actionpack 7.0.8 → 7.1.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +324 -383
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -2
- data/lib/abstract_controller/base.rb +19 -10
- data/lib/abstract_controller/caching/fragments.rb +2 -0
- data/lib/abstract_controller/callbacks.rb +31 -6
- data/lib/abstract_controller/deprecator.rb +7 -0
- data/lib/abstract_controller/helpers.rb +61 -18
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -16
- data/lib/abstract_controller/rendering.rb +3 -3
- data/lib/abstract_controller/translation.rb +1 -5
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +6 -0
- data/lib/action_controller/api.rb +5 -3
- data/lib/action_controller/base.rb +3 -17
- data/lib/action_controller/caching.rb +2 -0
- data/lib/action_controller/deprecator.rb +7 -0
- data/lib/action_controller/form_builder.rb +2 -0
- data/lib/action_controller/log_subscriber.rb +16 -4
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +2 -0
- data/lib/action_controller/metal/default_headers.rb +2 -0
- data/lib/action_controller/metal/etag_with_flash.rb +2 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
- data/lib/action_controller/metal/exceptions.rb +8 -0
- data/lib/action_controller/metal/head.rb +8 -6
- data/lib/action_controller/metal/helpers.rb +3 -14
- data/lib/action_controller/metal/http_authentication.rb +11 -4
- data/lib/action_controller/metal/implicit_render.rb +5 -3
- data/lib/action_controller/metal/instrumentation.rb +8 -1
- data/lib/action_controller/metal/live.rb +24 -0
- data/lib/action_controller/metal/mime_responds.rb +2 -2
- data/lib/action_controller/metal/params_wrapper.rb +3 -1
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +2 -2
- data/lib/action_controller/metal/rendering.rb +0 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +138 -50
- data/lib/action_controller/metal/rescue.rb +2 -0
- data/lib/action_controller/metal/streaming.rb +70 -30
- data/lib/action_controller/metal/strong_parameters.rb +122 -52
- data/lib/action_controller/metal/url_for.rb +7 -0
- data/lib/action_controller/metal.rb +79 -21
- data/lib/action_controller/railtie.rb +22 -9
- data/lib/action_controller/renderer.rb +98 -65
- data/lib/action_controller/test_case.rb +15 -5
- data/lib/action_controller.rb +8 -1
- data/lib/action_dispatch/constants.rb +32 -0
- data/lib/action_dispatch/deprecator.rb +7 -0
- data/lib/action_dispatch/http/cache.rb +1 -3
- data/lib/action_dispatch/http/content_security_policy.rb +9 -8
- data/lib/action_dispatch/http/filter_parameters.rb +11 -5
- data/lib/action_dispatch/http/headers.rb +2 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +21 -21
- data/lib/action_dispatch/http/mime_type.rb +35 -12
- data/lib/action_dispatch/http/mime_types.rb +3 -1
- data/lib/action_dispatch/http/parameters.rb +1 -1
- data/lib/action_dispatch/http/permissions_policy.rb +39 -17
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +48 -14
- data/lib/action_dispatch/http/response.rb +78 -59
- data/lib/action_dispatch/http/upload.rb +2 -0
- data/lib/action_dispatch/journey/formatter.rb +8 -2
- data/lib/action_dispatch/journey/path/pattern.rb +14 -14
- data/lib/action_dispatch/journey/route.rb +3 -2
- data/lib/action_dispatch/journey/router.rb +9 -8
- data/lib/action_dispatch/journey/routes.rb +2 -2
- data/lib/action_dispatch/log_subscriber.rb +23 -0
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -6
- data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -0
- data/lib/action_dispatch/middleware/cookies.rb +81 -98
- data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -25
- data/lib/action_dispatch/middleware/debug_locks.rb +4 -1
- data/lib/action_dispatch/middleware/debug_view.rb +7 -2
- data/lib/action_dispatch/middleware/exception_wrapper.rb +181 -27
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +7 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +6 -3
- data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
- data/lib/action_dispatch/middleware/reloader.rb +7 -5
- data/lib/action_dispatch/middleware/remote_ip.rb +17 -16
- data/lib/action_dispatch/middleware/request_id.rb +2 -0
- data/lib/action_dispatch/middleware/server_timing.rb +4 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +5 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
