-
# Before
|
179
|
-
fixture_file_upload('files/dog.png')
|
180
|
-
|
181
|
-
# After
|
182
|
-
fixture_file_upload('dog.png')
|
183
|
-
```
|
184
|
-
|
185
|
-
*Edouard Chin*
|
186
|
-
|
187
|
-
* Remove deprecated `force_ssl` at the controller level.
|
188
|
-
|
189
|
-
*Rafael Mendonça França*
|
190
|
-
|
191
|
-
* The +helper+ class method for controllers loads helper modules specified as
|
192
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
43
|
+
class MyController < ApplicationController
|
44
|
+
add_flash_types :hype
|
45
|
+
end
|
193
46
|
|
194
|
-
|
195
|
-
always pass a module object:
|
47
|
+
MyController.action_methods.include?('hype') # => false
|
196
48
|
|
197
|
-
|
198
|
-
helper UtilsHelper
|
199
|
-
```
|
49
|
+
*Gavin Morrice*
|
200
50
|
|
201
|
-
|
202
|
-
is received, `helper` just manipulates and inflects the argument to obtain
|
203
|
-
that same module object.
|
51
|
+
* OpenSSL constants are now used for Digest computations.
|
204
52
|
|
205
|
-
*
|
53
|
+
*Dirkjan Bussink*
|
206
54
|
|
207
|
-
*
|
55
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
208
56
|
|
209
|
-
|
57
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
210
58
|
|
211
|
-
*
|
212
|
-
`Rails.application.config.force_ssl` is set to true.
|
59
|
+
*Tadas Sasnauskas*
|
213
60
|
|
214
|
-
|
61
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
62
|
+
present in `rescued_responses`.
|
215
63
|
|
216
|
-
|
64
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
65
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
66
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
67
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
217
68
|
|
218
|
-
|
219
|
-
them difficult to deal with. For example, the common practice of sending
|
220
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
221
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
69
|
+
*Alexander Azarov*, *Mike Dalessio*
|
222
70
|
|
223
|
-
|
224
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
225
|
-
for backwards compatibility.
|
71
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
226
72
|
|
227
|
-
*
|
73
|
+
*Kevin Sjöberg*
|
228
74
|
|
229
|
-
*
|
75
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
230
76
|
|
231
|
-
|
232
|
-
both old and new instances during deployment. Users may be served by a
|
233
|
-
new instance and then by an old instance.
|
77
|
+
*Dylan Thacker-Smith*
|
234
78
|
|
235
|
-
|
236
|
-
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
237
|
-
from `false` to `true`, users may lose their sessions if they access the
|
238
|
-
server during deployment.
|
79
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
239
80
|
|
240
|
-
|
241
|
-
deployment, ensuring compatibility on both old and new instances.
|
81
|
+
*Tadas Sasnauskas*
|
242
82
|
|
243
|
-
|
83
|
+
* Drop support for the `SERVER_ADDR` header.
|
244
84
|
|
245
|
-
|
85
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
246
86
|
|
247
|
-
|
248
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
87
|
+
*Ricardo Díaz*
|
249
88
|
|
250
|
-
|
89
|
+
* Set session options when initializing a basic session.
|
251
90
|
|
252
|
-
*
|
91
|
+
*Gannon McGibbon*
|
253
92
|
|
254
|
-
|
255
|
-
gem dalli to be updated as well.
|
93
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
256
94
|
|
257
|
-
|
95
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
258
96
|
|
259
|
-
*
|
97
|
+
*Jacopo Beschi*
|
260
98
|
|
261
|
-
|
262
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
263
|
-
from being correctly counted and reported.
|
99
|
+
* Writing into a disabled session will now raise an error.
|
264
100
|
|
265
|
-
|
266
|
-
root session.
|
101
|
+
Previously when no session store was set, writing into the session would silently fail.
|
267
102
|
|
268
|
-
|
103
|
+
*Jean Boussier*
|
269
104
|
|
270
|
-
|
105
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
271
106
|
|
272
|
-
|
107
|
+
Fixes #42034.
