railties 6.0.0.beta3 → 6.0.2.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4b78369d9f271572d3a302573c3074369e2d00f9507ade58f17667c9dda5476
-  data.tar.gz: b3afe11e12e754306480173cfa772222d9b998d27a232d209a64624604a91341
+  metadata.gz: cf37cc2a76f9cfbd932a8804269ee295aa31ef9f6f461c3868bc350425ad8263
+  data.tar.gz: 3e46350b318203d9db5c938f475c0fa09a850a87d1f80085b7feb990a19f12f4
 SHA512:
-  metadata.gz: fc7ff12025bd5ae53ee9db3a985bbc6fc661d9f11aef9fdcd243e26a7dcd4c7186c12dd888479ebbd9f1da1204c031c9cdfaf34eab2e6411e81b63130a8167d3
-  data.tar.gz: 612e651ac16761224f2de33b9ee6829309aaa685935d576a935e782762ef5be87b111e585df6741eefe67c5937819b15c3c5be856eae8c74afb3a3185928c6cb
+  metadata.gz: 545592751b707fd054ba604f505f3dd6dce218129fd7d1d1c3de5e9755dd4c76910294bf4801b65468f303b7f792e53ab6df8aa8b4c8dd3208764107a125f3be
+  data.tar.gz: c3cb4f31a6e9f8b35217893e2b73e3a15ba5ba5af5da591de817a6b492605da070fa5924306dd23f6f5862d4751e360a3977aa2675dbf72dcaf0e0cf2c30e7b9

data/CHANGELOG.md

@@ -1,6 +1,135 @@
+## Rails 6.0.2.rc2 (December 09, 2019) ##
+
+*   Fix the collision check for the scaffold generator.
+
+    *Ryan Robeson*
+
+## Rails 6.0.1 (November 5, 2019) ##
+
+*   The `zeitwerk:check` Rake task reports files outside the app's root
+    directory, as in engines loaded from gems.
+
+    *Xavier Noria*
+
+*   Fixed a possible error when using the evented file update checker.
+
+    *Yuji Yaginuma*
+
+*   The sqlite3 database files created by the parallel testing feature are
+    included in the default `.gitignore` file for newly-generated apps.
+
+    *Yasuo Honda*
+
+*   `rails new` generates a `.keep` file in `tmp/pids`. This fixes starting
+    a server via `rackup` instead of `rails server`.
+
+    *Rafael Mendonça França*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   `Rails.autoloaders.log!` is a logging shortcut to get the activity of the
+    loaders printed to standard output. May be handy for troubleshooting.
+
+    *Xavier Noria*
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   The new configuration point `config.add_autoload_paths_to_load_path` allows
+    users to opt-out from adding autoload paths to `$LOAD_PATH`. This flag is
+    `true` by default, but it is recommended to be set to `false` in `:zeitwerk`
+    mode early, in `config/application.rb`.
+
+    Zeitwerk uses only absolute paths internally, and applications running in
+    `:zeitwerk` mode do not need `require_dependency`, so models, controllers,
+    jobs, etc. do not need to be in `$LOAD_PATH`. Setting this to `false` saves
+    Ruby from checking these directories when resolving `require` calls with
+    relative paths, and saves Bootsnap work and RAM, since it does not need to
+    build an index for them.
+
+    *Xavier Noria*
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Applications upgrading to Rails 6 can run the command
+
+    ```
+    bin/rails zeitwerk:check
+    ```
+
+    to check if the project structure they were using with the classic
+    autoloader is compatible with `:zeitwerk` mode.
+
+    *Matilda Smeds* & *Xavier Noria*
+
+*   Allow loading seeds without ActiveJob.
+
+    Fixes #35782
+
+    *Jeremy Weathers*
+
+*   `null: false` is set in the migrations by default for column pointed by
+    `belongs_to` / `references` association generated by model generator.
+
+    Also deprecate passing {required} to the model generator.
+
+    *Prathamesh Sonpatki*
+
+*   New applications get `config.cache_classes = false` in `config/environments/test.rb`
+    unless `--skip-spring`.
+
+    *Xavier Noria*
+
+*   Autoloading during initialization is deprecated.
+
+    *Xavier Noria*
+
+*   Only force `:async` ActiveJob adapter to `:inline` during seeding.
+
+    *BatedUrGonnaDie*
+
+*   The `connection` option of `rails dbconsole` command is deprecated in
+    favor of `database` option.
+
+    *Yuji Yaginuma*
+
+*   Replace `chromedriver-helper` gem with `webdrivers` in default Gemfile.
+    `chromedriver-helper` is deprecated as of March 31, 2019 and won't
+    receive any further updates.
+
+    *Guillermo Iguaran‮*
+
+*   Applications running in `:zeitwerk` mode that use `bootsnap` need
+    to upgrade `bootsnap` to at least 1.4.2.
+
+    *Xavier Noria*
+
+*   Add `config.disable_sandbox` option to Rails console.
+
+    This setting will disable `rails console --sandbox` mode, preventing
+    developer from accidentally starting a sandbox console,
+    which when left inactive, can cause the database server to run out of memory.
+
+    *Prem Sichanugrist*
+
+*   Add `-e/--environment` option to `rails initializers`.
+
+    *Yuji Yaginuma*
+
+
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-*   No changes.
+*   Generate random development secrets
+
+    A random development secret is now generated to tmp/development_secret.txt
+
+    This avoids an issue where development mode servers were vulnerable to
+    remote code execution.
+
+    Fixes CVE-2019-5420
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
 