- data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -5
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +19 -15
- data/lib/action_dispatch/middleware/ssl.rb +18 -6
- data/lib/action_dispatch/middleware/stack.rb +7 -2
- data/lib/action_dispatch/middleware/static.rb +12 -8
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +7 -7
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +17 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +16 -12
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +46 -37
- data/lib/action_dispatch/railtie.rb +14 -4
- data/lib/action_dispatch/request/session.rb +16 -6
- data/lib/action_dispatch/request/utils.rb +8 -3
- data/lib/action_dispatch/routing/inspector.rb +54 -6
- data/lib/action_dispatch/routing/mapper.rb +26 -14
- data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
- data/lib/action_dispatch/routing/redirection.rb +15 -6
- data/lib/action_dispatch/routing/route_set.rb +52 -22
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +5 -1
- data/lib/action_dispatch/routing.rb +4 -4
- data/lib/action_dispatch/system_test_case.rb +3 -3
- data/lib/action_dispatch/system_testing/browser.rb +5 -6
- data/lib/action_dispatch/system_testing/driver.rb +13 -21
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +27 -16
- data/lib/action_dispatch/testing/assertions/response.rb +13 -6
- data/lib/action_dispatch/testing/assertions/routing.rb +67 -28
- data/lib/action_dispatch/testing/assertions.rb +3 -1
- data/lib/action_dispatch/testing/integration.rb +27 -17
- data/lib/action_dispatch/testing/request_encoder.rb +4 -1
- data/lib/action_dispatch/testing/test_process.rb +4 -3
- data/lib/action_dispatch/testing/test_request.rb +1 -1
- data/lib/action_dispatch/testing/test_response.rb +23 -9
- data/lib/action_dispatch.rb +37 -4
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_pack.rb +1 -1
- metadata +51 -29
data/CHANGELOG.md
CHANGED
@@ -1,591 +1,532 @@
|
|
1
|
-
## Rails 7.0.
|
1
|
+
## Rails 7.1.0.rc1 (September 27, 2023) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
*Hartley McGuire*, *Daniel Schlosser*
|
7
|
-
|
8
|
-
|
9
|
-
## Rails 7.0.7.2 (August 22, 2023) ##
|
10
|
-
|
11
|
-
* No changes.
|
12
|
-
|
13
|
-
|
14
|
-
## Rails 7.0.7.1 (August 22, 2023) ##
|
15
|
-
|
16
|
-
* No changes.
|
17
|
-
|
18
|
-
|
19
|
-
## Rails 7.0.7 (August 09, 2023) ##
|
20
|
-
|
21
|
-
* No changes.
|
22
|
-
|
23
|
-
|
24
|
-
## Rails 7.0.6 (June 29, 2023) ##
|
3
|
+
* Add support for `#deep_merge` and `#deep_merge!` to
|
4
|
+
`ActionController::Parameters`.
|
25
5
|
|
26
|
-
*
|
6
|
+
*Sean Doyle*
|
27
7
|
|
28
8
|
|
29
|
-
## Rails 7.0.
|
9
|
+
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
30
10
|
|
31
|
-
*
|
32
|
-
[CVE-2023-28362]
|
11
|
+
* `AbstractController::Translation.raise_on_missing_translations` removed
|
33
12
|
|
34
|
-
|
35
|
-
|
36
|
-
## Rails 7.0.5 (May 24, 2023) ##
|
37
|
-
|
38
|
-
* Do not return CSP headers for 304 Not Modified responses.
|
39
|
-
|
40
|
-
*Tobias Kraze*
|
41
|
-
|
42
|
-
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
43
|
-
|
44
|
-
*fatkodima*
|
45
|
-
|
46
|
-
* Fix content-type header with `send_stream`.
|
47
|
-
|
48
|
-
*Elliot Crosby-McCullough*
|
49
|
-
|
50
|
-
* Address Selenium `:capabilities` deprecation warning.
|
51
|
-
|
52
|
-
*Ron Shinall*
|
53
|
-
|
54
|
-
* Fix cookie domain for domain: all on two letter single level TLD.
|
55
|
-
|
56
|
-
*John Hawthorn*
|
57
|
-
|
58
|
-
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
59
|
-
|
60
|
-
Previously if you set `config.active_record.query_log_tags` to an array that included
|
61
|
-
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
62
|
-
This bug has been fixed.
|
13
|
+
This was a private API, and has been removed in favour of a more broadly applicable
|
14
|
+
`config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
|
63
15
|
|
64
16
|
*Alex Ghiculescu*
|
65
17
|
|
66
|
-
*
|
67
|
-
|
68
|
-
*Nikita Vasilevsky*
|
69
|
-
|
70
|
-
* Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
|
71
|
-
|
72
|
-
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
73
|
-
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
74
|
-
clear the cookie and force app users to manually clear it in their browser.
