activestorage 5.2.3 → 6.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 077c1da19deeca0ecb5c0a29368bc1a2f54efacf2b988952711aa954692dd0a6
-  data.tar.gz: '090e05af4c46201d10d8b32a3f3c3ae4da6e7195a8b84d670882f15bfc244390'
+  metadata.gz: 552504b488cd3a71744bf26402444008d417219053f2aaf0d56cedda76c98fd2
+  data.tar.gz: 6d1e4241db656db0397763c982789e0336b8cbcaa8c06cda48f9707118e967e6
 SHA512:
-  metadata.gz: a56d7375b12d9171df2a3787ddb2a6c52e442bc7284b2e9baf1a6177ff59100e1e4e6c9feb78d322f8ef1af822b205f9f9d8b84e3c1b9bdedc1ecffda49c2c88
-  data.tar.gz: 2d2d164bc9c34f032b443a2db7e9645d36cb4cab4a68dfc03b486071dcf568a40a6b373cd47e170b092259ab31a023a35a280f93c9ec9bbe77a398a08c6c987f
+  metadata.gz: 96773f10ef5074d0cf9f112e8b881034c94c04d9d1b370179aebb926be2ce9fc344faf7db6a9104475f852af11afae2576650f4398866fd622dadbdb554e46d1
+  data.tar.gz: 5a444b03f9a8ff6e6ee16c9f847049894fb84a8f2dbede5f6829855fc53d63f3b5135e75f46c3d285efbbe0ee7bb4d09333ac331ae5cc28af8f015cbb15f5732

data/CHANGELOG.md

@@ -1,117 +1,211 @@
-## Rails 5.2.3 (March 27, 2019) ##
+## Rails 6.0.1 (November 5, 2019) ##
+
+*   `ActiveStorage::AnalyzeJob`s are discarded on `ActiveRecord::RecordNotFound` errors.
+
+    *George Claghorn*
+
+*   Blobs are recorded in the database before being uploaded to the service.
+    This fixes that generated blob keys could silently collide, leading to
+    data loss.
+
+    *Julik Tarkhanov*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
 
 *   No changes.
 
 
-## Rails 5.2.2.1 (March 11, 2019) ##
+## Rails 6.0.0.rc2 (July 22, 2019) ##
 
 *   No changes.
 
 
-## Rails 5.2.2 (December 04, 2018) ##
+## Rails 6.0.0.rc1 (April 24, 2019) ##
 
-*   Support multiple submit buttons in Active Storage forms.
+*   Don't raise when analyzing an image whose type is unsupported by ImageMagick.
 
-    *Chrıs Seelus*
+    Fixes #36065.
 
-*   Fix `ArgumentError` when uploading to amazon s3
+    *Guilherme Mansur*
 
-    *Hiroki Sanpei*
+*   Permit generating variants of BMP images.
 
-*   Add a foreign-key constraint to the `active_storage_attachments` table for blobs.
+    *Younes Serraj*
 
-    *George Claghorn*
 
-*   Discard `ActiveStorage::PurgeJobs` for missing blobs.
+## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-    *George Claghorn*
+*   No changes.
 
-*   Fix uploading Tempfiles to Azure Storage.
 
-    *George Claghorn*
+## Rails 6.0.0.beta2 (February 25, 2019) ##
 
+*   No changes.
 
-## Rails 5.2.1.1 (November 27, 2018) ##
 
-*   Prevent content type and disposition bypass in storage service URLs.
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-    Fix CVE-2018-16477.
+*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
+    [`activestorage`](https://www.npmjs.com/package/activestorage) to
+    [`@rails/activestorage`](https://www.npmjs.com/package/@rails/activestorage).
 
-    *Rosa Gutierrez*
+    *Javan Makhmali*
 
+*   Replace `config.active_storage.queue` with two options that indicate which
+    queues analysis and purge jobs should use, respectively:
 
-## Rails 5.2.1 (August 07, 2018) ##
+    * `config.active_storage.queues.analysis`
+    * `config.active_storage.queues.purge`
 
-*   Fix direct upload with zero-byte files.
+    `config.active_storage.queue` is preferred over the new options when it's
+    set, but it is deprecated and will be removed in Rails 6.1.
 
     *George Claghorn*
 
-*   Exclude JSON root from `active_storage/direct_uploads#create` response.
+*   Permit generating variants of TIFF images.
 
