actionpack 7.0.8 → 7.1.0.beta1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +320 -387
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -2
- data/lib/abstract_controller/base.rb +19 -10
- data/lib/abstract_controller/caching/fragments.rb +2 -0
- data/lib/abstract_controller/callbacks.rb +31 -6
- data/lib/abstract_controller/deprecator.rb +7 -0
- data/lib/abstract_controller/helpers.rb +61 -18
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -16
- data/lib/abstract_controller/rendering.rb +3 -3
- data/lib/abstract_controller/translation.rb +1 -5
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +6 -0
- data/lib/action_controller/api.rb +5 -3
- data/lib/action_controller/base.rb +3 -17
- data/lib/action_controller/caching.rb +2 -0
- data/lib/action_controller/deprecator.rb +7 -0
- data/lib/action_controller/form_builder.rb +2 -0
- data/lib/action_controller/log_subscriber.rb +16 -4
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +2 -0
- data/lib/action_controller/metal/default_headers.rb +2 -0
- data/lib/action_controller/metal/etag_with_flash.rb +2 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
- data/lib/action_controller/metal/exceptions.rb +8 -0
- data/lib/action_controller/metal/head.rb +8 -6
- data/lib/action_controller/metal/helpers.rb +3 -14
- data/lib/action_controller/metal/http_authentication.rb +11 -4
- data/lib/action_controller/metal/implicit_render.rb +5 -3
- data/lib/action_controller/metal/instrumentation.rb +8 -1
- data/lib/action_controller/metal/live.rb +24 -0
- data/lib/action_controller/metal/mime_responds.rb +2 -2
- data/lib/action_controller/metal/params_wrapper.rb +3 -1
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +2 -2
- data/lib/action_controller/metal/rendering.rb +0 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +138 -50
- data/lib/action_controller/metal/rescue.rb +2 -0
- data/lib/action_controller/metal/streaming.rb +70 -30
- data/lib/action_controller/metal/strong_parameters.rb +89 -50
- data/lib/action_controller/metal/url_for.rb +7 -0
- data/lib/action_controller/metal.rb +79 -21
- data/lib/action_controller/railtie.rb +22 -9
- data/lib/action_controller/renderer.rb +98 -65
- data/lib/action_controller/test_case.rb +15 -5
- data/lib/action_controller.rb +8 -1
- data/lib/action_dispatch/constants.rb +32 -0
- data/lib/action_dispatch/deprecator.rb +7 -0
- data/lib/action_dispatch/http/cache.rb +1 -3
- data/lib/action_dispatch/http/content_security_policy.rb +9 -8
- data/lib/action_dispatch/http/filter_parameters.rb +11 -5
- data/lib/action_dispatch/http/headers.rb +2 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +21 -21
- data/lib/action_dispatch/http/mime_type.rb +35 -12
- data/lib/action_dispatch/http/mime_types.rb +3 -1
- data/lib/action_dispatch/http/parameters.rb +1 -1
- data/lib/action_dispatch/http/permissions_policy.rb +39 -17
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +48 -14
- data/lib/action_dispatch/http/response.rb +78 -59
- data/lib/action_dispatch/http/upload.rb +2 -0
- data/lib/action_dispatch/journey/formatter.rb +8 -2
- data/lib/action_dispatch/journey/path/pattern.rb +14 -14
- data/lib/action_dispatch/journey/route.rb +3 -2
- data/lib/action_dispatch/journey/router.rb +5 -4
- data/lib/action_dispatch/journey/routes.rb +2 -2
- data/lib/action_dispatch/log_subscriber.rb +23 -0
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -6
- data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -0
- data/lib/action_dispatch/middleware/cookies.rb +81 -98
- data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -25
- data/lib/action_dispatch/middleware/debug_locks.rb +4 -1
- data/lib/action_dispatch/middleware/debug_view.rb +7 -2
- data/lib/action_dispatch/middleware/exception_wrapper.rb +181 -27
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +7 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +6 -3
- data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
- data/lib/action_dispatch/middleware/reloader.rb +7 -5
- data/lib/action_dispatch/middleware/remote_ip.rb +17 -16
- data/lib/action_dispatch/middleware/request_id.rb +2 -0
- data/lib/action_dispatch/middleware/server_timing.rb +4 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +5 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
