提交 · c680080967c8941e8a7a6eb44ee3d9e697dd3c91 · 张重言 / rails

30 3月, 2018 1 次提交

Deprecate controller level force_ssl · 4701a50b

由 Derek Prior 提交于 3月 17, 2018

Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:

* `config.force_ssl` is a setting in environment configurations that
  enables the `ActionDispatch::SSL` middleware. With this middleware
  enabled, all HTTP communication to your application will be redirected
  to HTTPS. The middleware also takes care of other best practices by
  setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
  controllers to HTTPS.

As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.

The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.

HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.

4701a50b

26 3月, 2018 1 次提交
- I
  
  Readability fix [ci skip] · 2273f522
  由 Isaac Orme 提交于 3月 25, 2018
  
  2273f522
12 3月, 2018 1 次提交
- Y
  
  Fix note marks [ci skip] · f1b14944
  由 Yauheni Dakuka 提交于 3月 12, 2018
  
  f1b14944
28 11月, 2017 1 次提交
- D
  
  [ci skip] Update MVC wiki link · ce180231
  由 Dixit Patel 提交于 11月 28, 2017
  
  ce180231
25 10月, 2017 1 次提交
- W
  
  [ci skip]Add space before closing curly brace · 4db3449d
  由 willnet 提交于 10月 25, 2017
  
  4db3449d
09 10月, 2017 1 次提交
- Y
  
  Use `form_with` instead of `form_for` in engine guide [ci skip] · 639fded7
  由 Yoshiyuki Hirano 提交于 10月 09, 2017
  
  639fded7
06 10月, 2017 1 次提交
- Y
  
  Cosmetic fixes [ci skip] · de2afdc4
  由 Yauheni Dakuka 提交于 10月 06, 2017
  
  de2afdc4
20 9月, 2017 1 次提交

Use credentials, not secrets, for Active Storage (#30650) · 2f8ecdb2

由 Claudio B 提交于 9月 19, 2017

According to #30067:

> This PR will deprecate secrets.yml* and instead adopt
> config/credentials.yml.enc to signify what these secrets are specifically
> for: Keeping API keys, database passwords, and any other integration
> credentials in one place.

[ci skip] since only comments are being edited.

2f8ecdb2

19 9月, 2017 1 次提交
- Y
  
  Update action_controller_overview.md [ci skip] · fe151750
  由 Yauheni Dakuka 提交于 9月 19, 2017
  
  fe151750
14 9月, 2017 1 次提交

[ci skip] Prefer credentials to secrets in docs. · ca18922a

由 Kasper Timm Hansen 提交于 9月 13, 2017

Removes most mentions of secrets.secret_key_base and explains
credentials instead.

Also removes some very stale upgrade notices about Rails 3/4.

ca18922a

23 8月, 2017 1 次提交
- Y
  
  Use https instead of http in guide [ci skip] · bf48e90e
  由 Yoshiyuki Hirano 提交于 8月 23, 2017
  
  bf48e90e
12 7月, 2017 1 次提交
- Y
  
  Fix english for the rescue_from warning [ci skip] · 57add373
  由 Yuki Nishijima 提交于 7月 11, 2017
  
  57add373
22 5月, 2017 1 次提交
- D
  Improving docs for callbacks execution order [ci skip] · 4f395565
  由 dixpac 提交于 5月 13, 2017
```
When define callbacks latest definition on the same callback/method
overwrites previous ones.
```
  4f395565
30 3月, 2017 1 次提交
- J
  Small grammar fix · f77a6be8
  由 Jon Moss 提交于 3月 29, 2017
```
Add comma and change verb.

[ci skip]
```
  f77a6be8
29 3月, 2017 1 次提交

add hint on after_action filters · 2b3a3738

由 Frederik Wille 提交于 3月 29, 2017

Adds a hint that ``after_action``-callbacks are not executed when an
exception was raised in the rest of the request cycle. The
``before_action`` section mentions "If there are additional filters
scheduled to run after that filter, they are also cancelled." but this
is IMO not sufficient.

2b3a3738

23 11月, 2016 1 次提交

Add link to API documentation · 30433253

由 Kirill Zhuravlov 提交于 11月 23, 2016

Add a link to http://api.rubyonrails.org/classes/ActionController.html in the beginning of an article.

30433253

12 11月, 2016 1 次提交
- X
  
  adds support for arbitrary hashes in strong parameters · e86524c0
  由 Xavier Noria 提交于 11月 08, 2016
  
  e86524c0
17 7月, 2016 1 次提交

Setup default session store internally, no longer through an application initializer · e5a6f7ee

由 Prathamesh Sonpatki 提交于 7月 17, 2016

- By default the session store will be set to cookie store with
  application name as session key.
- Older apps are not affected as they will have the session store
  initializer generated by Rails in older versions, and Rails will not
  overwrite the session store if it is already set or disabled.
- But new apps will not have the initializer, instead the session store
  will be set to cookie store by default.
- Based on comment by DHH here - https://github.com/rails/rails/issues/25181#issuecomment-222312764.