 
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
@@ -49,7 +178,9 @@
         gsub  Gemfile
     ```
 
-    The change command copies a template `config/database.yml` with the target database adapter into your app, and replaces your database gem with the target database gem.
+    The change command copies a template `config/database.yml` with
+    the target database adapter into your app, and replaces your database gem
+    with the target database gem.
 
     *Gannon McGibbon*
 
@@ -73,9 +204,9 @@
 
     *George Claghorn*
 
-*   Introduce guard against DNS rebinding attacks
+*   Introduce guard against DNS rebinding attacks.
 
-    The `ActionDispatch::HostAuthorization` is a new middleware that prevent
+    The `ActionDispatch::HostAuthorization` is a new middleware that prevents
     against DNS rebinding and other `Host` header attacks. It is included in
     the development environment by default with the following configuration:
 
@@ -93,7 +224,7 @@
         Rails.application.config.hosts << "product.com"
 
     The host of a request is checked against the `hosts` entries with the case
-    operator (`#===`), which lets `hosts` support entries of type `RegExp`,
+    operator (`#===`), which lets `hosts` support entries of type `Regexp`,
     `Proc` and `IPAddr` to name a few. Here is an example with a regexp.
 
         # Allow requests from subdomains like `www.product.com` and
@@ -183,7 +314,7 @@
     The encryption key can be in `ENV["RAILS_MASTER_KEY"]` or `config/credentials/production.key`.
 
     Environment credentials overrides can be edited with `rails credentials:edit --environment production`.
-    If no override is setup for the passed environment, it will be created.
+    If no override is set up for the passed environment, it will be created.
 
     Additionally, the default lookup paths can be overwritten with these configs:
 
@@ -273,9 +404,9 @@
 
     *Jose Luis Duran*
 
-*   Deprecate support for using the `HOST` environment to specify the server IP.
+*   Deprecate support for using the `HOST` environment variable to specify the server IP.
 
-    The `BINDING` environment should be used instead.
+    The `BINDING` environment variable should be used instead.
 
     Fixes #29516.
 

data/RDOC_MAIN.rdoc

@@ -4,7 +4,7 @@
 
 \Rails is a web-application framework that includes everything needed to
 create database-backed web applications according to the
-{Model-View-Controller (MVC)}[http://en.wikipedia.org/wiki/Model-view-controller]
+{Model-View-Controller (MVC)}[https://en.wikipedia.org/wiki/Model-view-controller]
 pattern.
 
 Understanding the MVC pattern is key to understanding \Rails. MVC divides your
@@ -79,8 +79,7 @@ and may also be used independently outside \Rails.
    * The \README file created within your application.
    * {Getting Started with \Rails}[https://guides.rubyonrails.org/getting_started.html].
    * {Ruby on \Rails Guides}[https://guides.rubyonrails.org].
-   * {The API Documentation}[http://api.rubyonrails.org].
-   * {Ruby on \Rails Tutorial}[https://www.railstutorial.org/book].
+   * {The API Documentation}[https://api.rubyonrails.org].
 
 == Contributing
 
@@ -88,7 +87,7 @@ We encourage you to contribute to Ruby on \Rails! Please check out the
 {Contributing to Ruby on \Rails guide}[https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html] for guidelines about how to proceed. {Join us!}[http://contributors.rubyonrails.org]
 
 Trying to report a possible security vulnerability in \Rails? Please
-check out our {security policy}[http://rubyonrails.org/security/] for
+check out our {security policy}[https://rubyonrails.org/security/] for
 guidelines about how to proceed.
 