- data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -5
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +19 -15
- data/lib/action_dispatch/middleware/ssl.rb +18 -6
- data/lib/action_dispatch/middleware/stack.rb +7 -2
- data/lib/action_dispatch/middleware/static.rb +12 -8
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +7 -7
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +17 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +16 -12
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +46 -37
- data/lib/action_dispatch/railtie.rb +14 -4
- data/lib/action_dispatch/request/session.rb +16 -6
- data/lib/action_dispatch/request/utils.rb +8 -3
- data/lib/action_dispatch/routing/inspector.rb +54 -6
- data/lib/action_dispatch/routing/mapper.rb +26 -14
- data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
- data/lib/action_dispatch/routing/redirection.rb +15 -6
- data/lib/action_dispatch/routing/route_set.rb +52 -22
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +5 -1
- data/lib/action_dispatch/routing.rb +4 -4
- data/lib/action_dispatch/system_test_case.rb +3 -3
- data/lib/action_dispatch/system_testing/browser.rb +5 -6
- data/lib/action_dispatch/system_testing/driver.rb +13 -21
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +27 -16
- data/lib/action_dispatch/testing/assertions/response.rb +13 -6
- data/lib/action_dispatch/testing/assertions/routing.rb +67 -28
- data/lib/action_dispatch/testing/assertions.rb +3 -1
- data/lib/action_dispatch/testing/integration.rb +27 -17
- data/lib/action_dispatch/testing/request_encoder.rb +4 -1
- data/lib/action_dispatch/testing/test_process.rb +4 -3
- data/lib/action_dispatch/testing/test_request.rb +1 -1
- data/lib/action_dispatch/testing/test_response.rb +23 -9
- data/lib/action_dispatch.rb +37 -4
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_pack.rb +1 -1
- metadata +51 -29
data/CHANGELOG.md
CHANGED
@@ -1,591 +1,524 @@
|
|
1
|
-
## Rails 7.0.
|
1
|
+
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
5
|
-
|
6
|
-
*Hartley McGuire*, *Daniel Schlosser*
|
7
|
-
|
8
|
-
|
9
|
-
## Rails 7.0.7.2 (August 22, 2023) ##
|
10
|
-
|
11
|
-
* No changes.
|
12
|
-
|
13
|
-
|
14
|
-
## Rails 7.0.7.1 (August 22, 2023) ##
|
15
|
-
|
16
|
-
* No changes.
|
17
|
-
|
18
|
-
|
19
|
-
## Rails 7.0.7 (August 09, 2023) ##
|
20
|
-
|
21
|
-
* No changes.
|
22
|
-
|
23
|
-
|
24
|
-
## Rails 7.0.6 (June 29, 2023) ##
|
25
|
-
|
26
|
-
* No changes.
|
27
|
-
|
28
|
-
|
29
|
-
## Rails 7.0.5.1 (June 26, 2023) ##
|
30
|
-
|
31
|
-
* Raise an exception if illegal characters are provide to redirect_to
|
32
|
-
[CVE-2023-28362]
|
33
|
-
|
34
|
-
*Zack Deveau*
|
35
|
-
|
36
|
-
## Rails 7.0.5 (May 24, 2023) ##
|
37
|
-
|
38
|
-
* Do not return CSP headers for 304 Not Modified responses.
|
39
|
-
|
40
|
-
*Tobias Kraze*
|
41
|
-
|
42
|
-
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
43
|
-
|
44
|
-
*fatkodima*
|
45
|
-
|
46
|
-
* Fix content-type header with `send_stream`.
|
47
|
-
|
48
|
-
*Elliot Crosby-McCullough*
|
49
|
-
|
50
|
-
* Address Selenium `:capabilities` deprecation warning.
|
51
|
-
|
52
|
-
*Ron Shinall*
|
3
|
+
* `AbstractController::Translation.raise_on_missing_translations` removed
|
53
4
|
|
54
|
-
|
55
|
-
|
56
|
-
*John Hawthorn*
|
57
|
-
|
58
|
-
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
59
|
-
|
60
|
-
Previously if you set `config.active_record.query_log_tags` to an array that included
|
61
|
-
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
62
|
-
This bug has been fixed.
|
5
|
+
This was a private API, and has been removed in favour of a more broadly applicable
|
6
|
+
`config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
|
63
7
|
|
64
8
|
*Alex Ghiculescu*
|
65
9
|
|
66
|
-
*
|
67
|
-
|
68
|
-
*Nikita Vasilevsky*
|
69
|
-
|
70
|
-
* Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
|
71
|
-
|
72
|
-
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
73
|
-
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
74
|
-
clear the cookie and force app users to manually clear it in their browser.
|
10
|
+
* Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
|
75
11
|
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
* No changes.
