In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
config.action_view.prefix_partial_path_with_controller_namespace
This allows you to choose to render @post using
/posts/_post.erb instead of /admin/posts/_post.erb
inside Admin::PostsController.
I have found that Rails will take an invalid session ID specified by the
client and materialize a session based on that session ID. This means
that it is possible, among other things, for a client to use an
arbitrarily weak session ID or for a client to resurrect a previously used
session ID. In other words, we cannot guarantee that all session IDs are
generated by the server and that they are (statistically) unique through
time.
The fix is to always generate a new session ID in #get_session if an
existing session cannot be found under the incoming session ID.
Also added new tests that make sure that an invalid session ID is never
materialized into a new session, regardless of whether it comes in via a
cookie or a URL parameter (when :cookie_only => false).
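The behaviour this fix describes, as an added example that is not Rails' own code: a minimal in-memory store (hypothetical `SafeSessionStore`) whose `get_session` only honours session IDs the server itself issued and otherwise mints a fresh one, beside a trusting variant that materializes whatever ID the client sends.

```ruby
require "securerandom"

# Hypothetical in-memory session store modelling the #get_session fix.
# Sessions live in a hash keyed by session ID; in a real deployment this
# would be the cookie store, Active Record store, Memcached, etc.
class SafeSessionStore
  attr_reader :sessions

  def initialize
    @sessions = {} # sid => session data
  end

  # Returns [sid, session]. An incoming ID is honoured only when the
  # server already knows it; an unknown, weak, or stale ID is discarded
  # and a new server-generated ID is issued in its place.
  def get_session(incoming_sid)
    if incoming_sid && @sessions.key?(incoming_sid)
      [incoming_sid, @sessions[incoming_sid]]
    else
      sid = generate_sid
      @sessions[sid] = {}
      [sid, @sessions[sid]]
    end
  end

  # The pre-fix behaviour, kept for contrast: any client-supplied ID is
  # materialized into a live session, so the client controls the ID.
  def get_session_trusting(incoming_sid)
    sid = incoming_sid || generate_sid
    @sessions[sid] ||= {}
    [sid, @sessions[sid]]
  end

  # Logout: after this, the old ID must not be resurrected by a later request.
  def destroy_session(sid)
    @sessions.delete(sid)
  end

  private

  # Server-side, unpredictable ID (128 bits of randomness, hex-encoded).
  def generate_sid
    SecureRandom.hex(16)
  end
end
```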
Previously the runtime was reset implicitly when #cleanup_view_runtime was called at the end of most requests. However, this doesn't happen when the request redirects, or send_file is called. Consequently, the ActiveRecord runtime recorded in the logs included the time taken for both the current request and the previous redirect. Explicitly resetting at the start of each request ensures that this can't happen, no matter what occurs previously.
This removes all deprecated classes in ActionController related to
Routing, Abstract Request/Response and Integration/IntegrationTest.
All tests and docs were changed to ActionDispatch instead of ActionController.
This applies only to the Active Record store and the Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.
Signed-off-by: José Valim <jose.valim@gmail.com>
This allows the following setup to work:
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Supplies defaults for any named route parameter the caller leaves out
  def default_url_options(options=nil)
    { :locale => I18n.locale }
  end
end
# From your views and controllers:
I18n.locale #=> :en
users_url #=> "/en/users"
users_url(:pl) #=> "/pl/users"
user_url(1) #=> "/en/users/1"
user_url(:pl, 1) #=> "/pl/users/1"
user_url(1, :locale => :pl) #=> "/pl/users/1"
If you provide all expected parameters, it still works as previously.
But if any parameter is missing, it tries to assign all possible ones
with the hash returned in default_url_options or the one passed straight
to the named route method.
Beware that default_url_options in ApplicationController is not shared
with ActionMailer, so you are required to always give the locale in your
email views.