actionpack 7.1.5.1 → 7.2.0.beta1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +61 -642
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +102 -98
- data/lib/abstract_controller/caching/fragments.rb +50 -53
- data/lib/abstract_controller/caching.rb +2 -0
- data/lib/abstract_controller/callbacks.rb +66 -64
- data/lib/abstract_controller/collector.rb +6 -6
- data/lib/abstract_controller/deprecator.rb +2 -0
- data/lib/abstract_controller/error.rb +2 -0
- data/lib/abstract_controller/helpers.rb +70 -85
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/rendering.rb +13 -12
- data/lib/abstract_controller/translation.rb +12 -13
- data/lib/abstract_controller/url_for.rb +8 -6
- data/lib/abstract_controller.rb +2 -0
- data/lib/action_controller/api/api_rendering.rb +2 -0
- data/lib/action_controller/api.rb +74 -72
- data/lib/action_controller/base.rb +155 -117
- data/lib/action_controller/caching.rb +15 -12
- data/lib/action_controller/deprecator.rb +2 -0
- data/lib/action_controller/form_builder.rb +20 -17
- data/lib/action_controller/log_subscriber.rb +3 -1
- data/lib/action_controller/metal/allow_browser.rb +119 -0
- data/lib/action_controller/metal/basic_implicit_render.rb +2 -0
- data/lib/action_controller/metal/conditional_get.rb +188 -174
- data/lib/action_controller/metal/content_security_policy.rb +25 -24
- data/lib/action_controller/metal/cookies.rb +4 -2
- data/lib/action_controller/metal/data_streaming.rb +64 -55
- data/lib/action_controller/metal/default_headers.rb +5 -3
- data/lib/action_controller/metal/etag_with_flash.rb +3 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +17 -15
- data/lib/action_controller/metal/exceptions.rb +11 -9
- data/lib/action_controller/metal/flash.rb +12 -10
- data/lib/action_controller/metal/head.rb +12 -10
- data/lib/action_controller/metal/helpers.rb +63 -55
- data/lib/action_controller/metal/http_authentication.rb +214 -203
- data/lib/action_controller/metal/implicit_render.rb +17 -15
- data/lib/action_controller/metal/instrumentation.rb +15 -12
- data/lib/action_controller/metal/live.rb +113 -107
- data/lib/action_controller/metal/logging.rb +6 -4
- data/lib/action_controller/metal/mime_responds.rb +151 -142
- data/lib/action_controller/metal/parameter_encoding.rb +34 -32
- data/lib/action_controller/metal/params_wrapper.rb +57 -59
- data/lib/action_controller/metal/permissions_policy.rb +13 -12
- data/lib/action_controller/metal/rate_limiting.rb +62 -0
- data/lib/action_controller/metal/redirecting.rb +108 -82
- data/lib/action_controller/metal/renderers.rb +50 -49
- data/lib/action_controller/metal/rendering.rb +103 -75
- data/lib/action_controller/metal/request_forgery_protection.rb +162 -133
- data/lib/action_controller/metal/rescue.rb +11 -9
- data/lib/action_controller/metal/streaming.rb +138 -136
- data/lib/action_controller/metal/strong_parameters.rb +483 -478
- data/lib/action_controller/metal/testing.rb +2 -0
- data/lib/action_controller/metal/url_for.rb +17 -15
- data/lib/action_controller/metal.rb +58 -57
- data/lib/action_controller/railtie.rb +3 -0
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +42 -36
- data/lib/action_controller/template_assertions.rb +4 -2
- data/lib/action_controller/test_case.rb +146 -126
- data/lib/action_controller.rb +5 -1
- data/lib/action_dispatch/constants.rb +2 -0
- data/lib/action_dispatch/deprecator.rb +2 -0
- data/lib/action_dispatch/http/cache.rb +27 -26
- data/lib/action_dispatch/http/content_disposition.rb +2 -0
- data/lib/action_dispatch/http/content_security_policy.rb +48 -59
- data/lib/action_dispatch/http/filter_parameters.rb +13 -14
- data/lib/action_dispatch/http/filter_redirect.rb +15 -1
- data/lib/action_dispatch/http/headers.rb +22 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +30 -41
- data/lib/action_dispatch/http/mime_type.rb +25 -21
- data/lib/action_dispatch/http/mime_types.rb +2 -0
- data/lib/action_dispatch/http/parameters.rb +11 -9
- data/lib/action_dispatch/http/permissions_policy.rb +26 -36
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +75 -95
- data/lib/action_dispatch/http/response.rb +61 -61
- data/lib/action_dispatch/http/upload.rb +18 -16
- data/lib/action_dispatch/http/url.rb +75 -73
- data/lib/action_dispatch/journey/formatter.rb +13 -6
- data/lib/action_dispatch/journey/gtg/builder.rb +4 -3
- data/lib/action_dispatch/journey/gtg/simulator.rb +2 -0
