In cases where this option is set to `true`, the option is redundant and can be safely removed; otherwise, the corresponding `*_url` helper should be used instead. Fixes #17294. See also #17363. [Dan Olson, Godfrey Chan]
12 KiB
-
Deprecate the
only_path
option on*_path
helpers.In cases where this option is set to
true
, the option is redundant and can be safely removed; otherwise, the corresponding*_url
helper should be used instead.Fixes #17294.
Dan Olson, Godfrey Chan
-
Improve Journey compliance to RFC 3986.
The scanner in Journey failed to recognize routes that use literals from the sub-delims section of RFC 3986. It's now able to parse those authorized delimiters and route as expected.
Fixes #17212.
Nicolas Cavigneaux
-
Deprecate implicit Array conversion for Response objects. It was added (using
#to_ary
) so we could conveniently use implicit splatting:status, headers, body = response
But it also means
response + response
works and[response].flatten
cascades down to the Rack body. Nonsense behavior. Instead, rely on explicit conversion and splatting with#to_a
:status, header, body = *response
Jeremy Kemper
-
Don't rescue
IPAddr::InvalidAddressError
.IPAddr::InvalidAddressError
does not exist in Ruby 1.9.3 and fails for JRuby in 1.9 mode.Peter Suschlik
-
Fix bug where the router would ignore any constraints added to redirect routes.
Fixes #16605.
Agis Anastasopoulos
-
Allow
config.action_dispatch.trusted_proxies
to accept an IPAddr object.Example:
# config/environments/production.rb config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
Sam Aarons
-
Avoid duplicating routes for HEAD requests.
Instead of duplicating the routes, we will first match the HEAD request to HEAD routes. If no match is found, we will then map the HEAD request to GET routes.
Guo Xiang Tan, Andrew White
-
Requests that hit
ActionDispatch::Static
can now take advantage of gzipped assets on disk. By default a gzip asset will be served if the client supports gzip and a compressed file is on disk.Richard Schneeman
-
ActionController::Parameters
will stop inheriting fromHash
andHashWithIndifferentAccess
in the next major release. If you use any method that is not available onActionController::Parameters
you should consider calling#to_h
to convert it to aHash
first before calling that method.Prem Sichanugrist
-
ActionController::Parameters#to_h
now returns aHash
with unpermitted keys removed. This change is to reflect on a security concern where some method performed on anActionController::Parameters
may yield aHash
object which does not maintainpermitted?
status. If you would like to get aHash
with all the keys intact, duplicate and mark it as permitted before calling#to_h
.params = ActionController::Parameters.new({ name: 'Senjougahara Hitagi', oddity: 'Heavy stone crab' }) params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot change the code to stop
ActionController::Parameters
to inherit fromHashWithIndifferentAccess
in the next minor release.Prem Sichanugrist
-
Deprecated
TagAssertions
.Kasper Timm Hansen
-
Use the Active Support JSON encoder for cookie jars using the
:json
or:hybrid
serializer. This allows you to serialize custom Ruby objects into cookies by defining the#as_json
hook on such objects.Fixes #16520.
Godfrey Chan
-
Add
config.action_dispatch.cookies_digest
option for setting custom digest. The default remains the same - 'SHA1'.Łukasz Strzałkowski
-
Move
respond_with
(and the class-levelrespond_to
) to theresponders
gem.José Valim
-
When your templates change, browser caches bust automatically.
New default: the template digest is automatically included in your ETags. When you call
fresh_when @post
, the digest forposts/show.html.erb
is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions.If you render a different template, you can now pass the
:template
option to include its digest instead:fresh_when @post, template: 'widgets/show'
Pass
template: false
to skip the lookup. To turn this off entirely, set:config.action_controller.etag_with_template_digest = false
Jeremy Kemper
-
Remove deprecated
AbstractController::Helpers::ClassMethods::MissingHelperError
in favor ofAbstractController::Helpers::MissingHelperError
.Yves Senn
-
Fix
assert_template
not being able to assert that no files were rendered.Guo Xiang Tan
-
Extract source code for the entire exception stack trace for better debugging and diagnosis.
Ryan Dao
-
Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8 loopback address.
Earl St Sauver, Sven Riedel
-
Preserve original path in
ShowExceptions
middleware by stashing it asenv["action_dispatch.original_path"]
ActionDispatch::ShowExceptions
overwritesPATH_INFO
with the status code for the exception defined inExceptionWrapper
, so the path the user was visiting when an exception occurred was not previously available to any custom exceptions_app. The originalPATH_INFO
is now stashed inenv["action_dispatch.original_path"]
.Grey Baker
-
Use
String#bytesize
instead ofString#size
when checking for cookie overflow.Agis Anastasopoulos
-
render nothing: true
or rendering anil
body no longer add a single space to the response body.The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This is been fixed since and the workaround is no longer necessary.
