2022-05-17 09:37:23 -04:00
|
|
|
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
|
|
|
|
|
|
|
Previously you could access basic helpers (defined in helper modules), but not
|
|
|
|
helper methods defined using `helper_method`. Now you can use either.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
content_security_policy do |p|
|
|
|
|
p.default_src "https://example.com"
|
|
|
|
p.script_src "https://example.com" if helpers.script_csp?
|
|
|
|
end
|
|
|
|
```
|
|
|
|
|
|
|
|
*Alex Ghiculescu*
|
|
|
|
|
2022-04-09 10:48:39 -04:00
|
|
|
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
|
|
|
|
|
|
|
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
|
|
|
The new implementation takes care of conversions.
|
|
|
|
|
|
|
|
*Seva Stefkin*
|
|
|
|
|
2022-04-05 05:23:25 -04:00
|
|
|
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
|
|
|
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
|
|
|
with keys that aren't strings or symbols.
|
|
|
|
|
|
|
|
*Seva Stefkin*
|
|
|
|
|
2022-03-11 10:53:39 -05:00
|
|
|
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
|
|
|
|
|
|
|
By default, the token will be stored in the session. Custom classes can be
|
2022-05-25 19:48:46 -04:00
|
|
|
defined to specify arbitrary behavior, but the ability to store them in
|
2022-03-11 10:53:39 -05:00
|
|
|
encrypted cookies is built in.
|
|
|
|
|
|
|
|
*Andrew Kowpak*
|
|
|
|
|
2022-03-31 18:10:23 -04:00
|
|
|
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
|
|
|
|
|
|
|
*Gannon McGibbon*
|
|
|
|
|
2022-03-18 16:17:10 -04:00
|
|
|
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
|
|
|
|
|
|
|
Use these as an alternative to the already-available environment variables.
|
|
|
|
|
|
|
|
For example, this will display a screenshot in iTerm, save the HTML, and output
|
|
|
|
its path.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
take_screenshot(html: true, screenshot: "inline")
|
|
|
|
```
|
|
|
|
|
|
|
|
*Alex Ghiculescu*
|
|
|
|
|
2022-03-23 15:44:53 -04:00
|
|
|
* Allow `ActionController::Parameters#to_h` to receive a block.
|
|
|
|
|
|
|
|
*Bob Farrell*
|
|
|
|
|
2022-03-09 19:37:07 -05:00
|
|
|
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
|
|
|
|
|
|
|
*Tom Hughes*
|
|
|
|
|
2020-06-16 13:54:35 -04:00
|
|
|
* Allow Content Security Policy DSL to generate for API responses.
|
2022-03-07 19:33:00 -05:00
|
|
|
|
2020-06-16 13:54:35 -04:00
|
|
|
*Tim Wade*
|
|
|
|
|
2022-03-04 05:53:20 -05:00
|
|
|
* Fix `authenticate_with_http_basic` to allow for missing password.
|
|
|
|
|
|
|
|
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
2022-03-31 18:10:23 -04:00
|
|
|
|
2022-03-04 05:53:20 -05:00
|
|
|
```ruby
|
|
|
|
authenticate_with_http_basic do |token, _|
|
|
|
|
ApiClient.authenticate(token)
|
|
|
|
end
|
|
|
|
```
|
|
|
|
|
|
|
|
This ability is restored.
|
|
|
|
|
|
|
|
*Jean Boussier*
|
|
|
|
|
2022-02-28 13:12:45 -05:00
|
|
|
* Fix `content_security_policy` returning invalid directives.
|
|
|
|
|
|
|
|
Directives such as `self`, `unsafe-eval` and few others were not
|
|
|
|
single quoted when the directive was the result of calling a lambda
|
|
|
|
returning an array.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
content_security_policy do |policy|
|
|
|
|
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
|
|
|
end
|
|
|
|
```
|
|
|
|
|
|
|
|
With this fix the policy generated from above will now be valid.
|
|
|
|
|
|
|
|
*Edouard Chin*
|
|
|
|
|
2022-02-27 21:58:42 -05:00
|
|
|
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
|
|
|
protection has not been enabled / `verify_authenticity_token` is not a
|
|
|
|
defined callback.
|
|
|
|
|
|
|
|
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
|
|
|
`ArgumentError` if `default_protect_from_forgery` is false.
|
|
|
|
|
|
|
|
*Brad Trick*
|
|
|
|
|
2022-02-25 09:11:56 -05:00
|
|
|
* Make `redirect_to` return an empty response body.
|
|
|
|
|
|
|
|
Application controllers that wish to add a response body after calling
|
|
|
|
`redirect_to` can continue to do so.
|
|
|
|
|
|
|
|
*Jon Dufresne*
|
|
|
|
|
2022-02-22 11:03:19 -05:00
|
|
|
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
|
|
|
|
|
|
|
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
|
|
|
|
|
|
|
*Sam Bostock*
|
|
|
|
|
2022-02-22 12:53:52 -05:00
|
|
|
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
2022-02-21 05:35:22 -05:00
|
|
|
|
2022-02-22 12:53:52 -05:00
|
|
|
Since its inception `ActionController::Live` has been copying thread local variables
|
2022-02-21 05:35:22 -05:00
|
|
|
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
|
|
|
|
|
|
|
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
2022-02-22 12:53:52 -05:00
|
|
|
`ActionController::Live` controllers.
|
2022-02-21 05:35:22 -05:00
|
|
|
|
|
|
|
*Jean Boussier*
|
|
|
|
|
2022-02-15 04:41:42 -05:00
|
|
|
* Fix setting `trailing_slash: true` in route definition.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
get '/test' => "test#index", as: :test, trailing_slash: true
|
|
|
|
|
|
|
|
test_path() # => "/test/"
|
|
|
|
```
|
|
|
|
|
|
|
|
*Jean Boussier*
|
|
|
|
|
2022-01-26 09:47:35 -05:00
|
|
|
* Make `Session#merge!` stringify keys.
|
2021-11-10 12:58:18 -05:00
|
|
|
|
2022-01-26 09:47:35 -05:00
|
|
|
Previously `Session#update` would, but `merge!` wouldn't.
|
|
|
|
|
|
|
|
*Drew Bragg*
|
2021-11-10 12:58:18 -05:00
|
|
|
|
2021-12-07 10:52:30 -05:00
|
|
|
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
|