- data/lib/action_dispatch/journey/gtg/transition_table.rb +10 -8
- data/lib/action_dispatch/journey/nfa/dot.rb +2 -0
- data/lib/action_dispatch/journey/nodes/node.rb +6 -5
- data/lib/action_dispatch/journey/parser.rb +4 -3
- data/lib/action_dispatch/journey/parser_extras.rb +2 -0
- data/lib/action_dispatch/journey/path/pattern.rb +4 -1
- data/lib/action_dispatch/journey/route.rb +9 -7
- data/lib/action_dispatch/journey/router/utils.rb +16 -15
- data/lib/action_dispatch/journey/router.rb +4 -2
- data/lib/action_dispatch/journey/routes.rb +4 -2
- data/lib/action_dispatch/journey/scanner.rb +4 -2
- data/lib/action_dispatch/journey/visitors.rb +2 -0
- data/lib/action_dispatch/journey.rb +2 -0
- data/lib/action_dispatch/log_subscriber.rb +2 -0
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +2 -0
- data/lib/action_dispatch/middleware/assume_ssl.rb +8 -5
- data/lib/action_dispatch/middleware/callbacks.rb +3 -1
- data/lib/action_dispatch/middleware/cookies.rb +119 -104
- data/lib/action_dispatch/middleware/debug_exceptions.rb +13 -5
- data/lib/action_dispatch/middleware/debug_locks.rb +15 -13
- data/lib/action_dispatch/middleware/debug_view.rb +2 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +6 -11
- data/lib/action_dispatch/middleware/executor.rb +2 -0
- data/lib/action_dispatch/middleware/flash.rb +63 -51
- data/lib/action_dispatch/middleware/host_authorization.rb +17 -15
- data/lib/action_dispatch/middleware/public_exceptions.rb +8 -6
- data/lib/action_dispatch/middleware/reloader.rb +5 -3
- data/lib/action_dispatch/middleware/remote_ip.rb +77 -72
- data/lib/action_dispatch/middleware/request_id.rb +14 -9
- data/lib/action_dispatch/middleware/server_timing.rb +4 -2
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +13 -8
- data/lib/action_dispatch/middleware/session/cookie_store.rb +27 -26
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +7 -3
- data/lib/action_dispatch/middleware/show_exceptions.rb +16 -16
- data/lib/action_dispatch/middleware/ssl.rb +43 -40
- data/lib/action_dispatch/middleware/stack.rb +11 -10
- data/lib/action_dispatch/middleware/static.rb +33 -31
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +1 -1
- data/lib/action_dispatch/railtie.rb +2 -3
- data/lib/action_dispatch/request/session.rb +23 -21
- data/lib/action_dispatch/request/utils.rb +2 -0
- data/lib/action_dispatch/routing/endpoint.rb +2 -0
- data/lib/action_dispatch/routing/inspector.rb +6 -4
- data/lib/action_dispatch/routing/mapper.rb +623 -625
- data/lib/action_dispatch/routing/polymorphic_routes.rb +69 -62
- data/lib/action_dispatch/routing/redirection.rb +37 -32
- data/lib/action_dispatch/routing/route_set.rb +60 -46
- data/lib/action_dispatch/routing/routes_proxy.rb +6 -4
- data/lib/action_dispatch/routing/url_for.rb +130 -125
- data/lib/action_dispatch/routing.rb +150 -148
- data/lib/action_dispatch/system_test_case.rb +91 -81
- data/lib/action_dispatch/system_testing/browser.rb +4 -2
- data/lib/action_dispatch/system_testing/driver.rb +2 -0
- data/lib/action_dispatch/system_testing/server.rb +2 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +32 -21
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +2 -0
- data/lib/action_dispatch/testing/assertion_response.rb +8 -6
- data/lib/action_dispatch/testing/assertions/response.rb +26 -23
- data/lib/action_dispatch/testing/assertions/routing.rb +153 -84
- data/lib/action_dispatch/testing/assertions.rb +2 -0
- data/lib/action_dispatch/testing/integration.rb +223 -222
- data/lib/action_dispatch/testing/request_encoder.rb +2 -0
- data/lib/action_dispatch/testing/test_helpers/page_dump_helper.rb +35 -0
- data/lib/action_dispatch/testing/test_process.rb +12 -8
- data/lib/action_dispatch/testing/test_request.rb +3 -1
- data/lib/action_dispatch/testing/test_response.rb +27 -26
- data/lib/action_dispatch.rb +22 -32
- data/lib/action_pack/gem_version.rb +6 -4
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +17 -16
- metadata +33 -16
data/CHANGELOG.md
CHANGED
@@ -1,70 +1,4 @@
|
|
1
|
-
## Rails 7.
|
2
|
-
|
3
|
-
* Add validation to content security policies to disallow spaces and semicolons.
|
4
|
-
Developers should use multiple arguments, and different directive methods instead.
|
5
|
-
|
6
|
-
[CVE-2024-54133]
|
7
|
-
|
8
|
-
*Gannon McGibbon*
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 7.1.5 (October 30, 2024) ##
|
12
|
-
|
13
|
-
* No changes.