|
12
|
+
```ruby
|
13
|
+
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
|
14
|
+
params.extract_value(:id) # => ["1", "123"]
|
15
|
+
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
|
16
|
+
```
|
83
17
|
|
18
|
+
*Nikita Vasilevsky*
|
84
19
|
|
85
|
-
|
20
|
+
* Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
|
86
21
|
|
87
|
-
|
22
|
+
Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
|
23
|
+
of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
|
24
|
+
that it's pattern-matching compatible.
|
88
25
|
|
89
|
-
|
90
|
-
release when using `domain: :all` with a two letter but single level top
|
91
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
26
|
+
*Sean Doyle*
|
92
27
|
|
28
|
+
* Add support for Playwright as a driver for system tests.
|
93
29
|
|
94
|
-
|
30
|
+
*Yuki Nishijima*
|
95
31
|
|
96
|
-
* Fix
|
32
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
33
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
97
34
|
|
98
|
-
|
99
|
-
to malicious sites.
|
35
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
100
36
|
|
101
|
-
|
37
|
+
* Rename `fixture_file_upload` method to `file_fixture_upload`
|
102
38
|
|
103
|
-
|
39
|
+
Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
|
104
40
|
|
105
|
-
|
41
|
+
*Sean Doyle*
|
106
42
|
|
107
|
-
*
|
43
|
+
* `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
|
108
44
|
|
109
|
-
|
45
|
+
*Matija Čupić*
|
110
46
|
|
111
|
-
|
47
|
+
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
48
|
+
`ActionDispatch::Assertions#html_document`.
|
112
49
|
|
113
|
-
|
50
|
+
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
51
|
+
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
52
|
+
Nokogiri's HTML4 parser.
|
114
53
|
|
115
|
-
|
116
|
-
it would overwritten by `ActionDispatch::ServerTiming`.
|
54
|
+
*Mike Dalessio*
|
117
55
|
|
118
|
-
|
56
|
+
* The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
|
57
|
+
be setup before each test, and reset after every test. For example:
|
119
58
|
|
59
|
+
```ruby
|
60
|
+
class RoutingTest < ActionController::TestCase
|
61
|
+
with_routing do |routes|
|
62
|
+
routes.draw do
|
63
|
+
resources :articles
|
64
|
+
resources :authors
|
65
|
+
end
|
66
|
+
end
|
120
67
|
|
121
|
-
|
68
|
+
def test_articles_route
|
69
|
+
assert_routing("/articles", controller: "articles", action: "index")
|
70
|
+
end
|
122
71
|
|
123
|
-
|
72
|
+
def test_authors_route
|
73
|
+
assert_routing("/authors", controller: "authors", action: "index")
|
74
|
+
end
|
75
|
+
end
|
76
|
+
```
|
124
77
|
|
78
|
+
*Andrew Novoselac*
|
125
79
|
|
126
|
-
|
80
|
+
* The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
|
81
|
+
When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
|
82
|
+
To keep the current functionality, a fallback is created to look for the media-type without the parameters.
|
127
83
|
|
128
|
-
|
84
|
+
This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
|
129
85
|
|
130
|
-
*
|
86
|
+
*Nicolas Erni*
|
131
87
|
|
132
|
-
*
|
88
|
+
* The url_for helpers now support a new option called `path_params`.
|
89
|
+
This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
|
133
90
|
|
134
|
-
|
91
|
+
Given the following router...
|
135
92
|
|
136
93
|
```ruby
|
137
|
-
|
138
|
-
|
94
|
+
Rails.application.routes.draw do
|
95
|
+
scope ":account_id" do
|
96
|
+
get "dashboard" => "pages#dashboard", as: :dashboard
|
97
|
+
get "search/:term" => "search#search", as: :search
|
98
|
+
end
|
99
|
+
delete "signout" => "sessions#destroy", as: :signout
|
139
100
|
end
|
140
101
|
```
|
141
102
|
|
142
|
-
|
143
|
-
|
144
|
-
*Jean Boussier*
|
145
|
-
|
146
|
-
* Fix `content_security_policy` returning invalid directives.
|
147
|
-
|
148
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
149
|
-
single quoted when the directive was the result of calling a lambda
|
150
|
-
returning an array.
|
103
|
+
And given the following `ApplicationController`
|
151
104
|
|
152
105
|
```ruby
|
153
|
-
|
154
|
-
|
106
|
+
class ApplicationController < ActionController::Base
|
107
|
+
def default_url_options
|
108
|
+
{ path_params: { account_id: "foo" } }
|
109
|
+
end
|
155
110
|
end
|
156
111
|
```
|
157
112
|
|
158
|
-
|
159
|
-
|
160
|
-
*Edouard Chin*
|
161
|
-
|
162
|
-
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
163
|
-
protection has not been enabled / `verify_authenticity_token` is not a
|
164
|
-
defined callback.