e5a6f7ee

14 6月, 2016 1 次提交
- J
  
  Add Rack doc link for request and response object [ci skip] · bce690a4
  由 Jun Wan Goh 提交于 6月 14, 2016
  
  bce690a4
28 5月, 2016 1 次提交
- Y
  
  fix incorrect class name [ci skip] · 5e87e1fa
  由 yuuji.yaginuma 提交于 5月 28, 2016
  
  5e87e1fa
21 5月, 2016 1 次提交
- J
  Small grammar fixes for Action Controller Overview · 9c0791b0
  由 Jon Moss 提交于 5月 21, 2016
```
[ci skip]
```
  9c0791b0
31 3月, 2016 1 次提交
- A
  
  [ci skip] Parameter filter performs regular expression partial matching · 02ead643
  由 Andrew Babichev 提交于 3月 31, 2016
  
  02ead643
15 3月, 2016 1 次提交
- S
  
  Update action_controller_overview.md · 3c688c73
  由 Sandeep Navghane 提交于 3月 15, 2016
  
  3c688c73
20 1月, 2016 1 次提交
- G
  [ci skip] update guide for Puma web server instead of Webrick · 14746191
  由 Gaurav Sharma 提交于 1月 20, 2016
```
Rails 5.0 default server puma web server. following commit - https://github.com/rails/rails/commit/ae48ea69
```
  14746191
12 1月, 2016 1 次提交
- M
  Add a note on ActionController guide about 404 · 43800057
  由 Mauro George 提交于 7月 02, 2015
```
[ci skip]
```
  43800057
18 12月, 2015 1 次提交
- D
  Refer to rails command instead of rake in a bunch of places · ea4f0e2b
  由 David Heinemeier Hansson 提交于 12月 18, 2015
```
Still more to do. Please assist!
```
  ea4f0e2b
17 12月, 2015 1 次提交

Add `redirect_back` for safer referrer redirects · 13fd5586

由 Derek Prior 提交于 12月 15, 2015

`redirect_to :back` is a somewhat common pattern in Rails apps, but it
is not completely safe. There are a number of circumstances where HTTP
referrer information is not available on the request. This happens often
with bot traffic and occasionally to user traffic depending on browser
security settings.

When there is no referrer available on the request, `redirect_to :back`
will raise `ActionController::RedirectBackError`, usually resulting in
an application error.

`redirect_back` takes a required `fallback_location` keyword argument
that specifies the redirect when the referrer information is not
available.  This prevents 500 errors caused by
`ActionController::RedirectBackError`.

13fd5586

18 9月, 2015 1 次提交
- B
  Change AbstractRequest to ActionDispatch::Request · 119f38f7
  由 Bradley D 提交于 9月 17, 2015
```
AbstractRequest has been deprecated, updating to refer to ActionDispatch::Request instead.

[ci skip]
```
  119f38f7
11 9月, 2015 1 次提交
- L
  
  Remove RHTML reference in Action Controller docs [ci skip] · 0ab07181
  由 Lachlan Campbell 提交于 9月 10, 2015
  
  0ab07181
02 9月, 2015 1 次提交
- K
  typo "description not clear corrected with proper description and... · cf82b2e0
  由 kishore-mohan 提交于 9月 01, 2015
```
typo "description not clear corrected with proper description and action_controller_overview file Rails' ->  Rails" [ci skip]
```
  cf82b2e0
30 8月, 2015 1 次提交
- Y
  
  fix typo in method name [ci skip] · 341151da
  由 yuuji.yaginuma 提交于 8月 30, 2015
  
  341151da
23 8月, 2015 1 次提交
- S
  Remove a link to the site that seems to be gone. [ci skip] · 10c73386
  由 shunsukeaida 提交于 8月 23, 2015
```
Followup to #20637.
```
  10c73386
28 6月, 2015 1 次提交
- Y
  
  [ci skip] Fix action_controller_overview · d9212f64
  由 yui-knk 提交于 6月 28, 2015
  
  d9212f64
16 6月, 2015 1 次提交
- X
  
  document that default_url_options is cached per request [ci skip] · c865b829
  由 Xavier Noria 提交于 6月 15, 2015
  
  c865b829
05 5月, 2015 1 次提交
- A
  
  Tiny grammar correction in documentation [ci skip] · 72c5b517
  由 Ankit gupta 提交于 5月 05, 2015
  
  72c5b517
10 4月, 2015 2 次提交
- Y
  
  [ci skip] Wrap with double quotation · fdcc71d0
  由 yui-knk 提交于 4月 10, 2015
  
  fdcc71d0
- Y
  
  [ci skip] Downcases filter names · e9df1843
  由 yui-knk 提交于 4月 10, 2015
  
  e9df1843
12 3月, 2015 1 次提交
- A
  
  Edits for grammar and clarity, with help from georgeclaghorn and robin850. · 54bc2de7
  由 Andrew Cantino 提交于 1月 11, 2015
  
  54bc2de7
13 2月, 2015 1 次提交
- Y
  
  [ci skip] escape under score · 6b4c5aeb
  由 yui-knk 提交于 2月 13, 2015
  
  6b4c5aeb
14 1月, 2015 1 次提交
- V
  - Changed `IN` to `ON` in markdown renderer condition · 5cfaf5a4
  由 Vipul A M 提交于 1月 14, 2015
```
- Changed `IN` to `ON` in all note sentences in guides.
```
  5cfaf5a4