-    *Javan Makhmali*
+    *Luciano Sousa*
+
+*   Use base36 (all lowercase) for all new Blob keys to prevent
+    collisions and undefined behavior with case-insensitive filesystems and
+    database indices.
+
+    *Julik Tarkhanov*
+
+*   It doesn’t include an `X-CSRF-Token` header if a meta tag is not found on
+    the page. It previously included one with a value of `undefined`.
+
+    *Cameron Bothner*
 
+*   Fix `ArgumentError` when uploading to amazon s3
+
+    *Hiroki Sanpei*
+
+*   Add progressive JPG to default list of variable content types
+
+    *Maurice Kühlborn*
+
+*   Add `ActiveStorage.routes_prefix` for configuring generated routes.
+
+    *Chris Bisnett*
+
+*   `ActiveStorage::Service::AzureStorageService` only handles specifically
+    relevant types of `Azure::Core::Http::HTTPError`. It previously obscured
+    other types of `HTTPError`, which is the azure-storage gem’s catch-all
+    exception class.
+
+    *Cameron Bothner*
+
+*   `ActiveStorage::DiskController#show` generates a 404 Not Found response when
+    the requested file is missing from the disk service. It previously raised
+    `Errno::ENOENT`.
 
-## Rails 5.2.0 (April 09, 2018) ##
+    *Cameron Bothner*
 
-*   Allow full use of the AWS S3 SDK options for authentication. If an
-    explicit AWS key pair and/or region is not provided in `storage.yml`,
-    attempt to use environment variables, shared credentials, or IAM
-    (instance or task) role credentials. Order of precedence is determined
-    by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html).
+*   `ActiveStorage::Blob#download` and `ActiveStorage::Blob#open` raise
+    `ActiveStorage::FileNotFoundError` when the corresponding file is missing
+    from the storage service. Services translate service-specific missing object
+    exceptions (e.g. `Google::Cloud::NotFoundError` for the GCS service and
+    `Errno::ENOENT` for the disk service) into
+    `ActiveStorage::FileNotFoundError`.
 
-    *Brian Knight*
+    *Cameron Bothner*
 
-*   Remove path config option from Azure service.
+*   Added the `ActiveStorage::SetCurrent` concern for custom Active Storage
+    controllers that can't inherit from `ActiveStorage::BaseController`.
 
-    The Active Storage service for Azure Storage has an option called `path`
-    that is ambiguous in meaning. It needs to be set to the primary blob
-    storage endpoint but that can be determined from the blobs client anyway.
+    *George Claghorn*
+
+*   Active Storage error classes like `ActiveStorage::IntegrityError` and
+    `ActiveStorage::UnrepresentableError` now inherit from `ActiveStorage::Error`
+    instead of `StandardError`. This permits rescuing `ActiveStorage::Error` to
+    handle all Active Storage errors.
 
-    To simplify the configuration, we've removed the `path` option and
-    now get the endpoint from the blobs client instead.
+    *Andrei Makarov*, *George Claghorn*
 
-    Closes #32225.
+*   Uploaded files assigned to a record are persisted to storage when the record
+    is saved instead of immediately.
 
-    *Andrew White*
+    In Rails 5.2, the following causes an uploaded file in `params[:avatar]` to
+    be stored:
 
-*   Generate root-relative paths in disk service URL methods.
+    ```ruby
+    @user.avatar = params[:avatar]
+    ```
 
-    Obviate the disk service's `:host` configuration option.
+    In Rails 6, the uploaded file is stored when `@user` is successfully saved.
 
     *George Claghorn*
 
-*   Add source code to published npm package.
+*   Add the ability to reflect on defined attachments using the existing
+    ActiveRecord reflection mechanism.
+
+    *Kevin Deisz*
+
+*   Variant arguments of `false` or `nil` will no longer be passed to the
+    processor. For example, the following will not have the monochrome
+    variation applied:
+
+    ```ruby
+      avatar.variant(monochrome: false)
+    ```
+
+    *Jacob Smith*
+
+*   Generated attachment getter and setter methods are created
+    within the model's `GeneratedAssociationMethods` module to
+    allow overriding and composition using `super`.
+
+    *Josh Susser*, *Jamon Douglas*
+
+*   Add `ActiveStorage::Blob#open`, which downloads a blob to a tempfile on disk
+    and yields the tempfile. Deprecate `ActiveStorage::Downloading`.
+
+    *David Robertson*, *George Claghorn*
 
-    This allows activestorage users to depend on the javascript source code
-    rather than the compiled code, which can produce smaller javascript bundles.
+*   Pass in `identify: false` as an argument when providing a `content_type` for
+    `ActiveStorage::Attached::{One,Many}#attach` to bypass automatic content
+    type inference. For example:
 
-    *Richard Macklin*
+    ```ruby
+      @message.image.attach(
+        io: File.open('/path/to/file'),
+        filename: 'file.pdf',
+        content_type: 'application/pdf',
+        identify: false
+      )
+    ```
 
-*   Preserve display aspect ratio when extracting width and height from videos
-    with rectangular samples in `ActiveStorage::Analyzer::VideoAnalyzer`.
+    *Ryan Davidson*
 
-    When a video contains a display aspect ratio, emit it in metadata as
-    `:display_aspect_ratio` rather than the ambiguous `:aspect_ratio`. Compute
-    its height by scaling its encoded frame width according to the DAR.
+*   The Google Cloud Storage service properly supports streaming downloads.
+    It now requires version 1.11 or newer of the google-cloud-storage gem.
 
