Commit Graph

10169 Commits

Author SHA1 Message Date
Egor Homakov
baa240d09c Use \A in Regexps
So, if there is redirect_to params[:q]
I can send ?q=javascript:asdf()%0A/localpath
or something more nasty, so please use \A
2013-02-01 00:01:11 +07:00
Aaron Patterson
bb21d6ed7a remove dead code 2013-01-30 10:24:58 -08:00
Aaron Patterson
0cabcf924a change parameter name for positional args 2013-01-30 10:24:58 -08:00
Aaron Patterson
cc00239151 nodoc the helper classes, cache stuff for optimized helper 2013-01-30 10:24:58 -08:00
Aaron Patterson
c337e8707c cache path parts in the instance 2013-01-30 10:24:58 -08:00
Aaron Patterson
8e5b4372d0 stop evaling a string every time 2013-01-30 10:24:58 -08:00
Aaron Patterson
27bccf02ee moving helper classes outside the private block 2013-01-30 10:24:58 -08:00
Aaron Patterson
3bfdfc869b pushing specialization down to the optimized class 2013-01-30 10:24:57 -08:00
Aaron Patterson
026c40fc18 use polymorphism to remove conditional 2013-01-30 10:24:57 -08:00
Aaron Patterson
23b2d60697 move conditionals to instance 2013-01-30 10:24:57 -08:00
Aaron Patterson
06f2ec4530 pull stuff out of the caller and hide in the instance 2013-01-30 10:24:57 -08:00
Aaron Patterson
2cdbe2270d moving more stuff on to the instance 2013-01-30 10:24:57 -08:00
Aaron Patterson
d783ba2029 move optimize_helper? to the helper instance 2013-01-30 10:24:57 -08:00
Aaron Patterson
532e12287e moving more stuff to the instance 2013-01-30 10:24:57 -08:00
Aaron Patterson
621ca05ae4 moving some stuff to the initializer 2013-01-30 10:24:57 -08:00
Aaron Patterson
44dd44ad70 moved more evald code 2013-01-30 10:24:57 -08:00
Aaron Patterson
fc8f45a3c1 factored out some of the dynamic code 2013-01-30 10:24:56 -08:00
Semyon Perepelitsa
540ebe37cd Fix content_tag_for with array html option.
It would embed the array as a string instead of joining it like `content_tag` does:

    content_tag(:td, class: ["foo", "bar"]){}
    #=> '<td class="foo bar"></td>'

Before:

    content_tag_for(:td, item, class: ["foo", "bar"]){}
    #=> '<td class="item [&quot;foo&quot;, &quot;bar&quot;]" id="item_1"></td>'

After:

