TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
4fe767535d
rails/actionpack/CHANGELOG.md

161 lines
4.7 KiB
Markdown
Raw Normal View History

Modify respond_to behaviour always setting the request's content type: - `respond_to any` doesn't allow to specify a content type and the content type in the response will be based on the request format. ```ruby def my_action respond_to do |format| format.html { render(html: 'hello') } format.any { render(json: { foo: 'bar'}) } end end get('my_action.csv') # Before this patch, content type was `text/csv' # Ather this patch, content type is correctly set to whateve we did in the `format.any` block ``` If the client specify the type of data he wants but the server doesn't know how to handle it and return plain text (or whatever) I don't think it make sense to falsey claim that we are returning a `text/csv` a response where in fact we are returning something else. Fix #37345
2019-11-01 00:06:05 +00:00
* `respond_to#any` no longer returns a response's Content-Type based on the
request format but based on the block given.
Example:
```ruby
def my_action
respond_to do |format|
format.any { render(json: { foo: 'bar' }) }
end
end
get('my_action.csv')
```
The previous behaviour was to respond with a `text/csv` Content-Type which
is inaccurate since a JSON response is being rendered.
Now it correctly returns a `application/json` Content-Type.
* Edouard Chin*
Remove slashes and backslashes from image paths When a test method name includes a slash (e.g. `test "signup on the /signup page"`) the screenshot is generated in the nested directory on systems that use slash as a directory separator (e.g. a screenshot called `signup_page.png` is generated within `failures_signup_on_the_`). Nesting screenshots causes an issue with `tmp:clear` rake task: ``` == Removing old logs and tempfiles == rails aborted! Errno::EISDIR: Is a directory @ apply2files - tmp/screenshots/failures_signup_on_the_ /var/lib/gems/2.5.0/gems/railties-5.2.3/lib/rails/tasks/tmp.rake:41:in `block (3 levels) in <top (required)>' /var/lib/gems/2.5.0/gems/railties-5.2.3/lib/rails/commands/rake/rake_command.rb:23:in `block in perform' ... Tasks: TOP => tmp:clear => tmp:screenshots:clear ``` While the error could be prevented by changing `tmp:clear` task, there's no reason to generate deep directory structures for tests using slashes. To prevent a similar problem on Windows, we'll also "sanitize" backslashes. Replacing the problamatic characters with dashes seems to be a safe workaround, although dash is very arbitrary choice in this case. Co-Authored-By: Louis-Michel Couture <louim_1@hotmail.com>
2019-11-12 21:44:10 +00:00
* Replaces (back)slashes in failure screenshot image paths with dashes.
If a failed test case contained a slash or a backslash, a screenshot would be created in a
nested directory, causing issues with `tmp:clear`.
*Damir Zekic*
Add params.member? to mimic Hash behavior
2019-11-19 15:03:01 +00:00
* Add `params.member?` to mimic Hash behavior
*Younes Serraj*
Add :uuid to process_action.action_controller payloads
2019-11-04 15:30:38 +00:00
* `process_action.action_controller` notifications now include the following in their payloads:
Provide the whole request
2019-11-04 23:29:38 +00:00
* `:request` - the `ActionDispatch::Request`
Provide the whole response
2019-11-16 13:17:01 +00:00
* `:response` - the `ActionDispatch::Response`
Add :location to process_action.action_controller payloads
2019-11-04 12:46:48 +00:00
*George Claghorn*
Updated `ActionDispatch::Request.remote_ip=` Updated the setter to clear the value in the `@remote_ip` instance variable before setting the header that the value is derived from in the getter.
2019-10-06 21:28:43 +00:00
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
`remote_ip` to `nil` before setting the header that the value is derived
from.
Fixes https://github.com/rails/rails/issues/37383
*Norm Provost*
Add ActionController::Base.log_at Allow setting a different log level per request.
2019-09-24 17:47:34 +00:00
* `ActionController::Base.log_at` allows setting a different log level per request.
```ruby
# Use the debug level if a particular cookie is set.
class ApplicationController < ActionController::Base
log_at :debug, if: -> { cookies[:debug] }
end
```
*George Claghorn*
Add code to save the HTML of the page being screenshotted during the `take_screenshot` method that is enabled by a new environment variable - RAILS_SYSTEM_TESTING_SCREENSHOT_HTML=1 Add the ability to call `take_screenshot` more than once in a single test by prefixing the name of the image file with a counter that is incremented on every `take_screenshot` call. This allows a developer to see their pages in sequence when trying to debug test errors. This does not affect the failure case where the prefix remains 'failures'
2019-06-24 02:41:30 +00:00
* Allow system test screen shots to be taken more than once in
a test by prefixing the file name with an incrementing counter.