|
14
|
-
|
15
|
-
|
16
|
-
## Rails 7.1.4.2 (October 23, 2024) ##
|
17
|
-
|
18
|
-
* No changes.
|
19
|
-
|
20
|
-
|
21
|
-
## Rails 7.1.4.1 (October 15, 2024) ##
|
22
|
-
|
23
|
-
* Avoid regex backtracking in HTTP Token authentication
|
24
|
-
|
25
|
-
[CVE-2024-47887]
|
26
|
-
|
27
|
-
*John Hawthorn*
|
28
|
-
|
29
|
-
* Avoid regex backtracking in query parameter filtering
|
30
|
-
|
31
|
-
[CVE-2024-41128]
|
32
|
-
|
33
|
-
*John Hawthorn*
|
34
|
-
|
35
|
-
## Rails 7.1.4 (August 22, 2024) ##
|
36
|
-
|
37
|
-
* Resolve deprecation warning in latest `selenium-webdriver`.
|
38
|
-
|
39
|
-
*Earlopain*
|
40
|
-
|
41
|
-
* Don't preload Selenium browser when remote.
|
42
|
-
|
43
|
-
*Noah Horton*
|
44
|
-
|
45
|
-
* Fix crash for invalid Content-Type in ShowExceptions middleware.
|
46
|
-
|
47
|
-
*Earlopain*
|
48
|
-
|
49
|
-
* Fix inconsistent results of `params.deep_transform_keys`.
|
50
|
-
|
51
|
-
*Iago Pimenta*
|
52
|
-
|
53
|
-
* Do not report rendered errors except 500.
|
54
|
-
|
55
|
-
*Nikita Vasilevsky*
|
56
|
-
|
57
|
-
* Improve routes source location detection.
|
58
|
-
|
59
|
-
*Jean Boussier*
|
60
|
-
|
61
|
-
* Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
|
62
|
-
|
63
|
-
*Hartley McGuire*
|
64
|
-
|
65
|
-
* Fix url generation in nested engine when script name is empty.
|
66
|
-
|
67
|
-
*zzak*
|
1
|
+
## Rails 7.2.0.beta1 (May 29, 2024) ##
|
68
2
|
|
69
3
|
* Fix `Mime::Type.parse` handling type parameters for HTTP Accept headers.
|
70
4
|
|
@@ -75,6 +9,13 @@
|
|
75
9
|
|
76
10
|
*Joshua Young*
|
77
11
|
|
12
|
+
* Add `save_and_open_page` helper to `IntegrationTest`.
|
13
|
+
|
14
|
+
`save_and_open_page` is a helpful helper to keep a short feedback loop when working on system tests.
|
15
|
+
A similar helper with matching signature has been added to integration tests.
|
16
|
+
|
17
|
+
*Joé Dupuis*
|
18
|
+
|
78
19
|
* Fix a regression in 7.1.3 passing a `to:` option without a controller when the controller is already defined by a scope.
|
79
20
|
|
80
21
|
```ruby
|
@@ -87,633 +28,111 @@
|
|
87
28
|
|
88
29
|
*Étienne Barrié*
|
89
30
|
|
90
|
-
*
|
91
|
-
|
92
|
-
In the default production environment, `ShowExceptions` rescues uncaught errors
|
93
|
-
and returns a response. Because of this the executor wouldn't report production
|
94
|
-
errors with the default Rails configuration.
|
95
|
-
|
96
|
-
*Jean Boussier*
|
97
|
-
|
98
|
-
|
99
|
-
## Rails 7.1.3.4 (June 04, 2024) ##
|
100
|
-
|
101
|
-
* Include the HTTP Permissions-Policy on non-HTML Content-Types
|
102
|
-
[CVE-2024-28103]
|
103
|
-
|
104
|
-
*Aaron Patterson*
|
105
|
-
|
106
|
-
## Rails 7.1.3.3 (May 16, 2024) ##
|
107
|
-
|
108
|
-
* No changes.
|
109
|
-
|
110
|
-
|
111
|
-
## Rails 7.1.3.2 (February 21, 2024) ##
|
112
|
-
|
113
|
-
* Fix `raise_on_missing_translations` not working correctly with the
|
114
|
-
`translate` method in controllers after the patch for CVE-2024-26143.
|
115
|
-
|
116
|
-
*John Hawthorn*
|
117
|
-
|
118
|
-
## Rails 7.1.3.1 (February 21, 2024) ##
|
119
|
-
|
120
|
-
* Fix possible XSS vulnerability with the `translate` method in controllers
|
121
|
-
|
122
|
-
CVE-2024-26143
|
31
|
+
* Request Forgery takes relative paths into account.