    content_tag_for(:td, item, class: ["foo", "bar"]){}
    #=> '<td class="item foo bar" id="item_1"></td>'
2013-01-31 01:28:57 +08:00
Guillermo Iguaran
673915035d Changelog about BestStandardsSupport removal 2013-01-29 16:35:03 -05:00
Guillermo Iguaran
54a90a4794 Add 'X-UA-Compatible' => 'chrome=1' to default headers 2013-01-29 14:55:03 -05:00
Guillermo Iguaran
3bccd12373 Remove BestStandardsSupport middleware 2013-01-29 14:20:58 -05:00
Carlos Antonio da Silva
29000a7dbd Merge pull request #9104 from bemurphy/remove_bad_idea_parser_test
Remove yaml Proc param parser test
2013-01-29 03:24:17 -08:00
Brendon Murphy
c302741d8f Remove yaml Proc param parser test
I don't believe this test is exercising any explicit params_parser
behavior that the other two Proc tests aren't already doing.  Given
that we now know it's a bad idea to load user input via YAML.load,
somebody reading this test might get a dangerous idea about building
out a YAML params parser.
2013-01-28 23:18:16 -08:00
Akira Matsuda
c38515693a s/ERb/ERB/ 2013-01-29 14:16:30 +09:00
Rafael Mendonça França
ba6cae4cc5 Merge pull request #9096 from tricknotes/fix-code-comment
Fix code comment
2013-01-28 15:49:15 -08:00
Ryunosuke SATO
8a13721b8c Fix JavaScript syntax in code comment [ci skip] 2013-01-29 08:38:26 +09:00
Carlos Antonio da Silva
68f69ec31e Move AS changelog entry to the top, improve AP changelog a bit
[ci skip]
2013-01-28 19:40:18 -02:00
Michiel Sikkes
489138802c Added a Changelog entry for fixing HEAD requests. 2013-01-28 21:29:21 +01:00
Michiel Sikkes
f7277d99bf Make current_url? work with a HEAD method
ActionDispatch::Head was removed in favor of Rack::Head. But Rack::Head
does not convert GET requests to HEAD requests so we need to do
checking for HEAD requests ourselves.
2013-01-28 21:18:57 +01:00
Michiel Sikkes
c4bc360e4e Remove caching_allowed? from ActionController::Caching
Where is this used? No other code references to this method and it
isn't being tested anywhere. No tests fail when commented out.
2013-01-28 21:17:48 +01:00
Santiago Pastorino
5f5a43e2f7 Merge pull request #9032 from firmhouse/head-breaks-csrf
Make HEAD work / convert to GET once more
2013-01-28 07:25:20 -08:00
Akira Matsuda
5f30b547c8 Use Encoding::UTF_8 constant 🚯 2013-01-28 17:06:02 +09:00
Akira Matsuda
59deaecc76 Use already defined Encoding constants rather than creating one-trip Strings 2013-01-28 15:23:31 +09:00
Aaron Patterson
789df3be3e add fetch to CookieJar 2013-01-27 14:17:56 -08:00
Xavier Noria
0b5d3f3273 Merge remote-tracking branch 'docrails/master'
Conflicts:
	actionpack/lib/action_view/helpers/form_options_helper.rb
	guides/code/getting_started/app/controllers/comments_controller.rb
2013-01-26 17:41:56 +01:00
Xavier Noria
4313461587 generic pass before merging docrails 2013-01-26 17:36:38 +01:00
Akira Matsuda
fb2ecaad6c ✂️ "raise" duplication 2013-01-26 12:25:42 +09:00
Carlos Antonio da Silva
9df25844ba Add keys/values methods to TestSession
Bring back the same API we have with Request::Session.
2013-01-25 19:15:32 -02:00
Carlos Antonio da Silva
7d624e0e8c Integrate Action Pack with Rack 1.5
All ActionPack and Railties tests are passing. Closes #8891.

[Carlos Antonio da Silva + Santiago Pastorino]
2013-01-25 17:28:41 -02:00
Aaron Patterson
ccaeb6b667 use the helpers list rather than getting the methods from the module 2013-01-24 15:43:08 -08:00
Aaron Patterson
06573a3a76 module_eval is not necessary here 2013-01-24 15:33:08 -08:00
Aaron Patterson
345fc3badb don't need to eval everything 2013-01-24 15:24:07 -08:00
Akira Matsuda + Koichi Sasada
b7b27fc2a3 Set Thread.abort_on_exception for the whole AS, AP, and AR tests
this would give us some more clues in case a test silently dies inside Thread
2013-01-24 20:00:45 +09:00
Xavier Noria
8ac94d7c89 ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051] 2013-01-23 23:15:26 +01:00
Michiel Sikkes
2ef138f0d4 Added request.head? to forgery protection code 2013-01-22 22:01:57 +01:00
Michiel Sikkes
64245e02e3 Added a test that shows that a HEAD request does not normally pass CSRF protection 2013-01-22 21:05:22 +01:00
Rafael Mendonça França
cb56c39b51 Let's keep using Ruby 1.9 syntax 2013-01-22 10:40:33 -02:00
Rafael Mendonça França
16e0c8816c Only check for unpermitted parameters if
action_on_unpermitted_parameters is present
2013-01-22 10:38:03 -02:00
Xavier Noria
2d9c4017dd avoid creating an object in every call
This was a suggestion of @carlosantoniodasilva, thanks!
2013-01-22 11:18:41 +01:00
Carlos Antonio da Silva
bf112e551b Remove tabs, use spaces ✂️
[ci skip]
2013-01-22 00:35:33 -02:00
Akira Matsuda
1e8d5e62c6 Merge branch 'isolating_tests'
Now we're almost ready to remove this: https://github.com/rails/rails/blob/5294ad8/activesupport/lib/active_support/test_case.rb#L29
2013-01-22 10:27:12 +09:00
Akira Matsuda
9b520d31e5 Restore I18n.locale after running tests 2013-01-22 10:26:44 +09:00
Rafael Mendonça França
5e4fb4da83 Stylistic pass at form_helper_test 2013-01-21 23:01:09 -02:00
José Mota
ee82ce7829 Capture block so content won't leak.
The [following pull request](https://github.com/rails/rails/pull/8916) fixed
the block being passed to the appropriate helper method. However, the content
being passed into the block is generating repeated markup on the page due to
some weird ERb evaluation.