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
enable saving of HTML during a screenshot in addition to the image.
This uses the same image name, with the extension replaced with `.html`
*Tom Fakes*
Add `Vary: Accept` header when rendering Problem description (quoted from @rafaelfranca's excellent explanation in https://github.com/rails/jquery-ujs/issues/318#issuecomment-88129005): > Let say that we requested /tasks/1 using Ajax, and the previous page has the same url. When we click the back button the browser tries to get the response from its cache and it gets the javascript response. With vary we "fix" this behavior because we are telling the browser that the url is the same but it is not from the same type what will skip the cache. And there's a Rails issue discussing about this problem as well https://github.com/rails/rails/issues/25842 Also, according to [RFC 7231 7.1.4](https://tools.ietf.org/html/rfc7231#section-7.1.4) > An origin server SHOULD send a Vary header field when its algorithm > for selecting a representation varies based on aspects of the request > message other than the method and request target we should add `Vary: Accept` header when determining content based on the `Accept` header. Although adding such header by default could cause unnecessary cache invalidation. But this PR only adds the header if: - The format param is not provided - The request is a `xhr` request - The request has accept headers and the headers are valid So if the user - sends request with explicit format, like `/users/1.json` - or sends a normal request (non xhr) - or doesn't specify accept headers then the header won't be added. See the discussion in https://github.com/rails/rails/issues/25842 and https://github.com/rails/rails/pull/36213 for more details.
2019-05-08 14:28:47 +00:00
* Add `Vary: Accept` header when using `Accept` header for response
For some requests like `/users/1`, Rails uses requests' `Accept`
header to determine what to return. And if we don't add `Vary`
in the response header, browsers might accidentally cache different
types of content, which would cause issues: e.g. javascript got displayed
instead of html content. This PR fixes these issues by adding `Vary: Accept`
in these types of requests. For more detailed problem description, please read:
https://github.com/rails/rails/pull/36213
Fixes #25842
*Stan Lo*
fix `follow_redirect!` not using the same HTTP verb on 307 redirection: - According to the HTTP 1.1 spec, the 307 redirection guarantees that the method and the body will not be changed during redirection. This PR fixes that since follow_redirect! would always follow the redirection my making a GET request. Ref https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307
2018-10-12 06:06:13 +00:00
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
a 307 redirection.
*Edouard Chin*
Stop setting a default Capybara app host It's intended not to be set if Capybara starts the app server itself. Base Rails-generated URLs off of Capybara.current_session.server_url instead.
2019-07-25 02:19:21 +00:00
* System tests require Capybara 3.26 or newer.
*George Claghorn*
Reduce log noise handling ActionController::RoutingErrors Each time a missing route is hit 32 lines of internal rails traces are written to the log. This is overly verbose and doesn't offer any actionable information to the user. With this change we'll still write an error message showing the route error but the trace will be omitted.
2018-01-04 11:27:14 +00:00
* Reduced log noise handling ActionController::RoutingErrors.
*Alberto Fernández-Capel*
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
2019-07-10 22:33:16 +00:00
* Add DSL for configuring HTTP Feature Policy
Fix typo in actionpack changelog, `a HTTP` -> `an HTTP` [ci skip]
2019-09-23 23:33:10 +00:00
This new DSL provides a way to configure an HTTP Feature Policy at a
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
2019-07-10 22:33:16 +00:00
global or per-controller level. Full details of HTTP Feature Policy
specification and guidelines can be found at MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Example global policy
```
Rails.application.config.feature_policy do |f|
f.camera :none
f.gyroscope :none
f.microphone :none
f.usb :none
f.fullscreen :self
Use reserved domain for example configuration Updates the generator output to use a reserved domain[1] instead of a potentially real world domain. [1]: https://tools.ietf.org/html/rfc2606#section-3
2019-07-14 21:10:22 +00:00
f.payment :self, "https://secure.example.com"
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
2019-07-10 22:33:16 +00:00
end
```
Example controller level policy
```
class PagesController < ApplicationController
feature_policy do |p|
p.geolocation "https://example.com"
end
end
```
*Jacob Bednarz*
Add the ability to set the CSP nonce only to the specified directives I changed to set CSP nonce to `style-src` directive in #32932. But this causes an issue when `unsafe-inline` is specified to `style-src` (If a nonce is present, a nonce takes precedence over `unsafe-inline`). So, I fixed to nonce directives configurable. By configure this, users can make CSP as before. Fixes #35137.