|
123
32
|
|
124
|
-
*
|
33
|
+
*Stefan Wienert*
|
125
34
|
|
126
|
-
*
|
127
|
-
|
128
|
-
CVE-2024-26142
|
129
|
-
|
130
|
-
*Aaron Patterson*
|
131
|
-
|
132
|
-
## Rails 7.1.3 (January 16, 2024) ##
|
133
|
-
|
134
|
-
* Fix including `Rails.application.routes.url_helpers` directly in an
|
135
|
-
`ActiveSupport::Concern.`
|
136
|
-
|
137
|
-
*Jonathan Hefner*
|
138
|
-
|
139
|
-
* Fix system tests when using a Chrome binary that has been downloaded by
|
140
|
-
Selenium.
|
141
|
-
|
142
|
-
*Jonathan Hefner*
|
143
|
-
|
144
|
-
|
145
|
-
## Rails 7.1.2 (November 10, 2023) ##
|
146
|
-
|
147
|
-
* Fix a race condition that could cause a `Text file busy - chromedriver`
|
148
|
-
error with parallel system tests
|
149
|
-
|
150
|
-
*Matt Brictson*
|
151
|
-
|
152
|
-
* Fix `StrongParameters#extract_value` to include blank values
|
153
|
-
|
154
|
-
Otherwise composite parameters may not be parsed correctly when one of the
|
155
|
-
component is blank.
|
156
|
-
|
157
|
-
*fatkodima*, *Yasha Krasnou*, *Matthias Eiglsperger*
|
158
|
-
|
159
|
-
* Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
|
35
|
+
* Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.
|
160
36
|
|
161
|
-
*
|
162
|
-
|
163
|
-
* Support handling Enumerator for non-buffered responses.
|
164
|
-
|
165
|
-
*Zachary Scott*
|
166
|
-
|
167
|
-
|
168
|
-
## Rails 7.1.1 (October 11, 2023) ##
|
169
|
-
|
170
|
-
* No changes.
|
171
|
-
|
172
|
-
|
173
|
-
## Rails 7.1.0 (October 05, 2023) ##
|
174
|
-
|
175
|
-
* No changes.
|
176
|
-
|
177
|
-
|
178
|
-
## Rails 7.1.0.rc2 (October 01, 2023) ##
|
179
|
-
|
180
|
-
* No changes.
|
181
|
-
|
182
|
-
|
183
|
-
## Rails 7.1.0.rc1 (September 27, 2023) ##
|
184
|
-
|
185
|
-
* Add support for `#deep_merge` and `#deep_merge!` to
|
186
|
-
`ActionController::Parameters`.
|
187
|
-
|
188
|
-
*Sean Doyle*
|
189
|
-
|
190
|
-
|
191
|
-
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
192
|
-
|
193
|
-
* `AbstractController::Translation.raise_on_missing_translations` removed
|
194
|
-
|
195
|
-
This was a private API, and has been removed in favour of a more broadly applicable
|
196
|
-
`config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
|
197
|
-
|
198
|
-
*Alex Ghiculescu*
|
199
|
-
|
200
|
-
* Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
|
201
|
-
|
202
|
-
```ruby
|
203
|
-
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
|
204
|
-
params.extract_value(:id) # => ["1", "123"]
|
205
|
-
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
|
206
|
-
```
|
207
|
-
|
208
|
-
*Nikita Vasilevsky*
|
209
|
-
|
210
|
-
* Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
|
211
|
-
|
212
|
-
Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
|
213
|
-
of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
|
214
|
-
that it's pattern-matching compatible.
|
215
|
-
|
216
|
-
*Sean Doyle*
|
217
|
-
|
218
|
-
* Add support for Playwright as a driver for system tests.
|
219
|
-
|
220
|
-
*Yuki Nishijima*
|
221
|
-
|
222
|
-
* Fix `HostAuthorization` potentially displaying the value of the
|
223
|
-
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
224
|
-
|
225
|
-
*Hartley McGuire*, *Daniel Schlosser*
|
226
|
-
|
227
|
-
* Rename `fixture_file_upload` method to `file_fixture_upload`
|
228
|
-
|
229
|
-
Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
|
230
|
-
|
231
|
-
*Sean Doyle*
|
232
|
-
|
233
|
-
* `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
|
234
|
-
|
235
|
-
*Matija Čupić*
|
236
|
-
|
237
|
-
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
238
|
-
`ActionDispatch::Assertions#html_document`.
|
239
|
-
|
240
|
-
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
241
|
-
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
242
|
-
Nokogiri's HTML4 parser.
|
243
|
-
|
244
|
-
*Mike Dalessio*
|
245
|
-
|
246
|
-
* Ensure an uncaught exception when rendering a Turbo Frame properly breaks
|
247
|
-
out of the Frame and shows the `DebugView` error page in development.
|
37
|
+
*DHH*
|
248
38
|
|
249
|
-
|
39
|
+
* Add `allow_browser` to set minimum browser versions for the application.
|
250
40
|
|
251
|
-
|
252
|
-
be setup before each test, and reset after every test. For example:
|
41
|
+
A browser that's blocked will by default be served the file in `public/406-unsupported-browser.html` with a HTTP status code of "406 Not Acceptable".