|
165
|
-
|
166
|
-
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
167
|
-
`ArgumentError` if `default_protect_from_forgery` is false.
|
168
|
-
|
169
|
-
*Brad Trick*
|
170
|
-
|
171
|
-
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
172
|
-
|
173
|
-
Since its inception `ActionController::Live` has been copying thread local variables
|
174
|
-
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
175
|
-
|
176
|
-
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
177
|
-
`ActionController::Live` controllers.
|
178
|
-
|
179
|
-
*Jean Boussier*
|
180
|
-
|
181
|
-
* Fix setting `trailing_slash: true` in route definition.
|
113
|
+
The standard url_for helper and friends will now behave as follows:
|
182
114
|
|
183
115
|
```ruby
|
184
|
-
|
116
|
+
dashboard_path # => /foo/dashboard
|
117
|
+
dashboard_path(account_id: "bar") # => /bar/dashboard
|
185
118
|
|
186
|
-
|
119
|
+
signout_path # => /signout
|
120
|
+
signout_path(account_id: "bar") # => /signout?account_id=bar
|
121
|
+
signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
|
122
|
+
search_path("quin") # => /foo/search/quin
|
187
123
|
```
|
188
124
|
|
189
|
-
*
|
190
|
-
|
191
|
-
## Rails 7.0.2.4 (April 26, 2022) ##
|
192
|
-
|
193
|
-
* Allow Content Security Policy DSL to generate for API responses.
|
194
|
-
|
195
|
-
*Tim Wade*
|
196
|
-
|
197
|
-
## Rails 7.0.2.3 (March 08, 2022) ##
|
198
|
-
|
199
|
-
* No changes.
|
200
|
-
|
201
|
-
|
202
|
-
## Rails 7.0.2.2 (February 11, 2022) ##
|
203
|
-
|
204
|
-
* No changes.
|
205
|
-
|
206
|
-
|
207
|
-
## Rails 7.0.2.1 (February 11, 2022) ##
|
208
|
-
|
209
|
-
* Under certain circumstances, the middleware isn't informed that the
|
210
|
-
response body has been fully closed which result in request state not
|
211
|
-
being fully reset before the next request
|
125
|
+
*Jason Meller, Jeremy Beker*
|
212
126
|
|
213
|
-
|
127
|
+
* Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
|
128
|
+
`:none`. `:all` and `:none` behave the same as the previous `true` and
|
129
|
+
`false` respectively. The new `:rescuable` option will only show exceptions
|
130
|
+
that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
|
131
|
+
now the default for the test environment.
|
214
132
|
|
133
|
+
*Jon Dufresne*
|
215
134
|
|
216
|
-
|
135
|
+
* `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
|
136
|
+
`:message_pack_allow_marshal` as serializers. These serializers require the
|
137
|
+
[`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
|
217
138
|
|
218
|
-
|
139
|
+
The Message Pack format can provide improved performance and smaller payload
|
140
|
+
sizes. It also supports roundtripping some Ruby types that are not supported
|
141
|
+
by JSON. For example:
|
219
142
|
|
143
|
+
```ruby
|
144
|
+
cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
|
220
145
|
|
221
|
-
|
146
|
+
# BEFORE with config.action_dispatch.cookies_serializer = :json
|
147
|
+
cookies.encrypted[:foo]
|
148
|
+
# => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
|
149
|
+
cookies.encrypted[:foo].map(&:class)
|
150
|
+
# => [Hash, Hash, String, String]
|
222
151
|
|
223
|
-
|
224
|
-
|
152
|
+
# AFTER with config.action_dispatch.cookies_serializer = :message_pack
|
153
|
+
cookies.encrypted[:foo]
|
154
|
+
# => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
|
155
|
+
cookies.encrypted[:foo].map(&:class)
|
156
|
+
# => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
|
157
|
+
```
|
225
158
|
|
226
|
-
|
159
|
+
The `:message_pack` serializer can fall back to deserializing with
|
160
|
+
`ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
|
161
|
+
serializer can fall back to deserializing with `Marshal` as well as
|
162
|
+
`ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
|
163
|
+
`:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
|
164
|
+
deserializing with `ActiveSupport::MessagePack` when necessary. These
|
165
|
+
behaviors ensure old cookies can still be read so that migration is easier.