2019-02-03 02:33:44 +00:00
* Add the ability to set the CSP nonce only to the specified directives.
Fixes #35137.
*Yuji Yaginuma*
Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation.
2019-06-04 20:47:33 +00:00
* Keep part when scope option has value.
Keep part when scope option has value When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This patch ensures scope is kept both when the route takes parameters or when it doesn't. Fixes #33219
2018-12-08 21:42:40 +00:00
When a route was defined within an optional scope, if that route didn't
take parameters the scope was lost when using path helpers. This commit
ensures scope is kept both when the route takes parameters or when it
doesn't.
Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation.
2019-06-04 20:47:33 +00:00
Fixes #33219.
Keep part when scope option has value When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This patch ensures scope is kept both when the route takes parameters or when it doesn't. Fixes #33219
2018-12-08 21:42:40 +00:00
*Alberto Almagro*
Implemented deep_transform_keys/! for ActionController::Parameters
2019-05-17 13:13:03 +00:00
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
*Gustavo Gutierrez*
Revert "Merge pull request #36785 from shes50103/fix_typo_actionpack_changelog" This reverts commit ac6f3c9299209ea4b2fa7c368ea1ff406735ca93, reversing changes made to 5b0ea95a1a8acc5054f9a58d324070303cbd19b9.
2019-07-28 06:53:51 +00:00
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
Return parameters enumerator from transform_keys/! Previously calling `ActionController::Parameters#transform_keys/!` without passing a block would return an enumerator for the underlying hash, which was inconsistent with the behaviour when a block was passed: ActionController::Parameters.new(foo: "bar").transform_keys { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false> ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => {"foo"=>"bar"} An enumerator for the parameters is now returned instead, ensuring that evaluating it produces another parameters object instead of a hash: ActionController::Parameters.new(foo: "bar").transform_keys.each { |k| k } => <ActionController::Parameters {"foo"=>"bar"} permitted: false>
2019-05-18 21:49:32 +00:00
an enumerator for the parameters instead of the underlying hash.
*Eugene Kenny*
Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation.
2019-06-04 20:47:33 +00:00
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
It should only block invalid key's values instead.
Make system tests take failed screenshots in `before_teardown` hook Previously we were calling the `take_failed_screenshot` method in an `after_teardown` hook. However, this means that other teardown hooks have to be executed before we take the screenshot. Since there can be dynamic updates to the page after the assertion fails and before we take a screenshot, it seems desirable to minimize that gap as much as possible. Taking the screenshot in a `before_teardown` rather than an `after_teardown` helps with that, and has a side benefit of allowing us to remove the nested `ensure` commented on here: https://github.com/rails/rails/pull/34411#discussion_r232819478
2019-04-21 02:09:50 +00:00
fixed usage of Parameters when a non-numeric key exists test for non-numeric key in nested attributes test: extra blank line between tests removed test for non-numeric key fixed (by Daniel) Update according to feedback
2017-08-01 18:02:41 +00:00
*Stan Lo*
Make system tests take failed screenshots in `before_teardown` hook Previously we were calling the `take_failed_screenshot` method in an `after_teardown` hook. However, this means that other teardown hooks have to be executed before we take the screenshot. Since there can be dynamic updates to the page after the assertion fails and before we take a screenshot, it seems desirable to minimize that gap as much as possible. Taking the screenshot in a `before_teardown` rather than an `after_teardown` helps with that, and has a side benefit of allowing us to remove the nested `ensure` commented on here: https://github.com/rails/rails/pull/34411#discussion_r232819478
2019-04-21 02:09:50 +00:00
Unify to use 4 spaces indentation in CHANGELOGs [ci skip] Especially, somehow `CHANGELOG.md` in actiontext and activestorage in master branch had used 3 spaces indentation.
2019-06-04 20:47:33 +00:00
Start Rails 6.1 development
2019-04-24 19:57:14 +00:00
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
Reference in New Issue Copy Permalink