This commit tries to capture the block's generated output so the page isn't
flooded with markup.

[Rafael França + José Mota]

Closes #8936
2013-01-21 22:02:02 -02:00
Piotr Sarnacki
351b0d9092 Update actionpack's CHANGELOG for 445f14e 2013-01-21 21:53:06 +01:00
Akira Matsuda
d1c02a7fc2 Make sure to reset default_url_options 2013-01-22 05:24:23 +09:00
Piotr Sarnacki
445f14e975 Fix asset_path in mounted engine
Historically serving assets from a mountable engine could be achieved by
running ActionDispatch::Static as a part of engine middleware stack or
to copy assets prefixed with an engine name. After introduction of
assets pipeline this is not needed as all of the assets are served or
compiled into main application's assets.

This commit removes the obsolete line making asset_path always generate
paths relative to the root or config.relative_url_root if it's set.

(closes #8119)
2013-01-21 21:21:39 +01:00
Andrew White
c4106d0c08 Duplicate possible frozen string from route
Ruby 1.9 freezes Hash string keys by default so where a route is
defined like this:

  get 'search' => 'search'

then the Mapper will derive the action from the key. This blows up
later when the action is added to the parameters hash and the
encoding is forced.

Closes #3429
2013-01-21 17:14:10 +00:00
Rafael Mendonça França
c6a39c01f7 Merge pull request #9014 from virusman/form_helpers_ar_tests
AR integration tests for form helpers
2013-01-21 05:52:42 -08:00
virusman
9047ca019a Added AR integration tests for form helpers 2013-01-21 17:09:12 +04:00
Rafael Mendonça França
68a6fb6953 Merge pull request #9001 from schneems/schneems/routes-path-js
In Browser Path Matching with Javascript
2013-01-21 04:06:31 -08:00
Carlos Antonio da Silva
57b65ef416 Fix setting expected value in translation tests
It was being set to nil instead due to the wrong assignment.
2013-01-21 09:29:03 -02:00
schneems
8b72d689e3 In Browser Path Matching with Javascript
When debugging routes, it can sometimes be difficult to understand exactly how the paths are matched. This PR adds a JS based path matching widget to the `/rails/info/routes` output. You can enter in a path, and it will tell you which of the routes that path matches, while preserving order (top match wins).

The matching widget in action:

![](http://f.cl.ly/items/3A2F0v2m3m1Z1p3P3O3k/path-match.gif)

Prior to this PR the only way to check matching paths is via mental math, or typing in a path in the url bar and seeing where it goes. This feature will be an invaluable debugging tool by dramatically decreasing the time needed to check a path match.

