This ensures that the reader will get the information intended at the
time of linking. This also prevents dead links in the case that the
link targets are removed from future versions of the guides.
Removes kindlerb logic
Adds template for epub generator
Renames the kindle dir to /epub
Adds epub module to generator and replaces kindle
Fixes mimetype
Creates basic epub book
Deletes old kindle module
Adds zip package
Updates rubyzip gem name
Removes now unused gepub gem
Adds the required container file for epubs
Fixes media type
Adds new epub generation logic
Removes all buttons from output html
Refactors and generates valid epub files
Removes frontmatter logic used for kindlegen
Filters out epub files in zip
Updates link to kindle doc on sidebar
Fixes rubocop issues
Adds deprecation warning for the old kindle task
Refactors and cleans up epub module
Cleans up epub code
Cleans up private internal method code style
Removes unnecessary imagemagick check
Previously, BigDecimal was listed as not needing a serializer. However,
when used with an adapter storing the job arguments as JSON, it would get
serialized as a simple String, resulting in deserialization also producing
a String (instead of a BigDecimal).
By using a serializer, we ensure the round trip is safe.
During upgrade deployments of applications with multiple replicas making use of
BigDecimal job arguments with a queue adapter serializing to JSON, there exists
a possible race condition, whereby a "new" replica enqueues a job with an
argument serialized using `BigDecimalSerializer`, and an "old" replica fails to
deserialize it (as it does not have `BigDecimalSerializer`).
Therefore, to ensure safe upgrades, serialization will not use
`BigDecimalSerializer` until `config.active_job.use_big_decimal_serializer` is
enabled, which can be done safely after successful deployment of Rails 7.1.
This option will be removed in Rails 7.2, when it will become the default.
Previously, named variants could only be used when calling the
`variant` method on an attachment. For files that are not `variable?`
but `previewable?` those pre-defined variants could not be used.
With this patch, the methods `preview` and `representation` also allow
to be passed a variation name as a symbol.
class User < ActiveRecord::Base
has_one_attached :file do |attachable|
attachable.variant :thumb, resize_to_limit: [100, 100]
end
end
<%= image_tag user.file.representation(:thumb) %>
In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.
This default is configurable via ActiveRecord.use_yaml_unsafe_load
We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych 4.0.0
The list of safe_load permitted classes is configurable via
ActiveRecord.yaml_column_permitted_classes
[CVE-2022-32224]
The Active Record Validations guide use `Person < ApplicationRecord`
in all examples. When reading about Custom Validators, one of the
examples had a different configuration. By using the same example
everywhere, this change helps the user save time and feel more confident
using the feature.
The default strategy will continue to forward messages to the connection adapter,
but applications can configure a custom strategy class to use instead.
The only time #45163 and #45344 have an effect is when the hash value passed to `where` is a model object. The current sample code does not change behavior between Rails 7.0 and 7.1
When `main.css` is updated, it is easy for `main.rtl.css` to be
overlooked (see #45423).
This commit eliminates `main.rtl.css` in favor of a unified approach to
LTR / RTL styling in `main.css`. To accomplish this, the `<body>`
element is rendered with a [`dir` attribute][] (which has the same
effect as setting the CSS `direction` property), and LTR- / RTL-specific
styles are prefixed with `:where(body[dir="..."])` selectors. (The
[`:where()` pseudo-class][] ensures that selector specificity is not
changed.)
This change also paves the way for automatic detection and application
of LTR / RTL styles when the [`:dir()` pseudo-class][] gains widespread
browser support.
[`dir` attribute]: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/dir
[`:where()` pseudo-class]: https://developer.mozilla.org/en-US/docs/Web/CSS/:where
[`:dir()` pseudo-class]: https://developer.mozilla.org/en-US/docs/Web/CSS/:dir
activerecord-session_store was removed in 0ffe190, and has been
displaying a special error message when missing since Rails 4.0.
Replace the specific error message so that third party stores get nicer
error handling as well
Previously, there was a small amount of grouping of related config
options. However, the lack of an ordered list made options feel less
discoverable than when they are sorted.
In addition, filled in descriptions for a number of config options that
were missing.
Previously there seems to be a mix of alphabetical ordering with some
grouping around related options. This makes the discoverability of
options much easier when scrolling through the list.
This removes the singularize from `where` which runs on all `expand_from_hash` keys which might be reflections or column names. This saves a lot of time by avoiding singularizing column names.
Previously in https://github.com/rails/rails/pull/45163 the singularize was removed entirely. after some reflection, I think it is better to at least give a warning for one release since `where` is a very popular API and the problems you can run into with incorrect relation could be hard to debug.
Configurable with `ActiveRecord::Base.allow_deprecated_singular_assocaitions_name = false` / `config.active_record.allow_deprecated_singular_assocaitions_name = false`
The current Command Line guide has an advanced section describing
specifying git as SCM and PostgreSQL as the database. This section is
easily overlooked: https://github.com/rails/rails/issues/44325
By moving whole "advanced" section under the `rails new` section, it's
easier to find. Also specifying the database is pretty common I guess
and not an "advanced" topic.
