This may break existing tests that are asserting the whole session contents
but should not break existing tests that are asserting individual keys - e.g:
class SomeControllerTest < ActionController::TestCase
setup do
session['user_id'] = 1
end
test "some test" do
get :some_action, nil, { 'another_var' => 2 }
# This assertion will now fail
assert_equal({ 'another_var' => 2 }, session)
# This assertion will still pass
assert_equal 2, session['another_var]
end
end
Fixes#1529.
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes#5964