|
253
42
|
|
254
43
|
```ruby
|
255
|
-
class
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
resources :authors
|
260
|
-
end
|
261
|
-
end
|
44
|
+
class ApplicationController < ActionController::Base
|
45
|
+
# Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
|
46
|
+
allow_browser versions: :modern
|
47
|
+
end
|
262
48
|
|
263
|
-
|
264
|
-
|
265
|
-
|
49
|
+
class ApplicationController < ActionController::Base
|
50
|
+
# All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
|
51
|
+
allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
|
52
|
+
end
|
266
53
|
|
267
|
-
|
268
|
-
|
269
|
-
|
54
|
+
class MessagesController < ApplicationController
|
55
|
+
# In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
|
56
|
+
allow_browser versions: { opera: 104, chrome: 119 }, only: :show
|
270
57
|
end
|
271
58
|
```
|
272
59
|
|
273
|
-
*
|
274
|
-
|
275
|
-
* The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
|
276
|
-
When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
|
277
|
-
To keep the current functionality, a fallback is created to look for the media-type without the parameters.
|
278
|
-
|
279
|
-
This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
|
280
|
-
|
281
|
-
*Nicolas Erni*
|
282
|
-
|
283
|
-
* The url_for helpers now support a new option called `path_params`.
|
284
|
-
This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
|
60
|
+
*DHH*
|
285
61
|
|
286
|
-
|
62
|
+
* Add rate limiting API.
|
287
63
|
|
288
64
|
```ruby
|
289
|
-
|
290
|
-
|
291
|
-
get "dashboard" => "pages#dashboard", as: :dashboard
|
292
|
-
get "search/:term" => "search#search", as: :search
|
293
|
-
end
|
294
|
-
delete "signout" => "sessions#destroy", as: :signout
|
65
|
+
class SessionsController < ApplicationController
|
66
|
+
rate_limit to: 10, within: 3.minutes, only: :create
|
295
67
|
end
|
296
|
-
```
|
297
68
|
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
class ApplicationController < ActionController::Base
|
302
|
-
def default_url_options
|
303
|
-
{ path_params: { account_id: "foo" } }
|
304
|
-
end
|
69
|
+
class SignupsController < ApplicationController
|
70
|
+
rate_limit to: 1000, within: 10.seconds,
|
71
|
+
by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new
|
305
72
|
end
|
306
73
|
```
|
307
74
|
|
308
|
-
|
309
|
-
|
310
|
-
```ruby
|
311
|
-
dashboard_path # => /foo/dashboard
|
312
|
-
dashboard_path(account_id: "bar") # => /bar/dashboard
|
313
|
-
|
314
|
-
signout_path # => /signout
|
315
|
-
signout_path(account_id: "bar") # => /signout?account_id=bar
|
316
|
-
signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
|
317
|
-
search_path("quin") # => /foo/search/quin
|
318
|
-
```
|
319
|
-
|
320
|
-
*Jason Meller, Jeremy Beker*
|
321
|
-
|
322
|
-
* Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
|
323
|
-
`:none`. `:all` and `:none` behave the same as the previous `true` and
|
324
|
-
`false` respectively. The new `:rescuable` option will only show exceptions
|
325
|
-
that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
|
326
|
-
now the default for the test environment.
|
327
|
-
|
328
|
-
*Jon Dufresne*
|
329
|
-
|
330
|
-
* `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
|
331
|
-
`:message_pack_allow_marshal` as serializers. These serializers require the
|
332
|
-
[`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
|
333
|
-
|
334
|
-
The Message Pack format can provide improved performance and smaller payload
|
335
|
-
sizes. It also supports roundtripping some Ruby types that are not supported
|
336
|
-
by JSON. For example:
|
75
|
+
*DHH*, *Jean Boussier*
|
337
76
|
|
338
|
-
|
339
|
-
cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
|
77
|
+
* Add `image/svg+xml` to the compressible content types of `ActionDispatch::Static`.
|
340
78
|
|
341
|
-
|
342
|
-
cookies.encrypted[:foo]
|
343
|
-
# => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
|
344
|
-
cookies.encrypted[:foo].map(&:class)
|
345
|
-
# => [Hash, Hash, String, String]
|
79
|
+
*Georg Ledermann*
|
346
80
|
|
347
|
-
|
348
|
-
cookies.encrypted[:foo]
|
349
|
-
# => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
|
350
|
-
cookies.encrypted[:foo].map(&:class)
|
351
|
-
# => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
|
352
|
-
```
|
81
|
+
* Add instrumentation for `ActionController::Live#send_stream`.
|
353
82
|
|
354
|
-
|
355
|
-
`ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
|
356
|
-
serializer can fall back to deserializing with `Marshal` as well as
|
357
|
-
`ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
|
358
|
-
`:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
|
359
|
-
deserializing with `ActiveSupport::MessagePack` when necessary. These
|
360
|
-
behaviors ensure old cookies can still be read so that migration is easier.