|
227
166
|
|
167
|
+
*Jonathan Hefner*
|
228
168
|
|
229
|
-
|
230
|
-
|
231
|
-
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
232
|
-
|
233
|
-
*Étienne Barrié*
|
234
|
-
|
235
|
-
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
236
|
-
|
237
|
-
This means if you make multiple requests in the same test, instance variables set in the first request will
|
238
|
-
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
239
|
-
|
240
|
-
*Alex Ghiculescu*
|
241
|
-
|
169
|
+
* Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
|
242
170
|
|
243
|
-
|
171
|
+
*Gareth Adams*
|
244
172
|
|
245
|
-
*
|
173
|
+
* Include source location in routes extended view.
|
246
174
|
|
175
|
+
```bash
|
176
|
+
$ bin/rails routes --expanded
|
247
177
|
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
This helps to better simulate request or job local state being reset between requests and prevent state
|
258
|
-
leaking from one request to another.
|
259
|
-
|
260
|
-
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
178
|
+
...
|
179
|
+
--[ Route 14 ]----------
|
180
|
+
Prefix | new_gist
|
181
|
+
Verb | GET
|
182
|
+
URI | /gist(.:format)
|
183
|
+
Controller#Action | gists/gists#new
|
184
|
+
Source Location | config/routes/gist.rb:3
|
185
|
+
```
|
261
186
|
|
262
|
-
*
|
187
|
+
*Luan Vieira, John Hawthorn and Daniel Colson*
|
263
188
|
|
264
|
-
*
|
189
|
+
* Add `without` as an alias of `except` on `ActiveController::Parameters`.
|
265
190
|
|
266
|
-
*
|
191
|
+
*Hidde-Jan Jongsma*
|
267
192
|
|
268
|
-
*
|
193
|
+
* Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
|
269
194
|
|
270
|
-
*
|
195
|
+
*Jason Kotchoff*
|
271
196
|
|
272
|
-
* Remove deprecated
|
197
|
+
* Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
|
273
198
|
|
274
199
|
*Rafael Mendonça França*
|
275
200
|
|
276
|
-
* Remove deprecated `
|
201
|
+
* Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
|
277
202
|
|
278
203
|
*Rafael Mendonça França*
|
279
204
|
|
280
|
-
*
|
205
|
+
* Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
|
281
206
|
|
282
207
|
*Rafael Mendonça França*
|
283
208
|
|
284
|
-
* Remove deprecated `
|
209
|
+
* Remove deprecated behavior on `Request#content_type`.
|
285
210
|
|
286
211
|
*Rafael Mendonça França*
|
287
212
|
|
288
|
-
*
|
289
|
-
|
290
|
-
This allows `rescue_from` to be used to add a default fallback route:
|
213
|
+
* Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
|
291
214
|
|
292
215
|
```ruby
|
293
|
-
|
294
|
-
|
295
|
-
|
216
|
+
get "/posts?password=test"
|
217
|
+
request.fullpath # => "/posts?password=test"
|
218
|
+
request.filtered_path # => "/posts?password=[FILTERED]"
|
296
219
|
```
|
297
220
|
|
298
|
-
*
|
221
|
+
*Ritikesh G*
|
299
222
|
|
300
|
-
*
|
223
|
+
* Deprecate `AbstractController::Helpers::MissingHelperError`
|
301
224
|
|
302
|
-
|
303
|
-
|
304
|
-
|
225
|
+
*Hartley McGuire*
|
226
|
+
|
227
|
+
* Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
|
228
|
+
a Nokogiri document
|
305
229
|
|
306
230
|
```ruby
|
307
|
-
|
308
|
-
|
309
|
-
|
231
|
+
get "/posts"
|
232
|
+
response.content_type # => "text/html; charset=utf-8"
|
233
|
+
response.parsed_body.class # => Nokogiri::HTML5::Document
|
234
|
+
response.parsed_body.to_html # => "<!DOCTYPE html>\n<html>\n..."
|
310
235
|
```
|
311
236
|
|
312
|
-
*
|
313
|
-
|
314
|
-
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
237
|
+
*Sean Doyle*
|
315
238
|
|
316
|
-
|
317
|
-
type (selenium, poltergeist, webkit, rack test).
|
239
|
+
* Deprecate `ActionDispatch::IllegalStateError`.
|
318
240
|
|
319
|
-
|
241
|
+
*Samuel Williams*
|
320
242
|
|
321
|
-
|
243
|
+
* Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
|
322
244
|
|
323
|
-
*
|
245
|
+
*Joel Hawksley*, *Kate Higa*
|
324
246
|
|
325
|
-
|
326
|
-
|
327
|
-
|
247
|
+
* Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
|
248
|
+
It makes the application believe that all requests are arriving over SSL. This is useful
|
249
|
+
when proxying through a load balancer that terminates SSL, the forwarded request will appear
|
250
|
+
as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
|
251
|
+
security target HTTP instead of HTTPS. This middleware makes the server assume that the
|
252
|
+
proxy already terminated SSL, and that the request really is HTTPS.