 Everyone interacting in \Rails and its sub-projects' codebases, issue trackers, chat rooms, and mailing lists is expected to follow the \Rails {code of conduct}[http://rubyonrails.org/conduct/].

data/README.rdoc

@@ -29,7 +29,7 @@ Railties is released under the MIT license:
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports can be filed for the Ruby on Rails project here:
 

data/lib/rails/api/task.rb

@@ -18,6 +18,7 @@ module Rails
           include: %w(
             README.rdoc
             lib/active_record/**/*.rb
+            lib/arel.rb
           )
         },
 

data/lib/rails/application.rb

@@ -270,7 +270,8 @@ module Rails
           "action_dispatch.use_cookies_with_metadata" => config.action_dispatch.use_cookies_with_metadata,
           "action_dispatch.content_security_policy" => config.content_security_policy,
           "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only,
-          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator
+          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator,
+          "action_dispatch.content_security_policy_nonce_directives" => config.content_security_policy_nonce_directives
         )
       end
     end
@@ -349,7 +350,7 @@ module Rails
       files, dirs = config.watchable_files.dup, config.watchable_dirs.dup
 
       ActiveSupport::Dependencies.autoload_paths.each do |path|
-        dirs[path.to_s] = [:rb]
+        File.file?(path) ? files << path.to_s : dirs[path.to_s] = [:rb]
       end
 
       [files, dirs]
@@ -409,7 +410,8 @@ module Rails
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
     # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
     #
-    # In test and development, this is simply derived as a MD5 hash of the application's name.
+    # In development and test, this is randomly generated and stored in a
+    # temporary file in <tt>tmp/development_secret.txt</tt>.
     #
     # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
     # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
@@ -587,6 +589,7 @@ module Rails
 
           if !File.exist?(key_file)
             random_key = SecureRandom.hex(64)
+            FileUtils.mkdir_p(key_file.dirname)
             File.binwrite(key_file, random_key)
           end
 

data/lib/rails/application/bootstrap.rb

@@ -34,20 +34,12 @@ INFO
       # Initialize the logger early in the stack in case we need to log some deprecation.
       initializer :initialize_logger, group: :all do
         Rails.logger ||= config.logger || begin
-          path = config.paths["log"].first
-          unless File.exist? File.dirname path
-            FileUtils.mkdir_p File.dirname path
-          end
-
-          f = File.open path, "a"
-          f.binmode
-          f.sync = config.autoflush_log # if true make sure every write flushes
-
-          logger = ActiveSupport::Logger.new f
+          logger = ActiveSupport::Logger.new(config.default_log_file)
           logger.formatter = config.log_formatter
           logger = ActiveSupport::TaggedLogging.new(logger)
           logger
         rescue StandardError
+          path = config.paths["log"].first
           logger = ActiveSupport::TaggedLogging.new(ActiveSupport::Logger.new(STDERR))
           logger.level = ActiveSupport::Logger::WARN
           logger.warn(

data/lib/rails/application/configuration.rb

@@ -18,7 +18,8 @@ module Rails
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
                     :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
-                    :content_security_policy_nonce_generator, :require_master_key, :credentials
+                    :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
+                    :require_master_key, :credentials, :disable_sandbox, :add_autoload_paths_to_load_path
 
       attr_reader :encoding, :api_only, :loaded_config_version, :autoloader
 
@@ -59,14 +60,18 @@ module Rails
         @content_security_policy                 = nil
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
+        @content_security_policy_nonce_directives = nil
         @require_master_key                      = false
         @loaded_config_version                   = nil
         @credentials                             = ActiveSupport::OrderedOptions.new
         @credentials.content_path                = default_credentials_content_path
         @credentials.key_path                    = default_credentials_key_path
         @autoloader                              = :classic
+        @disable_sandbox                         = false
+        @add_autoload_paths_to_load_path         = true
       end
 
+      # Loads default configurations. See {the result of the method for each version}[https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults].
       def load_defaults(target_version)
         case target_version.to_s
         when "5.0"
@@ -126,6 +131,7 @@ module Rails
 
           if respond_to?(:action_dispatch)
             action_dispatch.use_cookies_with_metadata = true
+            action_dispatch.return_only_media_type_on_content_type = false
           end
 
           if respond_to?(:action_mailer)
@@ -139,6 +145,12 @@ module Rails
           if respond_to?(:active_storage)
             active_storage.queues.analysis = :active_storage_analysis
             active_storage.queues.purge    = :active_storage_purge
+
+            active_storage.replace_on_assign_to_many = true
+          end
+
+          if respond_to?(:active_record)
+            active_record.collection_cache_versioning = true
           end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
@@ -184,6 +196,26 @@ module Rails
         end
       end
 