     *George Claghorn*
 
-*   Use `after_destroy_commit` instead of `before_destroy` for purging
-    attachments when a record is destroyed.
+*   Use the [ImageProcessing](https://github.com/janko-m/image_processing) gem
+    for Active Storage variants, and deprecate the MiniMagick backend.
 
-    *Hiroki Zenigami*
+    This means that variants are now automatically oriented if the original
+    image was rotated. Also, in addition to the existing ImageMagick
+    operations, variants can now use `:resize_to_fit`, `:resize_to_fill`, and
+    other ImageProcessing macros. These are now recommended over raw `:resize`,
+    as they also sharpen the thumbnail after resizing.
 
-*   Force `:attachment` disposition for specific, configurable content types.
-    This mitigates possible security issues such as XSS or phishing when
-    serving them inline. A list of such content types is included by default,
-    and can be configured via `content_types_to_serve_as_binary`.
+    The ImageProcessing gem also comes with a backend implemented on
+    [libvips](http://jcupitt.github.io/libvips/), an alternative to
+    ImageMagick which has significantly better performance than
+    ImageMagick in most cases, both in terms of speed and memory usage. In
+    Active Storage it's now possible to switch to the libvips backend by
+    changing `Rails.application.config.active_storage.variant_processor` to
+    `:vips`.
 
-    *Rosa Gutierrez*
+    *Janko Marohnić*
 
-*   Fix the gem adding the migrations files to the package.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    *Yuji Yaginuma*
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
-*   Added to Rails.
 
-    *DHH*
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/activestorage/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2018 David Heinemeier Hansson, Basecamp
+Copyright (c) 2017-2019 David Heinemeier Hansson, Basecamp
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -4,11 +4,13 @@ Active Storage makes it simple to upload and reference files in cloud services l
 
 Files can be uploaded from the server to the cloud or directly from the client to the cloud.
 
-Image files can furthermore be transformed using on-demand variants for quality, aspect ratio, size, or any other [MiniMagick](https://github.com/minimagick/minimagick) supported transformation.
+Image files can furthermore be transformed using on-demand variants for quality, aspect ratio, size, or any other [MiniMagick](https://github.com/minimagick/minimagick) or [Vips](https://www.rubydoc.info/gems/ruby-vips/Vips/Image) supported transformation.
+
+You can read more about Active Storage in the [Active Storage Overview](https://edgeguides.rubyonrails.org/active_storage_overview.html) guide.
 
 ## Compared to other storage solutions
 
-A key difference to how Active Storage works compared to other attachment solutions in Rails is through the use of built-in [Blob](https://github.com/rails/rails/blob/5-2-stable/activestorage/app/models/active_storage/blob.rb) and [Attachment](https://github.com/rails/rails/blob/5-2-stable/activestorage/app/models/active_storage/attachment.rb) models (backed by Active Record). This means existing application models do not need to be modified with additional columns to associate with files. Active Storage uses polymorphic associations via the `Attachment` join model, which then connects to the actual `Blob`.
+A key difference to how Active Storage works compared to other attachment solutions in Rails is through the use of built-in [Blob](https://github.com/rails/rails/blob/master/activestorage/app/models/active_storage/blob.rb) and [Attachment](https://github.com/rails/rails/blob/master/activestorage/app/models/active_storage/attachment.rb) models (backed by Active Record). This means existing application models do not need to be modified with additional columns to associate with files. Active Storage uses polymorphic associations via the `Attachment` join model, which then connects to the actual `Blob`.
 
 `Blob` models store attachment metadata (filename, content-type, etc.), and their identifier key in the storage service. Blob models do not store the actual binary data. They are intended to be immutable in spirit. One file, one blob. You can associate the same blob with multiple application models as well. And if you want to do transformations of a given `Blob`, the idea is that you'll simply create a new one, rather than attempt to mutate the existing one (though of course you can delete the previous version later if you don't need it).
 
@@ -16,6 +18,8 @@ A key difference to how Active Storage works compared to other attachment soluti
 
 Run `rails active_storage:install` to copy over active_storage migrations.
 