|
328
253
|
|
329
|
-
|
330
|
-
draw do
|
331
|
-
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
332
|
-
end
|
333
|
-
|
334
|
-
# After the change, the path matches.
|
335
|
-
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
336
|
-
```
|
254
|
+
*DHH*
|
337
255
|
|
338
|
-
|
256
|
+
* Only use HostAuthorization middleware if `config.hosts` is not empty
|
339
257
|
|
340
|
-
*
|
258
|
+
*Hartley McGuire*
|
341
259
|
|
342
|
-
*
|
260
|
+
* Allow raising an error when a callback's only/unless symbols aren't existing methods.
|
343
261
|
|
344
|
-
|
262
|
+
When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
|
345
263
|
|
346
|
-
|
264
|
+
For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_pack.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
|
347
265
|
|
348
|
-
|
349
|
-
After this change you can specify different fields for each numbered parameter.
|
350
|
-
For example params like,
|
351
|
-
```ruby
|
352
|
-
book: {
|
353
|
-
authors_attributes: {
|
354
|
-
'0': { name: "William Shakespeare", age_of_death: "52" },
|
355
|
-
'1': { name: "Unattributed Assistant" },
|
356
|
-
'2': "Not a hash",
|
357
|
-
'new_record': { name: "Some name" }
|
358
|
-
}
|
359
|
-
}
|
360
|
-
```
|
266
|
+
*Jess Bees*
|
361
267
|
|
362
|
-
|
363
|
-
`permit book: { authors_attributes: [ :name ] }`
|
268
|
+
* Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
|
364
269
|
|
365
|
-
|
366
|
-
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
270
|
+
*RobL*
|
367
271
|
|
368
|
-
|
272
|
+
* When a host is not specified for an `ActionController::Renderer`'s env,
|
273
|
+
the host and related options will now be derived from the routes'
|
274
|
+
`default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
|
369
275
|
|
370
|
-
|
276
|
+
This means that for an application with a configuration like:
|
371
277
|
|
372
|
-
|
373
|
-
|
278
|
+
```ruby
|
279
|
+
Rails.application.default_url_options = { host: "rubyonrails.org" }
|
280
|
+
Rails.application.config.force_ssl = true
|
281
|
+
```
|
374
282
|
|
375
|
-
|
283
|
+
rendering a URL like:
|
376
284
|
|
377
|
-
|
285
|
+
```ruby
|
286
|
+
ApplicationController.renderer.render inline: "<%= blog_url %>"
|
287
|
+
```
|
378
288
|
|
379
|
-
|
289
|
+
will now return `"https://rubyonrails.org/blog"` instead of
|
290
|
+
`"http://example.org/blog"`.
|
380
291
|
|
381
|
-
*
|
292
|
+
*Jonathan Hefner*
|
382
293
|
|
383
|
-
|
384
|
-
about the request it is responding to.
|
294
|
+
* Add details of cookie name and size to `CookieOverflow` exception.
|
385
295
|
|
386
|
-
|
387
|
-
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
296
|
+
*Andy Waite*
|
388
297
|
|
389
|
-
|
298
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
390
299
|
|
391
|
-
|
300
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
301
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
302
|
+
This bug has been fixed.
|
392
303
|
|
304
|
+
*Alex Ghiculescu*
|
393
305
|
|
394
|
-
|
306
|
+
* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
|
307
|
+
`serial`, `sync-xhr`, `web-share`.
|
395
308
|
|
396
|
-
*
|
309
|
+
*Guillaume Cabanel*
|
397
310
|
|
311
|
+
* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
|
312
|
+
deprecated.
|
398
313
|
|
399
|
-
|
314
|
+
There is no browser support for these directives, and no plan for browser
|
315
|
+
support in the future. You can just remove these directives from your
|
316
|
+
application.
|
400
317
|
|
401
|
-
*
|
402
|
-
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
403
|
-
malformed JSON.
|
318
|
+
*Jonathan Hefner*
|
404
319
|
|
405
|
-
|
320
|
+
* Added the `:status` option to `assert_redirected_to` to specify the precise
|
321
|
+
HTTP status of the redirect. Defaults to `:redirect` for backwards
|
322
|
+
compatibility.