All mentions of the SCM option have been removed, as it seems to no
longer be an option and we always initialize with Git only.
This used to be `config.secret_key_base` but was changed to
`secrets.secret_key_base` in ae75289 and the `secrets.` prefix was
removed in ca18922 when credentials were added.
`secret_key_base` by itself doesn't really fit with the rest of this
section, so the header and description were changed to document the
config value explicitly, and a reference was added to the api docs for
the recommended approaches at setting its value.
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
https://github.com/rails/rails/pull/45235 is a new default, and while it is a better default I think it is still worth alerting users to it. If we aren't adding a new config for it then I think we should note it in the upgrade guide so it doesn't get lost in the changelog.
This change to the guides reflects that the PostgreSQL function used to generate UUIDs `gen_random_uuid ()` is part of PostgreSQL core beginning with version 13.0.
No special extensions are needed for users who want to use UUIDs with PostgreSQL equal or greater version 13.0.
See https://www.postgresql.org/docs/current/functions-uuid.html and https://www.postgresql.org/docs/release/13.0/ (look for `gen_random_uuid()` in release notes) for further reference.
On small screens the guides index is shown as a select dropdown.
The Guides Index option has the value 'index.html'.
When visiting `https://guides.rubyonrails.org/` this option won't be
selected as the pathname doesn't include index.html.
Javascript treats empty strings as falsey, so for the root path we can
return `index.html` instead of a empty string.
The way the guide is written now, it's not clear if the first counter value will be `0` or `1`, so I made it explicit that it's `0`.
Co-authored-by: Petrik de Heus <petrik@deheus.net>
- installing packages requires sudo
- imagemagick package was not found, corrected with imagemagick6
(eventually we may want imagemagick7 but this is consistent with
stable releases on other distros for now)
Co-authored-by: Yasuo Honda <yasuo.honda@gmail.com>
The edits in section 1.2.1 of this guide are being proposed as the value argument passed to `check_box` is not in the second position, it is the third argument as shown [here](https://api.rubyonrails.org/v7.0.3/classes/ActionView/Helpers/FormBuilder.html#method-i-check_box) and in turn the language around the argument list for `radio_button` in section 1.2.2 needed to be altered as well.
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
* add section for host header attack prevention in rails security guide
* Fix wrong rails setting key for HostAuthorization middleware
The original documention was wrong, the rails configuration key is called host_authorization.
* add a short intro on how dns rebinding attacks work
* Apply suggestions from code review
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* add header for devcontainers, this serves two purposes:
* Despite what was previously implied, it indeed *is* possible to use
local devcontainers even if you are a member of an organization that
has codespaces enabled
* More importantly, adding a separate heading makes the option more
likely to be found by people who are *not* a member of an organization
that has codespaces enabled and therefore skip over to the next
bullet based on the heading.
* Update guides/source/contributing_to_ruby_on_rails.md
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
* Update guides/source/contributing_to_ruby_on_rails.md
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
This adds `:db_runtime` to `perform.active_job` notification payloads,
which is the total time taken by database queries while performing a
job. This value can be used to better understand how a job's time is
spent.
This is similar to the `:db_runtime` value added to
`process_action.action_controller` notification payloads by
`ActiveRecord::Railties::ControllerRuntime`.
Closes#35354.
Co-authored-by: Cory Gwin <gwincr11@github.com>
The current example is ambiguous as it uses 'admin' for both the scope
and `:as` option.
This change clarifies the example by explaining what `scope` does and
what the `:as` option does.
Co-authored-by: Hartley McGuire <skipkayhil@gmail.com>
Adds more details to several HTTP security headers.
The X-Content-Security-Policy header was removed from the list of common
headers as it already has its own section.
The Strict-Transport-Security header was moved from the list of common
headers to its own section.
The Referrer-Policy and X-Permitted-Cross-Domain-Policies headers were
added to the list as they are part of the defaults.
Changed the example for configuring the default headers to overriding
single headers instead of all headers. This could help avoid
unsetting headers by accident.
Sdoc 2.4.0 supports a CSS badge that can be set by passing the version
as the HORO_BADGE_VERSION env variable.
The old badge image can be removed, as it no longer needs to be copied
by the docs server: https://github.com/rails/rails-docs-server/pull/28
Clarify to users what objects may be cached, and highlight the option used to cache default non-serializable data.
Purpose: Improving new-to-Rails users' experience, as this detail may not be obvious, costing them time and effort spent debugging.
Co-authored-by: Hartley McGuire <skipkayhil@gmail.com>
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
* Improve upgrade guide section on cookies rotator
The Rails upgrade guide, in the section about upgrading from Rails 6.1 to Rails 7.0, contains some example code defining a cookie rotator for encrypted cookies, as Rails 7 changed the default digest for the key generator from `SHA1` to `SHA256`. The problem is that the provided example code only rotates encrypted cookies, and not signed ones. Rotating signed cookies is also usually necessary for the same reason, and failure to do so results in old cookies not being read. For example, when using the popular Rails authentication framework [Devise](https://github.com/heartcombo/devise) with the `rememberable` strategy, the "remember me" token is saved as a signed cookie, and without defining a rotator all users would be logged out following an upgrade to Rails 7.
