Update guide for render file:

Most of this section was written from the time that render file: was the default, before CVE-2016-0752. This updates the guide to the Rails 6 `render file:` behaviour, moves it to a more appropriate part of the file. [ci skip]

Update guide for render file:
Most of this section was written from the time that render file: was the default, before CVE-2016-0752. This updates the guide to the Rails 6 `render file:` behaviour, moves it to a more appropriate part of the file. [ci skip]
c185f793 · John Hawthorn · 211dd25e · c185f793
隐藏空白更改
内联并排

Showing with 17 addition and 19 deletion

guides/source/layouts_and_rendering.md guides/source/layouts_and_rendering.md +17 -19

未找到文件。
--- a/guides/source/layouts_and_rendering.md
+++ b/guides/source/layouts_and_rendering.md
@@ -149,25 +149,6 @@ Rails knows that this view belongs to a different controller because of the embe
 render template: "products/show"
 ```

-#### Rendering an Arbitrary File
-
-The `render` method can also use a view that's entirely outside of your application:
-
-```ruby
-render file: "/u/apps/warehouse_app/current/app/views/products/show"
-```
-
-The `:file` option takes an absolute file-system path. Of course, you need to have rights
-to the view that you're using to render the content.
-
-NOTE: Using the `:file` option in combination with users input can lead to security problems
-since an attacker could use this action to access security sensitive files in your file system.
-
-NOTE: By default, the file is rendered using the current layout.
-
-TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
-render a file, because Windows filenames do not have the same format as Unix filenames.
-
 #### Wrapping it up

 The above three ways of rendering (rendering another template within the controller, rendering a template within another controller, and rendering an arbitrary file on the file system) are actually variants of the same action.
@@ -279,6 +260,23 @@ time.
 NOTE: Unless overridden, your response returned from this render option will be
 `text/plain`, as that is the default content type of Action Dispatch response.

+#### Rendering raw file
+
+Rails can render a raw file from an absolute path. This is useful for
+conditionally rendering static files like error pages.
+
+```ruby
+render file: "#{Rails.root}/public/404.html", layout: false
+```
+
+This renders the raw file (it doesn't support ERB or other handlers). By
+default it is rendered within the current layout.
+
+WARNING: Using the `:file` option in combination with users input can lead to security problems
+since an attacker could use this action to access security sensitive files in your file system.
+
+TIP: `send_file` is often a faster and better option if a layout isn't required.
+
 #### Options for `render`

 Calls to the `render` method generally accept five options: