2014-09-05 16:33:20 -04:00
|
|
|
* Deprecate implicit Array conversion for Response objects. It was added
|
|
|
|
(using `#to_ary`) so we could conveniently use implicit splatting:
|
|
|
|
|
|
|
|
status, headers, body = response
|
|
|
|
|
|
|
|
But it also means `response + response` works and `[response].flatten`
|
|
|
|
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
|
|
|
explicit conversion and splatting with `#to_a`:
|
|
|
|
|
|
|
|
status, header, body = *response
|
|
|
|
|
|
|
|
*Jeremy Kemper*
|
|
|
|
|
2014-08-28 03:09:04 -04:00
|
|
|
* Don't rescue `IPAddr::InvalidAddressError`.
|
|
|
|
|
|
|
|
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
|
|
|
and fails for JRuby in 1.9 mode.
|
|
|
|
|
|
|
|
*Peter Suschlik*
|
|
|
|
|
2014-08-22 09:52:48 -04:00
|
|
|
* Fix bug where the router would ignore any constraints added to redirect
|
|
|
|
routes.
|
|
|
|
|
|
|
|
Fixes #16605.
|
|
|
|
|
|
|
|
*Agis Anastasopoulos*
|
|
|
|
|
2014-08-20 18:42:32 -04:00
|
|
|
* Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
|
|
|
|
|
|
|
|
Example:
|
2014-08-27 06:09:21 -04:00
|
|
|
|
2014-08-20 18:42:32 -04:00
|
|
|
# config/environments/production.rb
|
|
|
|
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
|
|
|
|
|
|
|
*Sam Aarons*
|
|
|
|
|
2014-07-04 00:32:14 -04:00
|
|
|
* Avoid duplicating routes for HEAD requests.
|
|
|
|
|
|
|
|
Instead of duplicating the routes, we will first match the HEAD request to
|
|
|
|
HEAD routes. If no match is found, we will then map the HEAD request to
|
|
|
|
GET routes.
|
|
|
|
|
|
|
|
*Guo Xiang Tan*, *Andrew White*
|
|
|
|
|
2014-08-11 14:29:25 -04:00
|
|
|
* Requests that hit `ActionDispatch::Static` can now take advantage
|
|
|
|
of gzipped assets on disk. By default a gzip asset will be served if
|
|
|
|
the client supports gzip and a compressed file is on disk.
|
|
|
|
|
|
|
|
*Richard Schneeman*
|
|
|
|
|
2014-07-25 12:00:14 -04:00
|
|
|
* `ActionController::Parameters` will stop inheriting from `Hash` and
|
|
|
|
`HashWithIndifferentAccess` in the next major release. If you use any method
|
|
|
|
that is not available on `ActionController::Parameters` you should consider
|
|
|
|
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
|
|
|
|
|
|
|
*Prem Sichanugrist*
|
|
|
|
|
|
|
|
* `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
|
|
|
|
keys removed. This change is to reflect on a security concern where some
|
|
|
|
method performed on an `ActionController::Parameters` may yield a `Hash`
|
|
|
|
object which does not maintain `permitted?` status. If you would like to
|
|
|
|
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
|
|
|
before calling `#to_h`.
|
|
|
|
|
|
|
|
params = ActionController::Parameters.new({
|
|
|
|
name: 'Senjougahara Hitagi',
|
|
|
|
oddity: 'Heavy stone crab'
|
|
|
|
})
|
|
|
|
params.to_h
|
|
|
|
# => {}
|
|
|
|
|
|
|
|
unsafe_params = params.dup.permit!
|
|
|
|
unsafe_params.to_h
|
|
|
|
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
|
|
|
|
|
|
|
safe_params = params.permit(:name)
|
|
|
|
safe_params.to_h
|
|
|
|
# => {"name"=>"Senjougahara Hitagi"}
|
|
|
|
|
|
|
|
This change is consider a stopgap as we cannot change the code to stop
|
|
|
|
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
|
|
|
in the next minor release.
|
|
|
|
|
|
|
|
*Prem Sichanugrist*
|
|
|
|
|
2014-08-27 06:09:21 -04:00
|
|
|
* Deprecated `TagAssertions`.
|
2014-07-10 15:52:00 -04:00
|
|
|
|
2013-09-13 10:35:40 -04:00
|
|
|
*Kasper Timm Hansen*
|
|
|
|
|
2014-08-17 15:40:24 -04:00
|
|
|
* Use the Active Support JSON encoder for cookie jars using the `:json` or
|
|
|
|
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
|
|
|
cookies by defining the `#as_json` hook on such objects.
|
|
|
|
|
|
|
|
Fixes #16520.
|
|
|
|
|
|
|
|
*Godfrey Chan*
|
|
|
|
|
2014-08-12 15:57:51 -04:00
|
|
|
* Add `config.action_dispatch.cookies_digest` option for setting custom
|
|
|
|
digest. The default remains the same - 'SHA1'.
|
|
|
|
|
|
|
|
*Łukasz Strzałkowski*
|
|
|
|
|
2014-08-16 16:24:08 -04:00
|
|
|
* Move `respond_with` (and the class-level `respond_to`) to
|
|
|
|
the `responders` gem.
|
|
|
|
|
|
|
|
*José Valim*
|
|
|
|
|
2014-08-16 18:06:20 -04:00
|
|
|
* When your templates change, browser caches bust automatically.
|
|
|
|
|
|
|
|
New default: the template digest is automatically included in your ETags.
|
|
|
|
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
|
|
|
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
|
|
|
This makes it easy to HTTP-cache many more of your actions.
|
|
|
|
|
|
|
|
If you render a different template, you can now pass the `:template`
|
|
|
|
option to include its digest instead:
|
|
|
|
|
2014-08-27 06:09:21 -04:00
|
|
|
fresh_when @post, template: 'widgets/show'
|
2014-08-16 18:06:20 -04:00
|
|
|
|
|
|
|
Pass `template: false` to skip the lookup. To turn this off entirely, set:
|
|
|
|
|
2014-08-27 06:09:21 -04:00
|
|
|
config.action_controller.etag_with_template_digest = false
|
2014-08-16 18:06:20 -04:00
|
|
|
|
|
|
|
*Jeremy Kemper*
|
|
|
|
|
2014-08-14 03:35:32 -04:00
|
|
|
* Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
|
|
|
|
in favor of `AbstractController::Helpers::MissingHelperError`.
|
|
|
|
|
|
|
|
*Yves Senn*
|
|
|
|
|
2014-07-02 18:36:23 -04:00
|
|
|
* Fix `assert_template` not being able to assert that no files were rendered.
|
|
|
|
|
|
|
|
*Guo Xiang Tan*
|
|
|
|
|
2014-07-30 10:54:03 -04:00
|
|
|
* Extract source code for the entire exception stack trace for
|
|
|
|
better debugging and diagnosis.
|
|
|
|
|
|
|
|
*Ryan Dao*
|
|
|
|
|
2014-07-18 13:27:43 -04:00
|
|
|
* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
|
|
|
|
loopback address.
|
|
|
|
|
|
|
|
*Earl St Sauver*, *Sven Riedel*
|
|
|
|
|
2014-07-13 12:58:20 -04:00
|
|
|
* Preserve original path in `ShowExceptions` middleware by stashing it as
|
|
|
|
`env["action_dispatch.original_path"]`
|
|
|
|
|
|
|
|
`ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
|
|
|
|
for the exception defined in `ExceptionWrapper`, so the path
|
|
|
|
the user was visiting when an exception occurred was not previously
|
|
|
|
available to any custom exceptions_app. The original `PATH_INFO` is now
|
|
|
|
stashed in `env["action_dispatch.original_path"]`.
|
|
|
|
|
|
|
|
*Grey Baker*
|
|
|
|
|
2014-07-11 06:24:49 -04:00
|
|
|
* Use `String#bytesize` instead of `String#size` when checking for cookie
|
|
|
|
overflow.
|
|
|
|
|
|
|
|
*Agis Anastasopoulos*
|
2014-07-13 12:58:20 -04:00
|
|
|
|
2014-07-10 19:33:22 -04:00
|
|
|
* `render nothing: true` or rendering a `nil` body no longer add a single
|
|
|
|
space to the response body.
|
|
|
|
|
|
|
|
The old behavior was added as a workaround for a bug in an early version of
|
|
|
|
Safari, where the HTTP headers are not returned correctly if the response
|
|
|
|
body has a 0-length. This is been fixed since and the workaround is no
|
|
|
|
longer necessary.
|
|
|
|
|
|
|
|
Use `render body: ' '` if the old behavior is desired.
|
|
|
|
|
|
|
|
See #14883 for details.
|
|
|
|
|
|
|
|
*Godfrey Chan*
|
|
|
|
|
2014-07-09 14:33:09 -04:00
|
|
|
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
|
2014-08-27 06:09:21 -04:00
|
|
|
("Rosetta Flash").
|
2014-07-09 14:33:09 -04:00
|
|
|
|
|
|
|
*Greg Campbell*
|
|
|
|
|
2014-07-10 04:58:46 -04:00
|
|
|
* Because URI paths may contain non US-ASCII characters we need to force
|
|
|
|
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
|
|
|
|
This essentially replicates the functionality of the monkey patch to
|
|
|
|
URI.parser.unescape in active_support/core_ext/uri.rb.
|
|
|
|
|
|
|
|
Fixes #16104.
|
|
|
|
|
|
|
|
*Karl Entwistle*
|
|
|
|
|
2014-07-01 18:56:20 -04:00
|
|
|
* Generate shallow paths for all children of shallow resources.
|
|
|
|
|
|
|
|
Fixes #15783.
|
|
|
|
|
|
|
|
*Seb Jacobs*
|
|
|
|
|
2014-07-02 17:48:04 -04:00
|
|
|
* JSONP responses are now rendered with the `text/javascript` content type
|
|
|
|
when rendering through a `respond_to` block.
|
|
|
|
|
|
|
|
Fixes #15081.
|
|
|
|
|
|
|
|
*Lucas Mazza*
|
|
|
|
|
2014-06-27 17:11:31 -04:00
|
|
|
* Add `config.action_controller.always_permitted_parameters` to configure which
|
|
|
|
parameters are permitted globally. The default value of this configuration is
|
|
|
|
`['controller', 'action']`.
|
2013-10-10 08:01:03 -04:00
|
|
|
|
2014-06-27 17:11:31 -04:00
|
|
|
*Gary S. Weaver*, *Rafael Chacon*
|
2013-10-10 08:01:03 -04:00
|
|
|
|
2014-06-12 02:15:29 -04:00
|
|
|
* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
|
|
|
|
|
|
|
|
Fixes #15511.
|
|
|
|
|
|
|
|
*Larry Lv*
|
|
|
|
|
2014-06-13 16:23:45 -04:00
|
|
|
* ActionController::Parameters#require now accepts `false` values.
|
2014-06-13 13:42:38 -04:00
|
|
|
|
|
|
|
Fixes #15685.
|
|
|
|
|
|
|
|
*Sergio Romano*
|
|
|
|
|
2014-06-13 02:19:53 -04:00
|
|
|
* With authorization header `Authorization: Token token=`, `authenticate` now
|
|
|
|
recognize token as nil, instead of "token".
|
|
|
|
|
|
|
|
Fixes #14846.
|
|
|
|
|
|
|
|
*Larry Lv*
|
|
|
|
|
2014-05-31 21:05:00 -04:00
|
|
|
* Ensure the controller is always notified as soon as the client disconnects
|
|
|
|
during live streaming, even when the controller is blocked on a write.
|
|
|
|
|
|
|
|
*Nicholas Jakobsen*, *Matthew Draper*
|
|
|
|
|
2014-06-03 17:05:16 -04:00
|
|
|
* Routes specifying 'to:' must be a string that contains a "#" or a rack
|
|
|
|
application. Use of a symbol should be replaced with `action: symbol`.
|
|
|
|
Use of a string without a "#" should be replaced with `controller: string`.
|
|
|
|
|
2014-07-11 05:15:00 -04:00
|
|
|
*Aaron Patterson*
|
|
|
|
|
2014-05-24 11:41:28 -04:00
|
|
|
* Fix URL generation with `:trailing_slash` such that it does not add
|
|
|
|
a trailing slash after `.:format`
|
|
|
|
|
|
|
|
*Dan Langevin*
|
|
|
|
|
2014-05-13 22:30:57 -04:00
|
|
|
* Build full URI as string when processing path in integration tests for
|
|
|
|
performance reasons.
|
|
|
|
|
|
|
|
*Guo Xiang Tan*
|
|
|
|
|
2014-05-23 17:45:21 -04:00
|
|
|
* Fix `'Stack level too deep'` when rendering `head :ok` in an action method
|
2014-05-15 15:18:05 -04:00
|
|
|
called 'status' in a controller.
|
|
|
|
|
|
|
|
Fixes #13905.
|
|
|
|
|
|
|
|
*Christiaan Van den Poel*
|
|
|
|
|
2014-05-15 13:36:24 -04:00
|
|
|
* Add MKCALENDAR HTTP method (RFC 4791).
|
|
|
|
|
|
|
|
*Sergey Karpesh*
|
|
|
|
|
2014-02-21 05:28:51 -05:00
|
|
|
* Instrument fragment cache metrics.
|
|
|
|
|
|
|
|
Adds `:controller`: and `:action` keys to the instrumentation payload
|
|
|
|
for the `*_fragment.action_controller` notifications. This allows tracking
|
|
|
|
e.g. the fragment cache hit rates for each controller action.
|
|
|
|
|
|
|
|
*Daniel Schierbeck*
|
|
|
|
|
2014-05-11 07:56:33 -04:00
|
|
|
* Always use the provided port if the protocol is relative.
|
|
|
|
|
|
|
|
Fixes #15043.
|
|
|
|
|
|
|
|
*Guilherme Cavalcanti*, *Andrew White*
|
|
|
|
|
2014-05-02 10:54:35 -04:00
|
|
|
* Moved `params[request_forgery_protection_token]` into its own method
|
|
|
|
and improved tests.
|
|
|
|
|
|
|
|
Fixes #11316.
|
|
|
|
|
|
|
|
*Tom Kadwill*
|
|
|
|
|
2013-06-28 09:37:26 -04:00
|
|
|
* Added verification of route constraints given as a Proc or an object responding
|
2014-05-04 17:47:29 -04:00
|
|
|
to `:matches?`. Previously, when given an non-complying object, it would just
|
|
|
|
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
2013-06-28 09:37:26 -04:00
|
|
|
when setting up the routes.
|
|
|
|
|
|
|
|
*Xavier Defrang*
|
|
|
|
|
2013-10-25 17:16:42 -04:00
|
|
|
* Properly treat the entire IPv6 User Local Address space as private for
|
|
|
|
purposes of remote IP detection. Also handle uppercase private IPv6
|
|
|
|
addresses.
|
|
|
|
|
|
|
|
Fixes #12638.
|
|
|
|
|
|
|
|
*Caleb Spare*
|
|
|
|
|
2014-04-23 12:07:50 -04:00
|
|
|
* Fixed an issue with migrating legacy json cookies.
|
|
|
|
|
|
|
|
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
|
|
|
|
cookies are marshal-encoded. This is not the case when `secret_token` is
|
|
|
|
used in conjunction with the `:json` or `:hybrid` serializer.
|
|
|
|
|
|
|
|
In those case, when upgrading to use `secret_key_base`, this would cause a
|
|
|
|
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
|
|
|
|
|
|
|
Fixes #14774.
|
|
|
|
|
|
|
|
*Godfrey Chan*
|
|
|
|
|
2014-04-20 05:08:32 -04:00
|
|
|
* Make URL escaping more consistent:
|
|
|
|
|
|
|
|
1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
|
|
|
|
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
|
|
|
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
|
|
|
4. Use `escape_segment` rather than `escape_path` in URL generation
|
|
|
|
|
|
|
|
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
|
2014-05-23 17:45:21 -04:00
|
|
|
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
|
2014-04-20 05:08:32 -04:00
|
|
|
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
|
|
|
|
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
|
|
|
|
|
|
|
Fixes #14629, #14636 and #14070.
|
|
|
|
|
|
|
|
*Andrew White*, *Edho Arief*
|
|
|
|
|
2014-04-17 13:50:52 -04:00
|
|
|
* Add alias `ActionDispatch::Http::UploadedFile#to_io` to
|
|
|
|
`ActionDispatch::Http::UploadedFile#tempfile`.
|
|
|
|
|
|
|
|
*Tim Linquist*
|
|
|
|
|
2014-04-14 15:59:47 -04:00
|
|
|
* Returns null type format when format is not know and controller is using `any`
|
|
|
|
format block.
|
|
|
|
|
|
|
|
Fixes #14462.
|
|
|
|
|
|
|
|
*Rafael Mendonça França*
|
|
|
|
|
2014-04-11 10:27:24 -04:00
|
|
|
* Improve routing error page with fuzzy matching search.
|
|
|
|
|
|
|
|
*Winston*
|
|
|
|
|
2014-04-11 05:20:54 -04:00
|
|
|
* Only make deeply nested routes shallow when parent is shallow.
|
|
|
|
|
|
|
|
Fixes #14684.
|
|
|
|
|
|
|
|
*Andrew White*, *James Coglan*
|
|
|
|
|
2014-05-23 17:45:21 -04:00
|
|
|
* Append link to bad code to backtrace when exception is `SyntaxError`.
|
2014-01-30 09:33:49 -05:00
|
|
|
|
|
|
|
*Boris Kuznetsov*
|
2014-04-11 05:20:54 -04:00
|
|
|
|
2014-03-22 18:50:55 -04:00
|
|
|
* Swapped the parameters of assert_equal in `assert_select` so that the
|
2014-05-31 14:21:56 -04:00
|
|
|
proper values were printed correctly.
|
2014-03-22 18:50:55 -04:00
|
|
|
|
|
|
|
Fixes #14422.
|
|
|
|
|
|
|
|
*Vishal Lal*
|
|
|
|
|
2014-03-16 05:15:52 -04:00
|
|
|
* The method `shallow?` returns false if the parent resource is a singleton so
|
|
|
|
we need to check if we're not inside a nested scope before copying the :path
|
|
|
|
and :as options to their shallow equivalents.
|
|
|
|
|
|
|
|
Fixes #14388.
|
|
|
|
|
|
|
|
*Andrew White*
|
|
|
|
|
2014-03-04 19:24:51 -05:00
|
|
|
* Make logging of CSRF failures optional (but on by default) with the
|
|
|
|
`log_warning_on_csrf_failure` configuration setting in
|
2014-03-08 16:17:49 -05:00
|
|
|
`ActionController::RequestForgeryProtection`.
|
2014-03-04 19:24:51 -05:00
|
|
|
|
|
|
|
*John Barton*
|
2014-02-18 17:12:11 -05:00
|
|
|
|
2014-03-08 16:17:49 -05:00
|
|
|
* Fix URL generation in controller tests with request-dependent
|
|
|
|
`default_url_options` methods.
|
|
|
|
|
|
|
|
*Tony Wooster*
|
|
|
|
|
2014-02-25 07:14:35 -05:00
|
|
|
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
|