This change improves the example code in the documentation by also rotating signed cookies. Note that providing an example is important, because rotating the signed cookies involves some technicality that is not obvious to users who are not comfortable with reading the [relevant Rails internal code](649516ce0f/actionpack/lib/action_dispatch/middleware/cookies.rb (L615)) (a different salt is used for signed cookies, and the `key_len` argument is omitted when generating the secret).
The improved example code should hopefully save some mistakes for users following the upgrade guide.
* Apply suggestions from code review
Better naming for the signed cookie salt variable
Co-authored-by: Vipul A M <vipul@hey.com>
* Apply suggestions from code review
Better naming also for the authenticated encrypted cookie salt variable
Co-authored-by: Vipul A M <vipul@hey.com>
Co-authored-by: Vipul A M <vipul@hey.com>
`active_storage_service` needs version `"~> 2.0"` of `azure-storage-blob` because version 1.1.0 of the gem doesn't support Ruby > 2.5 0920b02c1d
Credit for this goes to @SkipKayhil for spotting this in issue I raised https://github.com/rails/rails/issues/44960
This will ensure the guide is aligned with the doc on some things that I believe it's useful. Some folks do go for the guides more of than the api for a quick reference.
Order alphabetically
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
Add change colum and table comment links for reference in guide
Update working so we know this list may keep changing
Every time I write `config.cache_classes` I have to pause for a moment to make
sure I get it right. It makes you think.
On the other hand, if you read `config.enable_reloading = true`, does the
application reload? You do not need to spend 1 cycle of brain CPU to nod.
The Middleware `ActionDispatch::HostAuthorization` configuration documentation references `config.host_configuration`. Correct this to `config.host_authorization` to match the source code documentation in `action_dispatch/middleware/host_authorization.rb`.
`secrets.secret_key_base` can be one of the many different places where `secret_key_base` is set and therefore it might not work with your application.
Updating the docs to use `Rails.application.secret_key_base` fixes the issue.
Rails `secret_key_base` - [docs](https://api.rubyonrails.org/classes/Rails/Application.html#method-i-secret_key_base)
* Add docs about how to use remote browser in test
* Update guides/source/testing.md
Co-authored-by: Lewis Buckley <lewis@lewisbuckley.co.uk>
Co-authored-by: Lewis Buckley <lewis@lewisbuckley.co.uk>
The content_security_policy initializer template was updated in 40b25fd
to suggest a method compatible with conditional GET requests by default,
so this updates the security documentation to describe the difference
between the original value and the "etag compatible" value and when
they should be used.
This functionality has been deprecated since Rails 6.1 and can now be
removed. I've deleted all code, docs, references, and tests related to
this feature.
`validates_associated` makes sure that passed associations are validated
everytime the record is saved. This is unlike other validations that
validate an attribute/association has a certain value.
Typically you won't call:
validates :books, associated: true
By grouping `validates_associated` with `validates_with` and
`validates_each` it's made clearer `validates_associated` is a bit
different.
With this change the validations are sorted alphabetically.
* Remove outdated information
* Clean up language and sentence structure to be clearer
* Remove commands that are no longer necessary
* Add note about how to move past the native extension issues with
mysql2 since it's become a big problem.
Condition arguments are escaped to prevent SQL injection, SQL LIKE
wildcards (i.e., `%` and `_`) are not escaped. But there are no
description about SQL LIKE escape in the rails querying guide. So,
this adds a description about SQL LIKE escape to the guide.
I read through these and found that some of the advice was old and/or
outdated. This change takes a pass at improving the contributing guide.
I'll tackle the local development process next.
In my changes I aimed to:
* Remove outdated information about how to do something (for example
backports should be done with `cherry-pick`, not `.patch` files).
* Rewrite the easiest, easy, and hard way to better explain each version
rather than refer to them as easy/hard. I also recommend against the
rails-dev-box for M1's.
* Remove any language that is flippant or dismissive of contribution
efforts to better.
* Recommend more modern tools and documentation where appropriate.
Ruby 2.7+ includes DidYouMean::SpellChecker, so we can use that for
suggesting corrections for broken links instead of a vendored
Levenshtein algorithm.
The `ChatRelayJob` under "14.3 Custom Assertions And Testing Broadcasts Inside Other Components" defined a `perform_later` method, which I think should just be `perform`.
This allows applications to specify the maximum number of records that
will be destroyed in a single background job by the `dependent:
:destroy_async` association option. By default, the current behavior
will remain the same: when a parent record is destroyed, all dependent
records will be destroyed in a single background job. If the number of
dependent records is greater than this configuration, the records will
be destroyed in multiple background jobs.
At GitHub, we have a custom method for destroying associated records
in the background that we'd like to replace with
`dependent: :destroy_async`. Some associations have a large number of
dependent records, and our infrastructure requires that background jobs
complete quickly, so we limit the maximum number of dependent records
destroyed in a single background job and enqueue additional jobs when
the number of records exceeds that limit.