|
83
|
+
Allows subscribing to `send_stream` events. The event payload contains the filename, disposition, and type.
|
361
84
|
|
362
|
-
*
|
85
|
+
*Hannah Ramadan*
|
363
86
|
|
364
|
-
*
|
87
|
+
* Add support for `with_routing` test helper in `ActionDispatch::IntegrationTest`.
|
365
88
|
|
366
|
-
*
|
367
|
-
|
368
|
-
* Include source location in routes extended view.
|
369
|
-
|
370
|
-
```bash
|
371
|
-
$ bin/rails routes --expanded
|
372
|
-
|
373
|
-
...
|
374
|
-
--[ Route 14 ]----------
|
375
|
-
Prefix | new_gist
|
376
|
-
Verb | GET
|
377
|
-
URI | /gist(.:format)
|
378
|
-
Controller#Action | gists/gists#new
|
379
|
-
Source Location | config/routes/gist.rb:3
|
380
|
-
```
|
381
|
-
|
382
|
-
*Luan Vieira, John Hawthorn and Daniel Colson*
|
383
|
-
|
384
|
-
* Add `without` as an alias of `except` on `ActiveController::Parameters`.
|
385
|
-
|
386
|
-
*Hidde-Jan Jongsma*
|
387
|
-
|
388
|
-
* Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
|
389
|
-
|
390
|
-
*Jason Kotchoff*
|
89
|
+
*Gannon McGibbon*
|
391
90
|
|
392
|
-
* Remove deprecated `
|
91
|
+
* Remove deprecated support to set `Rails.application.config.action_dispatch.show_exceptions` to `true` and `false`.
|
393
92
|
|
394
93
|
*Rafael Mendonça França*
|
395
94
|
|
396
|
-
* Remove deprecated
|
95
|
+
* Remove deprecated `speaker`, `vibrate`, and `vr` permissions policy directives.
|
397
96
|
|
398
97
|
*Rafael Mendonça França*
|
399
98
|
|
400
|
-
*
|
99
|
+
* Remove deprecated `Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type`.
|
401
100
|
|
402
101
|
*Rafael Mendonça França*
|
403
102
|
|
404
|
-
*
|
103
|
+
* Deprecate `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
|
405
104
|
|
406
105
|
*Rafael Mendonça França*
|
407
106
|
|
408
|
-
*
|
409
|
-
|
410
|
-
```ruby
|
411
|
-
get "/posts?password=test"
|
412
|
-
request.fullpath # => "/posts?password=test"
|
413
|
-
request.filtered_path # => "/posts?password=[FILTERED]"
|
414
|
-
```
|
415
|
-
|
416
|
-
*Ritikesh G*
|
417
|
-
|
418
|
-
* Deprecate `AbstractController::Helpers::MissingHelperError`
|
419
|
-
|
420
|
-
*Hartley McGuire*
|
421
|
-
|
422
|
-
* Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
|
423
|
-
a Nokogiri document
|
107
|
+
* Remove deprecated comparison between `ActionController::Parameters` and `Hash`.
|
424
108
|
|
425
|
-
|
426
|
-
get "/posts"
|
427
|
-
response.content_type # => "text/html; charset=utf-8"
|
428
|
-
response.parsed_body.class # => Nokogiri::HTML5::Document
|
429
|
-
response.parsed_body.to_html # => "<!DOCTYPE html>\n<html>\n..."
|
430
|
-
```
|
431
|
-
|
432
|
-
*Sean Doyle*
|
433
|
-
|
434
|
-
* Deprecate `ActionDispatch::IllegalStateError`.
|
435
|
-
|
436
|
-
*Samuel Williams*
|
109
|
+
*Rafael Mendonça França*
|
437
110
|
|
438
|
-
*
|
111
|
+
* Remove deprecated constant `AbstractController::Helpers::MissingHelperError`.
|
439
112
|
|
440
|
-
*
|
113
|
+
*Rafael Mendonça França*
|
441
114
|
|
442
|
-
*
|
443
|
-
|
444
|
-
when proxying through a load balancer that terminates SSL, the forwarded request will appear
|
445
|
-
as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
|
446
|
-
security target HTTP instead of HTTPS. This middleware makes the server assume that the
|
447
|
-
proxy already terminated SSL, and that the request really is HTTPS.
|
115
|
+
* Fix a race condition that could cause a `Text file busy - chromedriver`
|
116
|
+
error with parallel system tests.
|
448
117
|
|
449
|
-
*
|
118
|
+
*Matt Brictson*
|
450
119
|
|
451
|
-
*
|
120
|
+
* Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
|
452
121
|
|
453
122
|
*Hartley McGuire*
|
123
|
+
* Remove deprecated constant `ActionDispatch::IllegalStateError`.