|
75
|
-
|
76
|
-
(See #45127 for original bug discussion)
|
77
|
-
|
78
|
-
*Nathan Bardoux*
|
79
|
-
|
80
|
-
## Rails 7.0.4.3 (March 13, 2023) ##
|
18
|
+
* Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
|
81
19
|
|
82
|
-
|
20
|
+
```ruby
|
21
|
+
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
|
22
|
+
params.extract_value(:id) # => ["1", "123"]
|
23
|
+
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
|
24
|
+
```
|
83
25
|
|
26
|
+
*Nikita Vasilevsky*
|
84
27
|
|
85
|
-
|
28
|
+
* Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
|
86
29
|
|
87
|
-
|
30
|
+
Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
|
31
|
+
of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
|
32
|
+
that it's pattern-matching compatible.
|
88
33
|
|
89
|
-
|
90
|
-
release when using `domain: :all` with a two letter but single level top
|
91
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
34
|
+
*Sean Doyle*
|
92
35
|
|
36
|
+
* Add support for Playwright as a driver for system tests.
|
93
37
|
|
94
|
-
|
38
|
+
*Yuki Nishijima*
|
95
39
|
|
96
|
-
* Fix
|
40
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
41
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
97
42
|
|
98
|
-
|
99
|
-
to malicious sites.
|
43
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
100
44
|
|
101
|
-
|
45
|
+
* Rename `fixture_file_upload` method to `file_fixture_upload`
|
102
46
|
|
103
|
-
|
47
|
+
Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
|
104
48
|
|
105
|
-
|
49
|
+
*Sean Doyle*
|
106
50
|
|
107
|
-
*
|
51
|
+
* `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
|
108
52
|
|
109
|
-
|
53
|
+
*Matija Čupić*
|
110
54
|
|
111
|
-
|
55
|
+
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
56
|
+
`ActionDispatch::Assertions#html_document`.
|
112
57
|
|
113
|
-
|
58
|
+
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
59
|
+
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
60
|
+
Nokogiri's HTML4 parser.
|
114
61
|
|
115
|
-
|
116
|
-
it would overwritten by `ActionDispatch::ServerTiming`.
|
62
|
+
*Mike Dalessio*
|
117
63
|
|
118
|
-
|
64
|
+
* The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
|
65
|
+
be setup before each test, and reset after every test. For example:
|
119
66
|
|
67
|
+
```ruby
|
68
|
+
class RoutingTest < ActionController::TestCase
|
69
|
+
with_routing do |routes|
|
70
|
+
routes.draw do
|
71
|
+
resources :articles
|
72
|
+
resources :authors
|
73
|
+
end
|
74
|
+
end
|
120
75
|
|
121
|
-
|
76
|
+
def test_articles_route
|
77
|
+
assert_routing("/articles", controller: "articles", action: "index")
|
78
|
+
end
|
122
79
|
|
123
|
-
|
80
|
+
def test_authors_route
|
81
|
+
assert_routing("/authors", controller: "authors", action: "index")
|
82
|
+
end
|
83
|
+
end
|
84
|
+
```
|
124
85
|
|
86
|
+
*Andrew Novoselac*
|
125
87
|
|
126
|
-
|
88
|
+
* The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
|
89
|
+
When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
|
90
|
+
To keep the current functionality, a fallback is created to look for the media-type without the parameters.
|
127
91
|
|
128
|
-
|
92
|
+
This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
|
129
93
|
|
130
|
-
*
|
94
|
+
*Nicolas Erni*
|
131
95
|
|
132
|
-
*
|
96
|
+
* The url_for helpers now support a new option called `path_params`.
|
97
|
+
This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
|
133
98
|
|
134
|
-
|
99
|
+
Given the following router...
|
135
100
|
|
136
101
|
```ruby
|
137
|
-
|
138
|
-
|
102
|
+
Rails.application.routes.draw do
|
103
|
+
scope ":account_id" do
|
104
|
+
get "dashboard" => "pages#dashboard", as: :dashboard
|
105
|
+
get "search/:term" => "search#search", as: :search
|
106
|
+
end
|
107
|
+
delete "signout" => "sessions#destroy", as: :signout
|
139
108
|
end
|
140
109
|
```
|
141
110
|
|
142
|
-
|
143
|
-
|
144
|
-
*Jean Boussier*
|
145
|
-
|
146
|
-
* Fix `content_security_policy` returning invalid directives.
|
147
|
-
|
148
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
149
|
-
single quoted when the directive was the result of calling a lambda
|
150
|
-
returning an array.