|
273
108
|
|
274
|
-
|
275
|
-
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
109
|
+
*lfalcao*
|
276
110
|
|
277
|
-
|
111
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
278
112
|
|
279
|
-
|
113
|
+
*Jacob Herrington*
|
280
114
|
|
281
|
-
|
115
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
282
116
|
|
283
|
-
|
117
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
284
118
|
|
285
|
-
|
119
|
+
*Alex Smith*
|
286
120
|
|
287
|
-
|
121
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
122
|
+
know which controller action received unpermitted parameters.
|
288
123
|
|
289
|
-
*
|
124
|
+
*bbuchalter*
|
290
125
|
|
291
|
-
|
292
|
-
https://github.com/rails/routing_concerns was a better approach. Turned out
|
293
|
-
that this wasn't fully the case and loading external route files from the router
|
294
|
-
can be helpful for applications with a really large set of routes.
|
295
|
-
Without this feature, application needs to implement routes reloading
|
296
|
-
themselves and it's not straightforward.
|
126
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
297
127
|
|
298
128
|
```ruby
|
299
|
-
|
300
|
-
|
301
|
-
Rails.application.routes.draw do
|
302
|
-
draw(:admin)
|
303
|
-
end
|
304
|
-
|
305
|
-
# config/routes/admin.rb
|
129
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
130
|
+
stream.writeln "email_address,updated_at"
|
306
131
|
|
307
|
-
|
308
|
-
|
309
|
-
|
310
|
-
*Yehuda Katz*, *Edouard Chin*
|
311
|
-
|
312
|
-
* Fix system test driver option initialization for non-headless browsers.
|
313
|
-
|
314
|
-
*glaszig*
|
315
|
-
|
316
|
-
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
317
|
-
their payloads as `:request`.
|
318
|
-
|
319
|
-
*Austin Story*
|
320
|
-
|
321
|
-
* `respond_to#any` no longer returns a response's Content-Type based on the
|
322
|
-
request format but based on the block given.
|
323
|
-
|
324
|
-
Example:
|
325
|
-
|
326
|
-
```ruby
|
327
|
-
def my_action
|
328
|
-
respond_to do |format|
|
329
|
-
format.any { render(json: { foo: 'bar' }) }
|
330
|
-
end
|
132
|
+
@subscribers.find_each do |subscriber|
|
133
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
331
134
|
end
|
332
|
-
|
333
|
-
get('my_action.csv')
|
334
|
-
```
|
335
|
-
|
336
|
-
The previous behaviour was to respond with a `text/csv` Content-Type which
|
337
|
-
is inaccurate since a JSON response is being rendered.
|
338
|
-
|
339
|
-
Now it correctly returns a `application/json` Content-Type.
|
340
|
-
|
341
|
-
*Edouard Chin*
|
342
|
-
|
343
|
-
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
344
|
-
|
345
|
-
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
346
|
-
nested directory, causing issues with `tmp:clear`.
|
347
|
-
|
348
|
-
*Damir Zekic*
|
349
|
-
|
350
|
-
* Add `params.member?` to mimic Hash behavior.
|
351
|
-
|
352
|
-
*Younes Serraj*
|
353
|
-
|
354
|
-
* `process_action.action_controller` notifications now include the following in their payloads:
|
355
|
-
|
356
|
-
* `:request` - the `ActionDispatch::Request`
|
357
|
-
* `:response` - the `ActionDispatch::Response`
|
358
|
-
|
359
|
-
*George Claghorn*
|
360
|
-
|
361
|
-
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
362
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
363
|
-
from.
|
364
|
-
|
365
|
-
Fixes #37383.
|
366
|
-
|
367
|
-
*Norm Provost*
|
368
|
-
|
369
|
-
* `ActionController::Base.log_at` allows setting a different log level per request.
|
370
|
-
|
371
|
-
```ruby
|
372
|
-
# Use the debug level if a particular cookie is set.
|
373
|
-
class ApplicationController < ActionController::Base
|
374
|
-
log_at :debug, if: -> { cookies[:debug] }
|
375
135
|
end
|
376
136
|
```
|
377
137
|
|
378
|
-
*
|
379
|
-
|
380
|
-
* Allow system test screen shots to be taken more than once in
|
381
|
-
a test by prefixing the file name with an incrementing counter.