|
454
124
|
|
455
|
-
*
|
456
|
-
|
457
|
-
When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
|
458
|
-
|
459
|
-
For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_controller.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
|
460
|
-
|
461
|
-
*Jess Bees*
|
462
|
-
|
463
|
-
* Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
|
464
|
-
|
465
|
-
*RobL*
|
466
|
-
|
467
|
-
* When a host is not specified for an `ActionController::Renderer`'s env,
|
468
|
-
the host and related options will now be derived from the routes'
|
469
|
-
`default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
|
470
|
-
|
471
|
-
This means that for an application with a configuration like:
|
472
|
-
|
473
|
-
```ruby
|
474
|
-
Rails.application.default_url_options = { host: "rubyonrails.org" }
|
475
|
-
Rails.application.config.force_ssl = true
|
476
|
-
```
|
477
|
-
|
478
|
-
rendering a URL like:
|
479
|
-
|
480
|
-
```ruby
|
481
|
-
ApplicationController.renderer.render inline: "<%= blog_url %>"
|
482
|
-
```
|
483
|
-
|
484
|
-
will now return `"https://rubyonrails.org/blog"` instead of
|
485
|
-
`"http://example.org/blog"`.
|
486
|
-
|
487
|
-
*Jonathan Hefner*
|
488
|
-
|
489
|
-
* Add details of cookie name and size to `CookieOverflow` exception.
|
490
|
-
|
491
|
-
*Andy Waite*
|
492
|
-
|
493
|
-
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
494
|
-
|
495
|
-
Previously if you set `config.active_record.query_log_tags` to an array that included
|
496
|
-
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
497
|
-
This bug has been fixed.
|
498
|
-
|
499
|
-
*Alex Ghiculescu*
|
500
|
-
|
501
|
-
* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
|
502
|
-
`serial`, `sync-xhr`, `web-share`.
|
503
|
-
|
504
|
-
*Guillaume Cabanel*
|
505
|
-
|
506
|
-
* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
|
507
|
-
deprecated.
|
508
|
-
|
509
|
-
There is no browser support for these directives, and no plan for browser
|
510
|
-
support in the future. You can just remove these directives from your
|
511
|
-
application.
|
512
|
-
|
513
|
-
*Jonathan Hefner*
|
514
|
-
|
515
|
-
* Added the `:status` option to `assert_redirected_to` to specify the precise
|
516
|
-
HTTP status of the redirect. Defaults to `:redirect` for backwards
|
517
|
-
compatibility.
|
518
|
-
|
519
|
-
*Jon Dufresne*
|
520
|
-
|
521
|
-
* Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
|
522
|
-
|
523
|
-
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
524
|
-
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
525
|
-
clear the cookie and force app users to manually clear it in their browser.
|
526
|
-
|
527
|
-
(See #45127 for original bug discussion)
|
528
|
-
|
529
|
-
*Nathan Bardoux*
|
530
|
-
|
531
|
-
* Add `HTTP_REFERER` when following redirects on integration tests
|
532
|
-
|
533
|
-
This makes `follow_redirect!` a closer simulation of what happens in a real browser
|
534
|
-
|
535
|
-
*Felipe Sateler*
|
536
|
-
|
537
|
-
* Added `exclude?` method to `ActionController::Parameters`.
|
538
|
-
|
539
|
-
*Ian Neubert*
|
540
|
-
|
541
|
-
* Rescue `EOFError` exception from `rack` on a multipart request.
|
542
|
-
|
543
|
-
*Nikita Vasilevsky*
|
544
|
-
|
545
|
-
* Log redirects from routes the same way as redirects from controllers.
|
546
|
-
|
547
|
-
*Dennis Paagman*
|
548
|
-
|
549
|
-
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
550
|
-
Previously, if another middleware down the chain set `Server-Timing` header,
|
551
|
-
it would overwritten by `ActionDispatch::ServerTiming`.
|
552
|
-
|
553
|
-
*Jakub Malinowski*
|
554
|
-
|
555
|
-
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.
|
556
|
-
|
557
|
-
You can opt out of `SameSite` by passing `same_site: nil`.
|
558
|
-
|
559
|
-
`cookies[:foo] = { value: "bar", same_site: nil }`
|
560
|
-
|
561
|
-
Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
|
562
|
-
|
563
|
-
*Alex Ghiculescu*
|
564
|
-
|
565
|
-
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
566
|
-
|
567
|
-
Previously you could access basic helpers (defined in helper modules), but not
|
568
|
-
helper methods defined using `helper_method`. Now you can use either.
|
569
|
-
|
570
|
-
```ruby
|
571
|
-
content_security_policy do |p|
|
572
|
-
p.default_src "https://example.com"
|
573
|
-
p.script_src "https://example.com" if helpers.script_csp?
|
574
|
-
end
|
575
|
-
```
|
576
|
-
|
577
|
-
*Alex Ghiculescu*
|
578
|
-
|
579
|
-
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
580
|
-
|
581
|
-
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
582
|
-
The new implementation takes care of conversions.
|
583
|
-
|
584
|
-
*Seva Stefkin*
|
585
|
-
|
586
|
-
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
587
|
-
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
588
|
-
with keys that aren't strings or symbols.