|
111
|
+
And given the following `ApplicationController`
|
151
112
|
|
152
113
|
```ruby
|
153
|
-
|
154
|
-
|
114
|
+
class ApplicationController < ActionController::Base
|
115
|
+
def default_url_options
|
116
|
+
{ path_params: { account_id: "foo" } }
|
117
|
+
end
|
155
118
|
end
|
156
119
|
```
|
157
120
|
|
158
|
-
|
159
|
-
|
160
|
-
*Edouard Chin*
|
161
|
-
|
162
|
-
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
163
|
-
protection has not been enabled / `verify_authenticity_token` is not a
|
164
|
-
defined callback.
|
165
|
-
|
166
|
-
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
167
|
-
`ArgumentError` if `default_protect_from_forgery` is false.
|
168
|
-
|
169
|
-
*Brad Trick*
|
170
|
-
|
171
|
-
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
172
|
-
|
173
|
-
Since its inception `ActionController::Live` has been copying thread local variables
|
174
|
-
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
175
|
-
|
176
|
-
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
177
|
-
`ActionController::Live` controllers.
|
178
|
-
|
179
|
-
*Jean Boussier*
|
180
|
-
|
181
|
-
* Fix setting `trailing_slash: true` in route definition.
|
121
|
+
The standard url_for helper and friends will now behave as follows:
|
182
122
|
|
183
123
|
```ruby
|
184
|
-
|
124
|
+
dashboard_path # => /foo/dashboard
|
125
|
+
dashboard_path(account_id: "bar") # => /bar/dashboard
|
185
126
|
|
186
|
-
|
127
|
+
signout_path # => /signout
|
128
|
+
signout_path(account_id: "bar") # => /signout?account_id=bar
|
129
|
+
signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
|
130
|
+
search_path("quin") # => /foo/search/quin
|
187
131
|
```
|
188
132
|
|
189
|
-
*
|
190
|
-
|
191
|
-
## Rails 7.0.2.4 (April 26, 2022) ##
|
192
|
-
|
193
|
-
* Allow Content Security Policy DSL to generate for API responses.
|
194
|
-
|
195
|
-
*Tim Wade*
|
196
|
-
|
197
|
-
## Rails 7.0.2.3 (March 08, 2022) ##
|
198
|
-
|
199
|
-
* No changes.
|
133
|
+
*Jason Meller, Jeremy Beker*
|
200
134
|
|
135
|
+
* Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
|
136
|
+
`:none`. `:all` and `:none` behave the same as the previous `true` and
|
137
|
+
`false` respectively. The new `:rescuable` option will only show exceptions
|
138
|
+
that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
|
139
|
+
now the default for the test environment.
|
201
140
|
|
202
|
-
|
141
|
+
*Jon Dufresne*
|
203
142
|
|
204
|
-
*
|
143
|
+
* `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
|
144
|
+
`:message_pack_allow_marshal` as serializers. These serializers require the
|
145
|
+
[`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
|
205
146
|
|
147
|
+
The Message Pack format can provide improved performance and smaller payload
|
148
|
+
sizes. It also supports roundtripping some Ruby types that are not supported
|
149
|
+
by JSON. For example:
|
206
150
|
|
207
|
-
|
151
|
+
```ruby
|
152
|
+
cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
|
208
153
|
|
209
|
-
|
210
|
-
|
211
|
-
|
154
|
+
# BEFORE with config.action_dispatch.cookies_serializer = :json
|
155
|
+
cookies.encrypted[:foo]
|
156
|
+
# => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
|
157
|
+
cookies.encrypted[:foo].map(&:class)
|
158
|
+
# => [Hash, Hash, String, String]
|
212
159
|
|
213
|
-
|
160
|
+
# AFTER with config.action_dispatch.cookies_serializer = :message_pack
|
161
|
+
cookies.encrypted[:foo]
|
162
|
+
# => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
|
163
|
+
cookies.encrypted[:foo].map(&:class)
|
164
|
+
# => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
|
165
|
+
```
|
214
166
|
|
167
|
+
The `:message_pack` serializer can fall back to deserializing with
|
168
|
+
`ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
|
169
|
+
serializer can fall back to deserializing with `Marshal` as well as
|
170
|
+
`ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
|
171
|
+
`:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
|
172
|
+
deserializing with `ActiveSupport::MessagePack` when necessary. These
|
173
|
+
behaviors ensure old cookies can still be read so that migration is easier.
|
215
174
|
|
216
|
-
|
175
|
+
*Jonathan Hefner*
|
217
176
|
|
218
|
-
*
|
177
|
+
* Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
|
219
178
|
|
179
|
+
*Gareth Adams*
|
220
180
|
|
221
|
-
|
181
|
+
* Include source location in routes extended view.