+      # Load the database YAML without evaluating ERB. This allows us to
+      # create the rake tasks for multiple databases without filling in the
+      # configuration values or loading the environment. Do not use this
+      # method.
+      #
+      # This uses a DummyERB custom compiler so YAML can ignore the ERB
+      # tags and load the database.yml for the rake tasks.
+      def load_database_yaml # :nodoc:
+        if path = paths["config/database"].existent.first
+          require "rails/application/dummy_erb_compiler"
+
+          yaml = Pathname.new(path)
+          erb = DummyERB.new(yaml.read)
+
+          YAML.load(erb.result) || {}
+        else
+          {}
+        end
+      end
+
       # Loads and returns the entire raw configuration of database from
       # values stored in <tt>config/database.yml</tt>.
       def database_configuration
@@ -282,6 +314,18 @@ module Rails
         end
       end
 
+      def default_log_file
+        path = paths["log"].first
+        unless File.exist? File.dirname path
+          FileUtils.mkdir_p File.dirname path
+        end
+
+        f = File.open path, "a"
+        f.binmode
+        f.sync = autoflush_log # if true make sure every write flushes
+        f
+      end
+
       class Custom #:nodoc:
         def initialize
           @configurations = Hash.new

data/lib/rails/application/default_middleware_stack.rb

@@ -49,6 +49,7 @@ module Rails
           middleware.use ::Rails::Rack::Logger, config.log_tags
           middleware.use ::ActionDispatch::ShowExceptions, show_exceptions_app
           middleware.use ::ActionDispatch::DebugExceptions, app, config.debug_exception_response_format
+          middleware.use ::ActionDispatch::ActionableExceptions
 
           unless config.cache_classes
             middleware.use ::ActionDispatch::Reloader, app.reloader

data/lib/rails/application/dummy_erb_compiler.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# These classes are used to strip out the ERB configuration
+# values so we can evaluate the database.yml without evaluating
+# the ERB values.
+class DummyERB < ERB # :nodoc:
+  def make_compiler(trim_mode)
+    DummyCompiler.new trim_mode
+  end
+end
+
+class DummyCompiler < ERB::Compiler # :nodoc:
+  def compile_content(stag, out)
+    if stag == "<%="
+      out.push "_erbout << ''"
+    end
+  end
+end

data/lib/rails/application/finisher.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/array/conversions"
+
 module Rails
   class Application
     module Finisher
@@ -21,10 +24,50 @@ module Rails
         end
       end
 
+      # This will become an error if/when we remove classic mode. The plan is
+      # autoloaders won't be configured up to this point in the finisher, so
+      # constants just won't be found, raising regular NameError exceptions.
+      initializer :warn_if_autoloaded, before: :let_zeitwerk_take_over do
+        next if config.cache_classes
+        next if ActiveSupport::Dependencies.autoloaded_constants.empty?
+
+        autoloaded    = ActiveSupport::Dependencies.autoloaded_constants
+        constants     = "constant".pluralize(autoloaded.size)
+        enum          = autoloaded.to_sentence
+        have          = autoloaded.size == 1 ? "has" : "have"
+        these         = autoloaded.size == 1 ? "This" : "These"
+        example       = autoloaded.first
+        example_klass = example.constantize.class
+
+        if config.autoloader == :zeitwerk
+          ActiveSupport::DescendantsTracker.clear
+          ActiveSupport::Dependencies.clear
+
+          unload_message = "#{these} autoloaded #{constants} #{have} been unloaded."
+        else
+          unload_message = "`config.autoloader` is set to `#{config.autoloader}`. #{these} autoloaded #{constants} would have been unloaded if `config.autoloader` had been set to `:zeitwerk`."
+        end
+
+        ActiveSupport::Deprecation.warn(<<~WARNING)
+          Initialization autoloaded the #{constants} #{enum}.
+
+          Being able to do this is deprecated. Autoloading during initialization is going
+          to be an error condition in future versions of Rails.
+
+          Reloading does not reboot the application, and therefore code executed during
+          initialization does not run again. So, if you reload #{example}, for example,
+          the expected changes won't be reflected in that stale #{example_klass} object.
+
+          #{unload_message}
+
+          Please, check the "Autoloading and Reloading Constants" guide for solutions.
+        WARNING
+      end
+
       initializer :let_zeitwerk_take_over do
         if config.autoloader == :zeitwerk
           require "active_support/dependencies/zeitwerk_integration"
-          ActiveSupport::Dependencies::ZeitwerkIntegration.take_over
+          ActiveSupport::Dependencies::ZeitwerkIntegration.take_over(enable_reloading: !config.cache_classes)
         end
       end