ATP actionpack
2013-01-20 23:10:24 -06:00
Rafael Mendonça França
e4dbfce1c3 Merge pull request #9007 from dpree/master
Enhanced tests for AbstractController::Translation module
2013-01-20 20:26:17 -08:00
Carlos Antonio da Silva
2061c98b42 Review #translate docs [ci skip] 2013-01-20 22:49:42 -02:00
Carlos Antonio da Silva
9a7411a92b Refactor grep call to remove .each
Grep already yields the matching keys to the given block.
2013-01-20 22:09:32 -02:00
Carlos Antonio da Silva
e0cc7ab3ff Add missing assert calls 2013-01-20 22:03:31 -02:00
Carlos Antonio da Silva
5a69fe724e Use 1.9 hash style in docs/comments [ci skip] 2013-01-20 22:03:25 -02:00
Carlos Antonio da Silva
f12f08d61f Fix markdown formatting to highlight block in changelog [ci skip] 2013-01-20 21:45:05 -02:00
Jens Bissinger
37d15d4e1b Add documentation for abstract controller #translate and #localize method. 2013-01-20 19:15:15 +01:00
Matthew Stopa
56498b4b9e Add documentation to ActionDispatch::Response 2013-01-20 10:41:02 -07:00
Arun Agrawal
53ea940c5b Removing warning: shadowing outer local variable 2013-01-20 23:02:02 +05:30
Xavier Noria
cbec22ce57 strong parameters filters permitted scalars 2013-01-20 17:59:53 +01:00
Jens Bissinger
4685d75736 Removed ActionController::Base dependency from abstract controller translation tests. 2013-01-20 15:53:43 +01:00
Jens Bissinger
1de60c54d3 Test abstract controller's localize method. 2013-01-20 15:44:03 +01:00
Aaron Patterson
b718998f3e Merge pull request #8978 from chrismcg/remove_i18n_symbol_dependency
Remove i18n symbol dependency
2013-01-19 11:20:50 -08:00
Rafael Mendonça França
57126ee5e3 Restore and adapt the implementation reverted at
cc1c3c5be0

Now instead of raise, we log by default in development and test
2013-01-19 15:32:27 -02:00
Thomas Drake-Brockman
130370b1c8 Added ability to raise or log on unpermitted params. 2013-01-20 00:39:24 +08:00
Aaron Patterson
f209b176c3 Merge pull request #8977 from Soylent/master
Resolved issue rails#7774
2013-01-18 17:27:19 -08:00
Guillermo Iguaran
e636f55531 Fix syntax error 😁 2013-01-18 17:16:30 -05:00
schneems
f654c3cfc0 Remove "Application" section title from routes
This PR standardizes the output of the HTML and console based routes to not include the title for "Application Routes" those that are defined by the application. Instead only routes defined in engines get any special treatment.

Based on this conversation:

af5c0fd85f (commitcomment-2458823)

ATP actionpack /cc @carlosantoniodasilva
2013-01-18 15:41:19 -06:00
Francesco Rodriguez
b8ef4f05fb fix broken examples format in image_tag helper [ci skip] 2013-01-18 12:26:03 -05:00
Guillermo Iguaran
8aebe30ef4 Revert "Merge pull request #8989 from robertomiranda/use-rails-4-find-by"
This reverts commit 637a7d9d357a0f3f725b0548282ca8c5e7d4af4a, reversing
changes made to 5937bd02dee112646469848d7fe8a8bfcef5b4c1.
2013-01-18 09:15:19 -05:00
robertomiranda
7baecc4802 User Rails 4 find_by 2013-01-18 07:56:05 -05:00
Thiago Pinto
8c603918ab repeating documentation for option form helpers 2013-01-17 13:45:16 -05:00
Thiago Pinto
d1238afc21 repeating documentation for date and time form helpers 2013-01-17 13:40:01 -05:00
Chris McGrath
60289ab659 Don't change the original i18n data 2013-01-17 16:01:19 +00:00
Chris McGrath
6bb784eab0 Remove i18n symbol dependency
date.order is the only key in rails i18n that is required to be a
symbol. This patch allows for symbols or strings which means:

* No requirement for symbol type in .yml files. A future
  YAML.safe_load wouldn't need to load symbols
* Rails could actually use json rather than yml as the backend
2013-01-17 15:21:26 +00:00
Konstantin Papkovskiy
bebb02fd1c Fix ActionDispatch::Request#formats when HTTP_ACCEPT header is empty string 2013-01-17 17:42:49 +04:00
Carlos Antonio da Silva
ee314a5e5a Remove useless || operation 2013-01-17 09:28:07 -02:00
Arun Agrawal
c9362182c8 Removing : warning: ambiguous first argument; 2013-01-17 14:43:11 +05:30
Carlos Antonio da Silva
038574a538 Deprecate direct calls to AC::RecordIdentifier.dom_id and dom_class
Also add some generic tests to ensure they're properly deprecated.
2013-01-16 23:09:36 -02:00
Colin Burn-Murdoch
3daff0508b Fix date_select :selected option so you can pass it nil 2013-01-16 21:52:09 +00:00
Yves Senn
19e9e67f95 replace regexp global in #url_for 2013-01-16 18:51:12 +01:00
Carlos Antonio da Silva
e5f5863e86 Remove warnings: "(...) interpreted as grouped expression" 2013-01-16 09:41:08 -02:00
Aditya Sanghi
3c19064610 adding regression test in master for #8631 2013-01-16 16:59:45 +05:30
Carlos Antonio da Silva
e7ffb5e4e3 Fix typo introduced in 0004ca3a
[ci skip]
2013-01-16 09:26:45 -02:00
Matthew Stopa
0004ca3a97 More documentation for ActionDispatch::Response
[ci skip]
2013-01-16 00:48:25 -07:00
Matthew Stopa
7b1a58bbae Document ActionDispatch::Response#body method 2013-01-16 00:33:08 -07:00
Rafael Mendonça França
e42b5f99eb Merge pull request #8958 from balexand/strong_parameters_exception_handling
Strong parameters exception handling
2013-01-15 17:28:29 -08:00
Brian Alexander
8e221127ab strong parameters exception handling 2013-01-15 17:45:34 -07:00
Edward Anderson
7925884b5e Remove header bloat introduced by BestStandardsSupport middleware
The same headers were being duplicated on every request.
2013-01-15 19:16:08 -05:00
Andrew White
f1d8f2af72 Change the behavior of route defaults
This commit changes route defaults so that explicit defaults are no
longer required where the key is not part of the path. For example:

  resources :posts, bucket_type: 'posts'

will be required whenever constructing the url from a hash such as a
functional test or using url_for directly. However using the explicit
form alters the behavior so it's not required:

  resources :projects, defaults: { bucket_type: 'projects' }

This changes existing behavior slightly in that any routes which
only differ in their defaults will match the first route rather
than the closest match.

Closes #8814
2013-01-15 17:22:25 +00:00
Andrew White
90d2802b71 Add support for other types of routing constraints
This now allows the use of arrays like this:

  get '/foo/:action', to: 'foo', constraints: { subdomain: %w[www admin] }

or constraints where the request method returns a Fixnum like this:

  get '/foo', to: 'foo#index', constraints: { port: 8080 }

Note that this only applies to constraints on the request - path
constraints still need to be specified as Regexps as the various
constraints are compiled into a single Regexp.
2013-01-15 17:21:33 +00:00
Andrew White
b28fc685a9 Ensure port is set when passed via the process method 2013-01-15 17:21:33 +00:00
Andrew White
db06d12826 Raise correct exception now Journey is integrated.
Now that Journey has been integrated into ActionDispatch we can raise
the exception ActionController::UrlGenerationError directly rather than
raising the internal Journey::Router::RoutingError and then have
ActionDispatch::Routing::RouteSet#generate re-raise the exception.
2013-01-15 17:21:33 +00:00
Carlos Antonio da Silva
9dfe2d6f9f Revert "log at debug level what line caused the redirect_to"
This reverts commit 3fa00070047b5d019d39e691598ee2890283d052.

Reason: This message is usually not accurate and annoying:

    Redirected by ~/.rbenv/versions/1.9.3-p327-perf/lib/ruby/1.9.1/logger.rb:371:in `add'`
2013-01-15 12:47:25 -02:00
Steve Klabnik
1dd89250d1 Merge pull request #8938 from colinbm/date_select_value
Rename :value to :selected for date_select, and add missing tests/docs
2013-01-14 12:18:36 -08:00
Colin Burn-Murdoch
1fecaf15d7 Rename :value option to :selected, in line with other select helpers
Add tests for time & datetime.
Add documentation.
2013-01-14 19:49:07 +00:00
Jeremy Kemper
bf095770e5 Revert benchmark helper regression. Use a #capture within a #benchmark
block. Breaks benchmark calls that return non-String values otherwise.

Revert "add benchmark helper that works in erb"

This reverts commit 904e544cc8f5846de7c31827bb5556c6a238c0de.