|
222
182
|
|
223
|
-
|
224
|
-
|
183
|
+
```bash
|
184
|
+
$ bin/rails routes --expanded
|
225
185
|
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
236
|
-
|
237
|
-
This means if you make multiple requests in the same test, instance variables set in the first request will
|
238
|
-
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
239
|
-
|
240
|
-
*Alex Ghiculescu*
|
241
|
-
|
242
|
-
|
243
|
-
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
244
|
-
|
245
|
-
* No changes.
|
246
|
-
|
247
|
-
|
248
|
-
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
249
|
-
|
250
|
-
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
251
|
-
|
252
|
-
|
253
|
-
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
254
|
-
|
255
|
-
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
256
|
-
|
257
|
-
This helps to better simulate request or job local state being reset between requests and prevent state
|
258
|
-
leaking from one request to another.
|
259
|
-
|
260
|
-
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
186
|
+
...
|
187
|
+
--[ Route 14 ]----------
|
188
|
+
Prefix | new_gist
|
189
|
+
Verb | GET
|
190
|
+
URI | /gist(.:format)
|
191
|
+
Controller#Action | gists/gists#new
|
192
|
+
Source Location | config/routes/gist.rb:3
|
193
|
+
```
|
261
194
|
|
262
|
-
*
|
195
|
+
*Luan Vieira, John Hawthorn and Daniel Colson*
|
263
196
|
|
264
|
-
*
|
197
|
+
* Add `without` as an alias of `except` on `ActiveController::Parameters`.
|
265
198
|
|
266
|
-
*
|
199
|
+
*Hidde-Jan Jongsma*
|
267
200
|
|
268
|
-
*
|
201
|
+
* Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
|
269
202
|
|
270
|
-
*
|
203
|
+
*Jason Kotchoff*
|
271
204
|
|
272
|
-
* Remove deprecated
|
205
|
+
* Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
|
273
206
|
|
274
207
|
*Rafael Mendonça França*
|
275
208
|
|
276
|
-
* Remove deprecated `
|
209
|
+
* Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
|
277
210
|
|
278
211
|
*Rafael Mendonça França*
|
279
212
|
|
280
|
-
*
|
213
|
+
* Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
|
281
214
|
|
282
215
|
*Rafael Mendonça França*
|
283
216
|
|
284
|
-
* Remove deprecated `
|
217
|
+
* Remove deprecated behavior on `Request#content_type`.
|
285
218
|
|
286
219
|
*Rafael Mendonça França*
|
287
220
|
|
288
|
-
*
|
289
|
-
|
290
|
-
This allows `rescue_from` to be used to add a default fallback route:
|
221
|
+
* Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
|
291
222
|
|
292
223
|
```ruby
|
293
|
-
|
294
|
-
|
295
|
-
|
224
|
+
get "/posts?password=test"
|
225
|
+
request.fullpath # => "/posts?password=test"
|
226
|
+
request.filtered_path # => "/posts?password=[FILTERED]"
|
296
227
|
```
|
297
228
|
|
298
|
-
*
|
229
|
+
*Ritikesh G*
|
299
230
|
|
300
|
-
*
|
231
|
+
* Deprecate `AbstractController::Helpers::MissingHelperError`
|
301
232
|
|
302
|
-
|
303
|
-
|
304
|
-
|
233
|
+
*Hartley McGuire*
|
234
|
+
|
235
|
+
* Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
|
236
|
+
a Nokogiri document
|
305
237
|
|
306
238
|
```ruby
|
307
|
-
|
308
|
-
|
309
|
-
|
239
|
+
get "/posts"
|
240
|
+
response.content_type # => "text/html; charset=utf-8"
|
241
|
+
response.parsed_body.class # => Nokogiri::HTML5::Document
|
242
|
+
response.parsed_body.to_html # => "<!DOCTYPE html>\n<html>\n..."
|
310
243
|
```
|
311
244
|
|
312
|
-
*
|
245
|
+
*Sean Doyle*
|
313
246
|
|
314
|
-
*
|
247
|
+
* Deprecate `ActionDispatch::IllegalStateError`.
|
315
248
|
|
316
|
-
|
317
|
-
type (selenium, poltergeist, webkit, rack test).
|
249
|
+
*Samuel Williams*
|
318
250
|
|
319
|
-
|
251
|
+
* Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
|
320
252
|
|
321
|
-
*
|
253
|
+
*Joel Hawksley*, *Kate Higa*
|
322
254
|
|
323
|
-
*
|
255
|
+
* Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
|
256
|
+
It makes the application believe that all requests are arriving over SSL. This is useful
|
257
|
+
when proxying through a load balancer that terminates SSL, the forwarded request will appear
|
258
|
+
as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
|
259
|
+
security target HTTP instead of HTTPS. This middleware makes the server assume that the
|
260
|
+
proxy already terminated SSL, and that the request really is HTTPS.