|
589
|
-
|
590
|
-
*Seva Stefkin*
|
591
|
-
|
592
|
-
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
593
|
-
|
594
|
-
By default, the token will be stored in the session. Custom classes can be
|
595
|
-
defined to specify arbitrary behavior, but the ability to store them in
|
596
|
-
encrypted cookies is built in.
|
597
|
-
|
598
|
-
*Andrew Kowpak*
|
599
|
-
|
600
|
-
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
601
|
-
|
602
|
-
*Gannon McGibbon*
|
603
|
-
|
604
|
-
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
605
|
-
|
606
|
-
Use these as an alternative to the already-available environment variables.
|
607
|
-
|
608
|
-
For example, this will display a screenshot in iTerm, save the HTML, and output
|
609
|
-
its path.
|
610
|
-
|
611
|
-
```ruby
|
612
|
-
take_screenshot(html: true, screenshot: "inline")
|
613
|
-
```
|
614
|
-
|
615
|
-
*Alex Ghiculescu*
|
616
|
-
|
617
|
-
* Allow `ActionController::Parameters#to_h` to receive a block.
|
618
|
-
|
619
|
-
*Bob Farrell*
|
620
|
-
|
621
|
-
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
622
|
-
|
623
|
-
*Tom Hughes*
|
624
|
-
|
625
|
-
* Allow Content Security Policy DSL to generate for API responses.
|
626
|
-
|
627
|
-
*Tim Wade*
|
628
|
-
|
629
|
-
* Fix `authenticate_with_http_basic` to allow for missing password.
|
630
|
-
|
631
|
-
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
632
|
-
|
633
|
-
```ruby
|
634
|
-
authenticate_with_http_basic do |token, _|
|
635
|
-
ApiClient.authenticate(token)
|
636
|
-
end
|
637
|
-
```
|
638
|
-
|
639
|
-
This ability is restored.
|
640
|
-
|
641
|
-
*Jean Boussier*
|
642
|
-
|
643
|
-
* Fix `content_security_policy` returning invalid directives.
|
644
|
-
|
645
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
646
|
-
single quoted when the directive was the result of calling a lambda
|
647
|
-
returning an array.
|
648
|
-
|
649
|
-
```ruby
|
650
|
-
content_security_policy do |policy|
|
651
|
-
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
652
|
-
end
|
653
|
-
```
|
654
|
-
|
655
|
-
With this fix the policy generated from above will now be valid.
|
656
|
-
|
657
|
-
*Edouard Chin*
|
658
|
-
|
659
|
-
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
660
|
-
protection has not been enabled / `verify_authenticity_token` is not a
|
661
|
-
defined callback.
|
662
|
-
|
663
|
-
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
664
|
-
`ArgumentError` if `default_protect_from_forgery` is false.
|
665
|
-
|
666
|
-
*Brad Trick*
|
667
|
-
|
668
|
-
* Make `redirect_to` return an empty response body.
|
669
|
-
|
670
|
-
Application controllers that wish to add a response body after calling
|
671
|
-
`redirect_to` can continue to do so.
|
672
|
-
|
673
|
-
*Jon Dufresne*
|
674
|
-
|
675
|
-
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
676
|
-
|
677
|
-
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
678
|
-
|
679
|
-
*Sam Bostock*
|
680
|
-
|
681
|
-
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
682
|
-
|
683
|
-
Since its inception `ActionController::Live` has been copying thread local variables
|
684
|
-
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
685
|
-
|
686
|
-
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
687
|
-
`ActionController::Live` controllers.
|
688
|
-
|
689
|
-
*Jean Boussier*
|
690
|
-
|
691
|
-
* Fix setting `trailing_slash: true` in route definition.
|
692
|
-
|
693
|
-
```ruby
|
694
|
-
get '/test' => "test#index", as: :test, trailing_slash: true
|
695
|
-
|
696
|
-
test_path() # => "/test/"
|
697
|
-
```
|
698
|
-
|
699
|
-
*Jean Boussier*
|
700
|
-
|
701
|
-
* Make `Session#merge!` stringify keys.
|
702
|
-
|
703
|
-
Previously `Session#update` would, but `merge!` wouldn't.
|
125
|
+
*Rafael Mendonça França*
|
704
126
|
|
705
|
-
|
127
|
+
* Add parameter filter capability for redirect locations.
|
706
128
|
|
707
|
-
|
129
|
+
It uses the `config.filter_parameters` to match what needs to be filtered.
|
130
|
+
The result would be like this:
|
708
131
|
|
709
|
-
|
710
|
-
# Before
|
711
|
-
policy.script_src :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
132
|
+
Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
|
712
133
|
|
713
|
-
#
|
714
|
-
policy.script_src :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
715
|
-
```
|
134
|
+
Fixes #14055.
|
716
135
|
|
717
|
-
*
|
136
|
+
*Roque Pinel*, *Trevor Turk*, *tonytonyjan*
|
718
137
|
|
719
|
-
Please check [7-
|
138
|
+
Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
|