|
382
|
-
|
383
|
-
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
384
|
-
enable saving of HTML during a screenshot in addition to the image.
|
385
|
-
This uses the same image name, with the extension replaced with `.html`
|
386
|
-
|
387
|
-
*Tom Fakes*
|
388
|
-
|
389
|
-
* Add `Vary: Accept` header when using `Accept` header for response.
|
138
|
+
*DHH*
|
390
139
|
|
391
|
-
|
392
|
-
header to determine what to return. And if we don't add `Vary`
|
393
|
-
in the response header, browsers might accidentally cache different
|
394
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
395
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
396
|
-
in these types of requests. For more detailed problem description, please read:
|
140
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
397
141
|
|
398
|
-
|
142
|
+
*DHH*
|
399
143
|
|
400
|
-
|
144
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
401
145
|
|
402
|
-
|
146
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
147
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
403
148
|
|
404
|
-
|
405
|
-
a 307 redirection.
|
149
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
406
150
|
|
407
|
-
|
408
|
-
|
409
|
-
* System tests require Capybara 3.26 or newer.
|
410
|
-
|
411
|
-
*George Claghorn*
|
412
|
-
|
413
|
-
* Reduced log noise handling ActionController::RoutingErrors.
|
414
|
-
|
415
|
-
*Alberto Fernández-Capel*
|
416
|
-
|
417
|
-
* Add DSL for configuring HTTP Feature Policy.
|
418
|
-
|
419
|
-
This new DSL provides a way to configure an HTTP Feature Policy at a
|
420
|
-
global or per-controller level. Full details of HTTP Feature Policy
|
421
|
-
specification and guidelines can be found at MDN:
|
422
|
-
|
423
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
424
|
-
|
425
|
-
Example global policy:
|
151
|
+
Before:
|
426
152
|
|
427
153
|
```ruby
|
428
|
-
|
429
|
-
|
430
|
-
f.gyroscope :none
|
431
|
-
f.microphone :none
|
432
|
-
f.usb :none
|
433
|
-
f.fullscreen :self
|
434
|
-
f.payment :self, "https://secure.example.com"
|
435
|
-
end
|
154
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
155
|
+
request.content_type #=> "text/csv"
|
436
156
|
```
|
437
157
|
|
438
|
-
|
158
|
+
After:
|
439
159
|
|
440
160
|
```ruby
|
441
|
-
|
442
|
-
|
443
|
-
|
444
|
-
end
|
445
|
-
end
|
161
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
162
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
163
|
+
request.media_type #=> "text/csv"
|
446
164
|
```
|
447
165
|
|
448
|
-
*
|
166
|
+
*Rafael Mendonça França*
|
449
167
|
|
450
|
-
*
|
168
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
451
169
|
|
452
|
-
|
170
|
+
*Rafael Mendonça França*
|
453
171
|
|
454
|
-
|
172
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
455
173
|
|
456
|
-
*
|
174
|
+
*Janko Marohnić*
|
457
175
|
|
458
|
-
|
459
|
-
take parameters the scope was lost when using path helpers. This commit
|
460
|
-
ensures scope is kept both when the route takes parameters or when it
|
461
|
-
doesn't.
|
176
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
462
177
|
|
463
|
-
|
178
|
+
*ojab*
|
464
179
|
|
465
|
-
|
180
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
466
181
|
|
467
|
-
*
|
182
|
+
*Alex Robbin*
|
468
183
|
|
469
|
-
|
184
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
185
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
186
|
+
with a single value or an enumerable.
|
470
187
|
|
471
|
-
|
472
|
-
an enumerator for the parameters instead of the underlying hash.
|
188
|
+
Fixes #40772.
|
473
189
|
|
474
|
-
*
|
190
|
+
*Christian Sutter*
|
475
191
|
|
476
|
-
*
|
477
|
-
|
192
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
193
|
+
The old method name is retained without explicit deprecation.
|
478
194
|
|
479
|
-
*
|
195
|
+
*DHH*
|
480
196
|
|
481
197
|
|
482
|
-
Please check [6-
|
198
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|