|
324
261
|
|
325
|
-
|
326
|
-
a `No route matches` error.
|
327
|
-
After this change, routes with newlines are detected on wildcard segments. Example
|
328
|
-
|
329
|
-
```ruby
|
330
|
-
draw do
|
331
|
-
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
332
|
-
end
|
262
|
+
*DHH*
|
333
263
|
|
334
|
-
|
335
|
-
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
336
|
-
```
|
264
|
+
* Only use HostAuthorization middleware if `config.hosts` is not empty
|
337
265
|
|
338
|
-
|
266
|
+
*Hartley McGuire*
|
339
267
|
|
340
|
-
|
268
|
+
* Allow raising an error when a callback's only/unless symbols aren't existing methods.
|
341
269
|
|
342
|
-
|
270
|
+
When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
|
343
271
|
|
344
|
-
|
272
|
+
For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_pack.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
|
345
273
|
|
346
|
-
*
|
274
|
+
*Jess Bees*
|
347
275
|
|
348
|
-
|
349
|
-
After this change you can specify different fields for each numbered parameter.
|
350
|
-
For example params like,
|
351
|
-
```ruby
|
352
|
-
book: {
|
353
|
-
authors_attributes: {
|
354
|
-
'0': { name: "William Shakespeare", age_of_death: "52" },
|
355
|
-
'1': { name: "Unattributed Assistant" },
|
356
|
-
'2': "Not a hash",
|
357
|
-
'new_record': { name: "Some name" }
|
358
|
-
}
|
359
|
-
}
|
360
|
-
```
|
276
|
+
* Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
|
361
277
|
|
362
|
-
|
363
|
-
`permit book: { authors_attributes: [ :name ] }`
|
278
|
+
*RobL*
|
364
279
|
|
365
|
-
|
366
|
-
|
280
|
+
* When a host is not specified for an `ActionController::Renderer`'s env,
|
281
|
+
the host and related options will now be derived from the routes'
|
282
|
+
`default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
|
367
283
|
|
368
|
-
|
284
|
+
This means that for an application with a configuration like:
|
369
285
|
|
370
|
-
|
286
|
+
```ruby
|
287
|
+
Rails.application.default_url_options = { host: "rubyonrails.org" }
|
288
|
+
Rails.application.config.force_ssl = true
|
289
|
+
```
|
371
290
|
|
372
|
-
|
373
|
-
when `config.consider_all_requests_local` is set to true.
|
291
|
+
rendering a URL like:
|
374
292
|
|
375
|
-
|
293
|
+
```ruby
|
294
|
+
ApplicationController.renderer.render inline: "<%= blog_url %>"
|
295
|
+
```
|
376
296
|
|
377
|
-
|
297
|
+
will now return `"https://rubyonrails.org/blog"` instead of
|
298
|
+
`"http://example.org/blog"`.
|
378
299
|
|
379
|
-
*
|
300
|
+
*Jonathan Hefner*
|
380
301
|
|
381
|
-
*
|
302
|
+
* Add details of cookie name and size to `CookieOverflow` exception.
|
382
303
|
|
383
|
-
|
384
|
-
about the request it is responding to.
|
304
|
+
*Andy Waite*
|
385
305
|
|
386
|
-
|
387
|
-
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
388
|
-
|
389
|
-
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
306
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
390
307
|
|
391
|
-
|
308
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
309
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
310
|
+
This bug has been fixed.
|
392
311
|
|
312
|
+
*Alex Ghiculescu*
|
393
313
|
|
394
|
-
|
314
|
+
* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
|
315
|
+
`serial`, `sync-xhr`, `web-share`.
|
395
316
|
|
396
|
-
*
|
317
|
+
*Guillaume Cabanel*
|
397
318
|
|
319
|
+
* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
|
320
|
+
deprecated.
|
398
321
|
|
399
|
-
|
322
|
+
There is no browser support for these directives, and no plan for browser
|
323
|
+
support in the future. You can just remove these directives from your
|
324
|
+
application.
|
400
325
|
|
401
|
-
*
|
402
|
-
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
403
|
-
malformed JSON.
|
326
|
+
*Jonathan Hefner*
|
404
327
|
|
405
|
-
|
328
|
+
* Added the `:status` option to `assert_redirected_to` to specify the precise
|
329
|
+
HTTP status of the redirect. Defaults to `:redirect` for backwards
|
330
|
+
compatibility.