+NOTE: If the task cannot be found, verify that `require "active_storage/engine"` is present in `config/application.rb`.
+
 ## Examples
 
 One attachment:
@@ -99,7 +103,7 @@ Variation of image attachment:
 
 ```erb
 <%# Hitting the variant URL will lazy transform the original blob and then redirect to its new service location %>
-<%= image_tag user.avatar.variant(resize: "100x100") %>
+<%= image_tag user.avatar.variant(resize_to_limit: [100, 100]) %>
 ```
 
 ## Direct uploads
@@ -116,8 +120,7 @@ Active Storage, with its included JavaScript library, supports uploading directl
     ```
     Using the npm package:
     ```js
-    import * as ActiveStorage from "activestorage"
-    ActiveStorage.start()
+    require("@rails/activestorage").start()
     ```
 2. Annotate file inputs with the direct upload URL.
 
@@ -148,7 +151,7 @@ Active Storage is released under the [MIT License](https://opensource.org/licens
 
 API documentation is at:
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports for the Ruby on Rails project can be filed here:
 

data/app/assets/javascripts/activestorage.js

@@ -560,7 +560,10 @@
       this.xhr.setRequestHeader("Content-Type", "application/json");
       this.xhr.setRequestHeader("Accept", "application/json");
       this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
-      this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"));
+      var csrfToken = getMetaValue("csrf-token");
+      if (csrfToken != undefined) {
+        this.xhr.setRequestHeader("X-CSRF-Token", csrfToken);
+      }
       this.xhr.addEventListener("load", function(event) {
         return _this.requestDidLoad(event);
       });

data/app/controllers/active_storage/base_controller.rb

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
-# The base controller for all ActiveStorage controllers.
+# The base class for all Active Storage controllers.
 class ActiveStorage::BaseController < ActionController::Base
-  protect_from_forgery with: :exception
+  include ActiveStorage::SetCurrent
 
-  before_action do
-    ActiveStorage::Current.host = request.base_url
-  end
+  protect_from_forgery with: :exception
 end

data/app/controllers/active_storage/blobs_controller.rb

@@ -8,7 +8,7 @@ class ActiveStorage::BlobsController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
-    expires_in ActiveStorage::Blob.service.url_expires_in
+    expires_in ActiveStorage.service_urls_expire_in
     redirect_to @blob.service_url(disposition: params[:disposition])
   end
 end

data/app/controllers/active_storage/disk_controller.rb

@@ -3,7 +3,7 @@
 # Serves files stored with the disk service in the same way that the cloud services do.
 # This means using expiring, signed URLs that are meant for immediate access, not permanent linking.
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
-# to the service url.
+# to the service URL.
 class ActiveStorage::DiskController < ActiveStorage::BaseController
   skip_forgery_protection
 
@@ -13,16 +13,19 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
     else
       head :not_found
     end
+  rescue Errno::ENOENT
+    head :not_found
   end
 
   def update
     if token = decode_verified_token
       if acceptable_content?(token)
         disk_service.upload token[:key], request.body, checksum: token[:checksum]
-        head :no_content
       else
         head :unprocessable_entity
       end
+    else
+      head :not_found
     end
   rescue ActiveStorage::IntegrityError
     head :unprocessable_entity

data/app/controllers/active_storage/representations_controller.rb

@@ -8,7 +8,7 @@ class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
-    expires_in ActiveStorage::Blob.service.url_expires_in
+    expires_in ActiveStorage.service_urls_expire_in
     redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
   end
 end

data/app/controllers/concerns/active_storage/set_current.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Sets the <tt>ActiveStorage::Current.host</tt> attribute, which the disk service uses to generate URLs.
+# Include this concern in custom controllers that call ActiveStorage::Blob#service_url,
+# ActiveStorage::Variant#service_url, or ActiveStorage::Preview#service_url so the disk service can
+# generate URLs using the same host, protocol, and base path as the current request.
+module ActiveStorage::SetCurrent
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      ActiveStorage::Current.host = request.base_url
+    end
+  end
+end

data/app/javascript/activestorage/blob_record.js

@@ -17,7 +17,12 @@ export class BlobRecord {
     this.xhr.setRequestHeader("Content-Type", "application/json")
     this.xhr.setRequestHeader("Accept", "application/json")
     this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
-    this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"))
+
+    const csrfToken = getMetaValue("csrf-token")
+    if (csrfToken != undefined) {
+      this.xhr.setRequestHeader("X-CSRF-Token", csrfToken)
+    }
+
     this.xhr.addEventListener("load", event => this.requestDidLoad(event))
     this.xhr.addEventListener("error", event => this.requestDidError(event))
   }