|
406
323
|
|
407
|
-
*
|
324
|
+
*Jon Dufresne*
|
408
325
|
|
409
|
-
*
|
326
|
+
* Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
|
410
327
|
|
411
|
-
|
412
|
-
|
328
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
329
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
330
|
+
clear the cookie and force app users to manually clear it in their browser.
|
413
331
|
|
414
|
-
|
332
|
+
(See #45127 for original bug discussion)
|
415
333
|
|
416
|
-
*
|
334
|
+
*Nathan Bardoux*
|
417
335
|
|
418
|
-
|
419
|
-
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
336
|
+
* Add `HTTP_REFERER` when following redirects on integration tests
|
420
337
|
|
421
|
-
|
338
|
+
This makes `follow_redirect!` a closer simulation of what happens in a real browser
|
422
339
|
|
423
|
-
*
|
340
|
+
*Felipe Sateler*
|
424
341
|
|
425
|
-
|
342
|
+
* Added `exclude?` method to `ActionController::Parameters`.
|
426
343
|
|
427
|
-
|
344
|
+
*Ian Neubert*
|
428
345
|
|
429
|
-
|
346
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
430
347
|
|
431
|
-
*
|
348
|
+
*Nikita Vasilevsky*
|
432
349
|
|
433
|
-
|
434
|
-
are not listed as actions on that controller.
|
350
|
+
* Log redirects from routes the same way as redirects from controllers.
|
435
351
|
|
436
|
-
|
437
|
-
add_flash_types :hype
|
438
|
-
end
|
352
|
+
*Dennis Paagman*
|
439
353
|
|
440
|
-
|
354
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
355
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
356
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
441
357
|
|
442
|
-
*
|
358
|
+
*Jakub Malinowski*
|
443
359
|
|
444
|
-
*
|
360
|
+
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.
|
445
361
|
|
446
|
-
|
362
|
+
You can opt out of `SameSite` by passing `same_site: nil`.
|
447
363
|
|
448
|
-
|
364
|
+
`cookies[:foo] = { value: "bar", same_site: nil }`
|
449
365
|
|
450
|
-
|
366
|
+
Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
|
451
367
|
|
452
|
-
*
|
368
|
+
*Alex Ghiculescu*
|
453
369
|
|
454
|
-
*
|
455
|
-
present in `rescued_responses`.
|
370
|
+
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
456
371
|
|
457
|
-
|
458
|
-
|
459
|
-
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
460
|
-
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
372
|
+
Previously you could access basic helpers (defined in helper modules), but not
|
373
|
+
helper methods defined using `helper_method`. Now you can use either.
|
461
374
|
|
462
|
-
|
375
|
+
```ruby
|
376
|
+
content_security_policy do |p|
|
377
|
+
p.default_src "https://example.com"
|
378
|
+
p.script_src "https://example.com" if helpers.script_csp?
|
379
|
+
end
|
380
|
+
```
|
463
381
|
|
464
|
-
*
|
382
|
+
*Alex Ghiculescu*
|
465
383
|
|
466
|
-
|
384
|
+
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
467
385
|
|
468
|
-
|
386
|
+
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
387
|
+
The new implementation takes care of conversions.
|
469
388
|
|
470
|
-
*
|
389
|
+
*Seva Stefkin*
|
471
390
|
|
472
|
-
*
|
391
|
+
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
392
|
+
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
393
|
+
with keys that aren't strings or symbols.
|
473
394
|
|
474
|
-
*
|
395
|
+
*Seva Stefkin*
|
475
396
|
|
476
|
-
*
|
397
|
+
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
477
398
|
|
478
|
-
|
399
|
+
By default, the token will be stored in the session. Custom classes can be
|
400
|
+
defined to specify arbitrary behavior, but the ability to store them in
|
401
|
+
encrypted cookies is built in.
|
479
402
|
|
480
|
-
*
|
403
|
+
*Andrew Kowpak*
|
481
404
|
|
482
|
-
*
|
405
|
+
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
483
406
|
|
484
407
|
*Gannon McGibbon*
|
485
408
|
|
486
|
-
*
|
409
|
+
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
487
410
|
|
488
|
-
|
411
|
+
Use these as an alternative to the already-available environment variables.
|
489
412
|
|
490
|
-
|
413
|
+
For example, this will display a screenshot in iTerm, save the HTML, and output
|
414
|
+
its path.
|
491
415
|
|
492
|
-
|
416
|
+
```ruby
|
417
|
+
take_screenshot(html: true, screenshot: "inline")
|
418
|
+
```
|
493
419
|
|
494
|
-
|
420
|
+
*Alex Ghiculescu*
|
495
421
|
|
496
|
-
|
422
|
+
* Allow `ActionController::Parameters#to_h` to receive a block.