|
406
331
|
|
407
|
-
*
|
332
|
+
*Jon Dufresne*
|
408
333
|
|
409
|
-
*
|
334
|
+
* Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
|
410
335
|
|
411
|
-
|
412
|
-
|
336
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
337
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
338
|
+
clear the cookie and force app users to manually clear it in their browser.
|
413
339
|
|
414
|
-
|
340
|
+
(See #45127 for original bug discussion)
|
415
341
|
|
416
|
-
*
|
342
|
+
*Nathan Bardoux*
|
417
343
|
|
418
|
-
|
419
|
-
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
344
|
+
* Add `HTTP_REFERER` when following redirects on integration tests
|
420
345
|
|
421
|
-
|
346
|
+
This makes `follow_redirect!` a closer simulation of what happens in a real browser
|
422
347
|
|
423
|
-
*
|
348
|
+
*Felipe Sateler*
|
424
349
|
|
425
|
-
|
350
|
+
* Added `exclude?` method to `ActionController::Parameters`.
|
426
351
|
|
427
|
-
|
352
|
+
*Ian Neubert*
|
428
353
|
|
429
|
-
|
354
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
430
355
|
|
431
|
-
*
|
356
|
+
*Nikita Vasilevsky*
|
432
357
|
|
433
|
-
|
434
|
-
are not listed as actions on that controller.
|
358
|
+
* Log redirects from routes the same way as redirects from controllers.
|
435
359
|
|
436
|
-
|
437
|
-
add_flash_types :hype
|
438
|
-
end
|
360
|
+
*Dennis Paagman*
|
439
361
|
|
440
|
-
|
362
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
363
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
364
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
441
365
|
|
442
|
-
*
|
366
|
+
*Jakub Malinowski*
|
443
367
|
|
444
|
-
*
|
368
|
+
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.
|
445
369
|
|
446
|
-
|
370
|
+
You can opt out of `SameSite` by passing `same_site: nil`.
|
447
371
|
|
448
|
-
|
372
|
+
`cookies[:foo] = { value: "bar", same_site: nil }`
|
449
373
|
|
450
|
-
|
374
|
+
Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
|
451
375
|
|
452
|
-
*
|
376
|
+
*Alex Ghiculescu*
|
453
377
|
|
454
|
-
*
|
455
|
-
present in `rescued_responses`.
|
378
|
+
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
456
379
|
|
457
|
-
|
458
|
-
|
459
|
-
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
460
|
-
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
380
|
+
Previously you could access basic helpers (defined in helper modules), but not
|
381
|
+
helper methods defined using `helper_method`. Now you can use either.
|
461
382
|
|
462
|
-
|
383
|
+
```ruby
|
384
|
+
content_security_policy do |p|
|
385
|
+
p.default_src "https://example.com"
|
386
|
+
p.script_src "https://example.com" if helpers.script_csp?
|
387
|
+
end
|
388
|
+
```
|
463
389
|
|
464
|
-
*
|
390
|
+
*Alex Ghiculescu*
|
465
391
|
|
466
|
-
|
392
|
+
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
467
393
|
|
468
|
-
|
394
|
+
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
395
|
+
The new implementation takes care of conversions.
|
469
396
|
|
470
|
-
*
|
397
|
+
*Seva Stefkin*
|
471
398
|
|
472
|
-
*
|
399
|
+
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
400
|
+
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
401
|
+
with keys that aren't strings or symbols.
|
473
402
|
|
474
|
-
*
|
403
|
+
*Seva Stefkin*
|
475
404
|
|
476
|
-
*
|
405
|
+
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
477
406
|
|
478
|
-
|
407
|
+
By default, the token will be stored in the session. Custom classes can be
|
408
|
+
defined to specify arbitrary behavior, but the ability to store them in
|
409
|
+
encrypted cookies is built in.
|
479
410
|
|
480
|
-
*
|
411
|
+
*Andrew Kowpak*
|
481
412
|
|
482
|
-
*
|
413
|
+
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
483
414
|
|
484
415
|
*Gannon McGibbon*
|
485
416
|
|
486
|
-
*
|
417
|
+
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
487
418
|
|
488
|
-
|
419
|
+
Use these as an alternative to the already-available environment variables.
|
489
420
|
|
490
|
-
|
421
|
+
For example, this will display a screenshot in iTerm, save the HTML, and output
|
422
|
+
its path.
|
491
423
|
|
492
|
-
|
424
|
+
```ruby
|
425
|
+
take_screenshot(html: true, screenshot: "inline")
|
426
|
+
```
|
493
427
|
|
494
|
-
|
428
|
+
*Alex Ghiculescu*
|
495
429
|
|
496
|
-
|
430
|
+
* Allow `ActionController::Parameters#to_h` to receive a block.