Use
render body: ' '
if the old behavior is desired.See #14883 for details.
Godfrey Chan
-
Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash").
Greg Campbell
-
Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
Karl Entwistle
-
Generate shallow paths for all children of shallow resources.
Fixes #15783.
Seb Jacobs
-
JSONP responses are now rendered with the
text/javascript
content type when rendering through arespond_to
block.Fixes #15081.
Lucas Mazza
-
Add
config.action_controller.always_permitted_parameters
to configure which parameters are permitted globally. The default value of this configuration is['controller', 'action']
.Gary S. Weaver, Rafael Chacon
-
Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
Fixes #15511.
Larry Lv
-
ActionController::Parameters#require now accepts
false
values.Fixes #15685.
Sergio Romano
-
With authorization header
Authorization: Token token=
,authenticate
now recognize token as nil, instead of "token".Fixes #14846.
Larry Lv
-
Ensure the controller is always notified as soon as the client disconnects during live streaming, even when the controller is blocked on a write.
Nicholas Jakobsen, Matthew Draper
-
Routes specifying 'to:' must be a string that contains a "#" or a rack application. Use of a symbol should be replaced with
action: symbol
. Use of a string without a "#" should be replaced withcontroller: string
.Aaron Patterson
-
Fix URL generation with
:trailing_slash
such that it does not add a trailing slash after.:format
Dan Langevin
-
Build full URI as string when processing path in integration tests for performance reasons.
Guo Xiang Tan
-
Fix
'Stack level too deep'
when renderinghead :ok
in an action method called 'status' in a controller.Fixes #13905.
Christiaan Van den Poel
-
Add MKCALENDAR HTTP method (RFC 4791).
Sergey Karpesh
-
Instrument fragment cache metrics.
Adds
:controller
: and:action
keys to the instrumentation payload for the*_fragment.action_controller
notifications. This allows tracking e.g. the fragment cache hit rates for each controller action.Daniel Schierbeck
-
Always use the provided port if the protocol is relative.
Fixes #15043.
Guilherme Cavalcanti, Andrew White
-
Moved
params[request_forgery_protection_token]
into its own method and improved tests.Fixes #11316.
Tom Kadwill
-
Added verification of route constraints given as a Proc or an object responding to
:matches?
. Previously, when given an non-complying object, it would just silently fail to enforce the constraint. It will now raise anArgumentError
when setting up the routes.Xavier Defrang
-
Properly treat the entire IPv6 User Local Address space as private for purposes of remote IP detection. Also handle uppercase private IPv6 addresses.
Fixes #12638.
Caleb Spare
-
Fixed an issue with migrating legacy json cookies.
Previously, the
VerifyAndUpgradeLegacySignedMessage
assumes all incoming cookies are marshal-encoded. This is not the case whensecret_token
is used in conjunction with the:json
or:hybrid
serializer.In those case, when upgrading to use
secret_key_base
, this would cause aTypeError: incompatible marshal file format
and a 500 error for the user.Fixes #14774.
Godfrey Chan
-
Make URL escaping more consistent:
- Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
- Add an
escape_segment
helper toRouter::Utils
that escapes '/' characters - Use
escape_segment
rather thanescape_fragment
in optimized URL generation - Use
escape_segment
rather thanescape_path
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g.
*foo
) then we useescape_path
as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a:controller
segment is used in the path then this usesescape_path
as the controller may be namespaced.Fixes #14629, #14636 and #14070.
Andrew White, Edho Arief
-
Add alias
ActionDispatch::Http::UploadedFile#to_io
toActionDispatch::Http::UploadedFile#tempfile
.Tim Linquist
-
Returns null type format when format is not know and controller is using
any
format block.Fixes #14462.
Rafael Mendonça França
-
Improve routing error page with fuzzy matching search.
Winston
-
Only make deeply nested routes shallow when parent is shallow.
Fixes #14684.
Andrew White, James Coglan
-
Append link to bad code to backtrace when exception is
SyntaxError
.Boris Kuznetsov
-
Swapped the parameters of assert_equal in
assert_select
so that the proper values were printed correctly.Fixes #14422.
Vishal Lal
-
The method
shallow?
returns false if the parent resource is a singleton so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents.Fixes #14388.
Andrew White
-
Make logging of CSRF failures optional (but on by default) with the
log_warning_on_csrf_failure
configuration setting inActionController::RequestForgeryProtection
.John Barton
-
Fix URL generation in controller tests with request-dependent
default_url_options
methods.Tony Wooster
Please check 4-1-stable for previous changes.