|
497
423
|
|
498
|
-
*
|
424
|
+
*Bob Farrell*
|
499
425
|
|
500
|
-
|
426
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
501
427
|
|
502
|
-
*
|
428
|
+
*Tom Hughes*
|
503
429
|
|
504
|
-
*
|
430
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
505
431
|
|
506
|
-
*
|
432
|
+
*Tim Wade*
|
507
433
|
|
508
|
-
*
|
434
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
509
435
|
|
510
|
-
|
436
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
511
437
|
|
512
|
-
|
438
|
+
```ruby
|
439
|
+
authenticate_with_http_basic do |token, _|
|
440
|
+
ApiClient.authenticate(token)
|
441
|
+
end
|
442
|
+
```
|
513
443
|
|
514
|
-
|
515
|
-
know which controller action received unpermitted parameters.
|
444
|
+
This ability is restored.
|
516
445
|
|
517
|
-
*
|
446
|
+
*Jean Boussier*
|
518
447
|
|
519
|
-
*
|
448
|
+
* Fix `content_security_policy` returning invalid directives.
|
520
449
|
|
521
|
-
|
522
|
-
|
523
|
-
|
450
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
451
|
+
single quoted when the directive was the result of calling a lambda
|
452
|
+
returning an array.
|
524
453
|
|
525
|
-
|
526
|
-
|
527
|
-
|
454
|
+
```ruby
|
455
|
+
content_security_policy do |policy|
|
456
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
528
457
|
end
|
529
458
|
```
|
530
459
|
|
531
|
-
|
460
|
+
With this fix the policy generated from above will now be valid.
|
461
|
+
|
462
|
+
*Edouard Chin*
|
532
463
|
|
533
|
-
*
|
464
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
465
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
466
|
+
defined callback.
|
534
467
|
|
535
|
-
|
468
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
469
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
536
470
|
|
537
|
-
*
|
471
|
+
*Brad Trick*
|
538
472
|
|
539
|
-
|
540
|
-
This behavior changed to returned Content-Type header containing charset part as it is.
|
473
|
+
* Make `redirect_to` return an empty response body.
|
541
474
|
|
542
|
-
|
475
|
+
Application controllers that wish to add a response body after calling
|
476
|
+
`redirect_to` can continue to do so.
|
543
477
|
|
544
|
-
|
478
|
+
*Jon Dufresne*
|
545
479
|
|
546
|
-
|
547
|
-
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
548
|
-
request.content_type #=> "text/csv"
|
549
|
-
```
|
480
|
+
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
550
481
|
|
551
|
-
|
482
|
+
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
552
483
|
|
553
|
-
|
554
|
-
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
555
|
-
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
556
|
-
request.media_type #=> "text/csv"
|
557
|
-
```
|
484
|
+
*Sam Bostock*
|
558
485
|
|
559
|
-
|
486
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
560
487
|
|
561
|
-
|
488
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
489
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
562
490
|
|
563
|
-
|
491
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
492
|
+
`ActionController::Live` controllers.
|
564
493
|
|
565
|
-
*
|
494
|
+
*Jean Boussier*
|
566
495
|
|
567
|
-
|
496
|
+
* Fix setting `trailing_slash: true` in route definition.
|
568
497
|
|
569
|
-
|
498
|
+
```ruby
|
499
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
570
500
|
|
571
|
-
|
501
|
+
test_path() # => "/test/"
|
502
|
+
```
|
572
503
|
|
573
|
-
*
|
504
|
+
*Jean Boussier*
|
574
505
|
|
575
|
-
|
506
|
+
* Make `Session#merge!` stringify keys.
|
576
507
|
|
577
|
-
|
578
|
-
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
579
|
-
with a single value or an enumerable.
|
508
|
+
Previously `Session#update` would, but `merge!` wouldn't.
|
580
509
|
|
581
|
-
|
510
|
+
*Drew Bragg*
|
582
511
|
|
583
|
-
|
512
|
+
* Add `:unsafe_hashes` mapping for `content_security_policy`
|
584
513
|
|
585
|
-
|
586
|
-
|
514
|
+
```ruby
|
515
|
+
# Before
|
516
|
+
policy.script_src :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
587
517
|
|
588
|
-
|
518
|
+
# After
|
519
|
+
policy.script_src :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
520
|
+
```
|
589
521
|
|
522
|
+
*Igor Morozov*
|
590
523
|
|
591
|
-
Please check [
|
524
|
+
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
|