Conflicts:
	actionpack/lib/action_view/helpers.rb
	actionpack/lib/action_view/helpers/benchmark_helper.rb
	actionpack/test/template/benchmark_helper_test.rb
2013-01-14 10:24:43 -07:00
Rafael Mendonça França
242f12506d Merge pull request #8916 from josemota/collection-with-block
Collection radio buttons and collection check boxes through FormBuilder render the provided block.

Closes #8897
2013-01-13 18:27:41 -08:00
Colin Burn-Murdoch
aea3820261 Allow value to be set on date_select 2013-01-13 21:03:21 +00:00
Steve Klabnik
a0265b98f1 Associaton -> Association 2013-01-13 10:43:24 -05:00
José Mota
8cc60d8136 Collection radio buttons and collection check boxes through FormBuilder render
the provided block.

In the case of having a form_for method being called, the block for each
collection would not be passed and thus the result expected was always the same.
This patch passes the block to the original method like it would be assumed.
2013-01-12 17:42:18 +00:00
Sam Ruby
c692774bba Fix regression introduced in pull request 8812
See https://github.com/rails/rails/pull/8812#commitcomment-2416514
2013-01-11 16:48:58 -05:00
Carlos Antonio da Silva
d61b49e178 Merge pull request #8882 from goshakkk/clearer-conditional
Clearer conditional in constraint match check
2013-01-11 03:21:51 -08:00
Jon Leighton
94797ed146 Merge pull request #8623 from virusman/form_helpers_collectionproxy_fix
Fixed nested fields bug when called with AssociationProxy
2013-01-11 03:08:41 -08:00
Dylan Smith
bae92681be Fix json params parsing regression for non-object JSON content.
Fixes #8845.
2013-01-11 00:28:32 -05:00
Gosha Arinich
caa54db8a0 clearer conditional in constraint match check 2013-01-10 23:40:57 +03:00
Guillermo Iguaran
416a179ddf Merge pull request #8876 from senny/extract_performance_tests
Extract ActionDispatch::PerformanceTest
2013-01-10 08:10:22 -08:00
Yves Senn
3e1ed7818b extract PerformanceTest into rails-performance_tests gem 2013-01-10 17:09:06 +01:00
Rafael Mendonça França
2b5019e234 Merge pull request #8821 from jamis/master
Evaluate view_cache_dependencies at the instance level

Conflicts:
	actionpack/lib/action_controller/caching.rb
2013-01-10 13:34:40 -02:00
zires
ff8f92b2bf Remove redundant double quotation marks 2013-01-10 10:23:26 +08:00
Aaron Patterson
8ae9b4623e adding missing requires 2013-01-09 15:34:58 -08:00
Nathaniel Jones
d2f1ca29fc Fix typo in deprecation warning 2013-01-09 04:04:57 -06:00
Santiago Pastorino
5d0d82957a Merge pull request #8824 from mjtko/fix/cookie-store-inheritance
Modify CookieStore middleware inheritance to avoid subclassing Rack::Session::Cookie [Fix for #7372]
2013-01-08 17:27:13 -08:00
Carlos Antonio da Silva
b28d6e2c76 Remove :yaml related tests and fix other related to parsing empty arrays
All Action Pack tests are green.
2013-01-08 20:27:48 -02:00
Carlos Antonio da Silva
21879c560f Fix warning: & interpreted as argument prefix 2013-01-08 20:16:20 -02:00
Aaron Patterson
e80546cdec remove yaml as a param parser :burn:
If you revert this commit, I will hunt you down, I will make you regret
every terrible thing you've ever done, I will make you suffer.
2013-01-08 13:50:38 -08:00
Jeremy Kemper
46e0d2397e CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 2013-01-08 12:42:29 -08:00
Aaron Patterson
8e577fe560 * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Conflicts:
	actionpack/CHANGELOG.md
	actionpack/lib/action_dispatch/http/request.rb
	actionpack/lib/action_dispatch/middleware/params_parser.rb
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/predicate_builder.rb
	activerecord/test/cases/relation/where_test.rb
2013-01-08 12:41:24 -08:00
Jeremy Kemper
c31cc963da Revert "Merge branch 'master-sec'"
This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing
changes made to f049016cd348627bf8db0d72382d7580bf802a79.
2013-01-08 12:41:04 -08:00
Aaron Patterson
88cc1688d0 Merge branch 'master-sec'
* master-sec:
  CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
  * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
2013-01-08 12:11:18 -08:00
Jeremy Kemper
2ced6f2f8a CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 2013-01-08 12:03:34 -08:00
Vijay Dev
f049016cd3 Merge branch 'master' of github.com:lifo/docrails
Conflicts:
	guides/source/getting_started.md
2013-01-09 01:04:15 +05:30
Jamis Buck
0121377cfb evaluate the dependency blocks at the instance level, not class level 2013-01-08 12:02:11 -07:00
Jamis Buck
70e684a681 view_cache_dependency API
A declarative API for specifying dependencies that affect template
cache digest computation. In your controller, specify any of said
dependencies:

  view_cache_dependency { "phone" if using_phone? }

When the block is evaluated, the resulting value is included in the
cache digest calculation, allowing you to generate different digests
for effectively the same template. (Mostly useful if you're mucking
with template load paths.)
2013-01-08 11:20:47 -07:00
Steve Klabnik
ac86cbec82 Merge pull request #8810 from NARKOZ/image-submit-tag
set 'alt' attribute for image_submit_tag
2013-01-08 07:39:06 -08:00
David Heinemeier Hansson
cc1c3c5be0 Revert "unpermitted params" exception -- it's just not going to work. See the discussion on https://github.com/rails/strong_parameters/pull/75. 2013-01-08 16:17:30 +01:00
David Heinemeier Hansson
ae3286b743 Never treat action or controller as unpermitted params 2013-01-08 15:52:18 +01:00
Carlos Antonio da Silva
4f002a1df3 Bump rack dependency to 1.4.3
It includes security bug fixes and changes the initialization of
Rack::File to accept a hash, otherwise generating warnings.

See 295806e for the warnings fix.
2013-01-08 10:49:02 -02:00
Sam Ruby
9cc82b7719 Eliminate Rack::File headers deprecation warning
See http://intertwingly.net/projects/AWDwR4/checkdepot/section-6.1.html
rake test produces:
   "Rack::File headers parameter replaces cache_control after Rack 1.5."

Despite what the message says, it appears that the headers parameter change
will be effective as of Rack 1.5:

https://github.com/rack/rack/blob/rack-1.4/lib/rack/file.rb#L24
https://github.com/rack/rack/blob/master/lib/rack/file.rb#L24
2013-01-08 07:22:48 -05:00
Nihad Abbasov
0f8f75c81a set 'alt' attribute for image_submit_tag 2013-01-08 15:56:47 +04:00
Carlos Antonio da Silva
c67005f221 Do not generate local vars for partials without object or collection
Previously rendering a partial without giving :object or :collection
would generate a local variable with the partial name by default.

This was noticed due to warnings in Ruby 2.0 of not used variables,
which turned out to be the generation of not used variables inside
partials that do not contain objects related to them.
2013-01-08 09:15:20 -02:00
Mark J. Titorenko
109a1b3358 Revert cb3181e - no longer required. 2013-01-08 10:10:39 +00:00
Mark J. Titorenko
fc66b6b004 Fix CookieStore middleware inheritance hierarchy s.t. it inherits from Rack::Session::Abstract::ID rather than Rack::Session::Cookie. 2013-01-08 10:10:36 +00:00
Santiago Pastorino
cb3181e81e Avoid Rack security warning no secret provided
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
2013-01-08 00:33:16 -02:00
Aaron Patterson
d99e8c9e16 * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Conflicts:
	actionpack/CHANGELOG.md
	actionpack/lib/action_dispatch/http/request.rb
	actionpack/lib/action_dispatch/middleware/params_parser.rb
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/predicate_builder.rb
	activerecord/test/cases/relation/where_test.rb
2013-01-07 17:20:12 -08:00
Francesco Rodriguez
2aa08e313d improve StrongParameters documentation [ci skip] 2013-01-07 16:18:06 -05:00
Gosha Arinich
ae1f86fab5 access @path and @routes via reader methods in journey 2013-01-07 17:37:02 +03:00