|
497
431
|
|
498
|
-
*
|
432
|
+
*Bob Farrell*
|
499
433
|
|
500
|
-
|
434
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
501
435
|
|
502
|
-
*
|
436
|
+
*Tom Hughes*
|
503
437
|
|
504
|
-
*
|
438
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
505
439
|
|
506
|
-
*
|
440
|
+
*Tim Wade*
|
507
441
|
|
508
|
-
*
|
442
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
509
443
|
|
510
|
-
|
444
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
511
445
|
|
512
|
-
|
446
|
+
```ruby
|
447
|
+
authenticate_with_http_basic do |token, _|
|
448
|
+
ApiClient.authenticate(token)
|
449
|
+
end
|
450
|
+
```
|
513
451
|
|
514
|
-
|
515
|
-
know which controller action received unpermitted parameters.
|
452
|
+
This ability is restored.
|
516
453
|
|
517
|
-
*
|
454
|
+
*Jean Boussier*
|
518
455
|
|
519
|
-
*
|
456
|
+
* Fix `content_security_policy` returning invalid directives.
|
520
457
|
|
521
|
-
|
522
|
-
|
523
|
-
|
458
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
459
|
+
single quoted when the directive was the result of calling a lambda
|
460
|
+
returning an array.
|
524
461
|
|
525
|
-
|
526
|
-
|
527
|
-
|
462
|
+
```ruby
|
463
|
+
content_security_policy do |policy|
|
464
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
528
465
|
end
|
529
466
|
```
|
530
467
|
|
531
|
-
|
468
|
+
With this fix the policy generated from above will now be valid.
|
532
469
|
|
533
|
-
*
|
470
|
+
*Edouard Chin*
|
534
471
|
|
535
|
-
|
472
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
473
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
474
|
+
defined callback.
|
536
475
|
|
537
|
-
|
476
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
477
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
538
478
|
|
539
|
-
|
540
|
-
This behavior changed to returned Content-Type header containing charset part as it is.
|
479
|
+
*Brad Trick*
|
541
480
|
|
542
|
-
|
481
|
+
* Make `redirect_to` return an empty response body.
|
543
482
|
|
544
|
-
|
483
|
+
Application controllers that wish to add a response body after calling
|
484
|
+
`redirect_to` can continue to do so.
|
545
485
|
|
546
|
-
|
547
|
-
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
548
|
-
request.content_type #=> "text/csv"
|
549
|
-
```
|
486
|
+
*Jon Dufresne*
|
550
487
|
|
551
|
-
|
488
|
+
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
552
489
|
|
553
|
-
|
554
|
-
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
555
|
-
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
556
|
-
request.media_type #=> "text/csv"
|
557
|
-
```
|
490
|
+
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
558
491
|
|
559
|
-
*
|
492
|
+
*Sam Bostock*
|
560
493
|
|
561
|
-
*
|
494
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
562
495
|
|
563
|
-
|
496
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
497
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
564
498
|
|
565
|
-
|
499
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
500
|
+
`ActionController::Live` controllers.
|
566
501
|
|
567
|
-
*
|
502
|
+
*Jean Boussier*
|
568
503
|
|
569
|
-
*
|
504
|
+
* Fix setting `trailing_slash: true` in route definition.
|
505
|
+
|
506
|
+
```ruby
|
507
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
570
508
|
|
571
|
-
|
509
|
+
test_path() # => "/test/"
|
510
|
+
```
|
572
511
|
|
573
|
-
*
|
512
|
+
*Jean Boussier*
|
574
513
|
|
575
|
-
|
514
|
+
* Make `Session#merge!` stringify keys.
|
576
515
|
|
577
|
-
|
578
|
-
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
579
|
-
with a single value or an enumerable.
|
516
|
+
Previously `Session#update` would, but `merge!` wouldn't.
|
580
517
|
|
581
|
-
|
518
|
+
*Drew Bragg*
|
582
519
|
|
583
|
-
|
520
|
+
* Add `:unsafe_hashes` mapping for `content_security_policy`
|
584
521
|
|
585
|
-
|
586
|
-
|
522
|
+
```ruby
|
523
|
+
# Before
|
524
|
+
policy.script_src :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
587
525
|
|
588
|
-
|
526
|
+
# After
|
527
|
+
policy.script_src :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
528
|
+
```
|
589
529
|
|
530
|
+
*Igor Morozov*
|
590
531
|
|
591
|
-
Please check [
|
532
|
+
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
|