This is a partial revert of #41083.
`puma.rb` may be updated by users, but Rails has improved `puma.rb` sometimes.
For example, 06d614ada9 and f719787c58.
To allow users to know those improvements, I think we should update
`puma.rb` by `app:update`.
The [deprecated secrets removal][1] ended up removing a bit of
non-deprecated functionality related to config.secret_key_base:
- the original implementation prioritized the value of
config.secret_key_base over other sources in all environments
- if unset, the value of config.secret_key_base would be updated to
whichever fallback value was found
The new implementation only sets config.secret_key_base to a fallback
value when Rails.env.local?, and never considers it at all in
production.
This commit aims to restore this missing functionality as well as
simplify the implementation:
- Rails.application.secret_key_base now always delegates to
config.secret_key_base (like the pre-secret-removal implementation)
- secret_key_base validation was moved from the reader to the writer
- config.secret_key_base now handles setting itself to a fallback value
when unset
- In addition, generate_local_secret was simplified because it
previously did 3 things: file manipulation, setting
config.secret_key_base, and returning a value. Now it only creates the
file if necessary and returns the value stored in it
The new implementation has an additional benefit, which is that manually
set config.secret_key_base values are now validated, whereas previously
only fallback values were validated.
[1]: 0c76f17f2d
Co-authored-by: Petrik <petrik@deheus.net>
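An added illustration of the behaviour this message describes (validation in the writer, explicit value always wins, fallback resolved and stored through the writer). It is not Rails' code; `SecretConfig`, its shortened fallback chain (ENV then a local secret file) and the `local:` flag standing in for `Rails.env.local?` are assumptions.

```ruby
require "securerandom"
require "tmpdir"

# Illustrative stand-in for config.secret_key_base (not Rails' code); the
# fallback chain is shortened to ENV["SECRET_KEY_BASE"] and a local secret file.
class SecretConfig
  def initialize(local:, env:, secret_file: nil)
    @local = local            # stands in for Rails.env.local?
    @env = env                # a Hash here, ENV in a real app
    @secret_file = secret_file
    @secret_key_base = nil
  end

  # Validation lives in the writer, so manual values are checked too.
  def secret_key_base=(value)
    unless value.is_a?(String) && !value.empty?
      raise ArgumentError, "secret_key_base must be a non-empty String"
    end
    @secret_key_base = value
  end

  # An explicitly configured value always wins; when unset, the config
  # resolves a fallback and stores it through the validating writer.
  def secret_key_base
    self.secret_key_base = fallback_secret_key_base if @secret_key_base.nil?
    @secret_key_base
  end

  private

  # Production with nothing configured yields nil, which the writer rejects.
  def fallback_secret_key_base
    @env["SECRET_KEY_BASE"] || (@local ? generate_local_secret : nil)
  end

  # Like the simplified generate_local_secret: only creates the file if it
  # is missing and returns its contents; it never touches the config.
  def generate_local_secret
    File.write(@secret_file, SecureRandom.hex(64)) unless File.exist?(@secret_file)
    File.read(@secret_file).strip
  end
end

# Two local configs sharing one secret file resolve the same generated value.
def local_fallback_demo(dir)
  path = File.join(dir, "local_secret.txt")
  first = SecretConfig.new(local: true, env: {}, secret_file: path).secret_key_base
  second = SecretConfig.new(local: true, env: {}, secret_file: path).secret_key_base
  [first, second]
end
```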
Review and improve Action View Overview guide. [ci-skip]
* Samples that use Proc.new {} can likely be simplified to just use proc {}
* Link to the validations guide where we mention it under conditional callbacks
* after_find callbacks are also triggered by a few other methods: take, sole, find_by!
* We could potentially add some more examples on different types of callbacks that aren't there.
* Updated some sections for clarity
Co-authored-by: Petrik de Heus <petrik@deheus.net>
Co-authored-by: Carlos Antonio da Silva <carlosantoniodasilva@gmail.com>
Co-authored-by: hatsu <hajiwata0308@gmail.com>
Previously, if `assert_difference` called with a proc failed, the inspect
output of the proc object was shown. This is not helpful for identifying
what went wrong.
With this commit we leverage the experimental
`RubyVM::AbstractSyntaxTree` api of MRI to print the source code of the
proc that was passed to `assert_difference`. On all other platforms the
behavior stays the same.
The same applies to `assert_changes`.
Add examples and explain that RecordNotDestroyed is triggered by throwing
:abort in callbacks.
Co-authored-by: Carlos Antonio da Silva <carlosantoniodasilva@gmail.com>
Improve RTL language support, specifically focused on Arabic (MSA), Farsi, and Hebrew languages, including custom fonts for those languages, a javascript to detect auto-translation and shift the dir attribute, and other cleanup based on volunteer feedback.
Co-authored-by: Carlos Antonio da Silva <carlosantoniodasilva@gmail.com>
As of Ruby 2.6, ::Time supports rich timezone objects and expects them
to follow a similar API to tzinfo. Mostly we already do this with
ActiveSupport::TimeZone, delegating to the underlying tzinfo object,
except we were missing the API to display the timezone's name.
Calling strftime with "%Z" will try the following on the timezone:
* zone.abbr(time)
* zone.strftime("%Z", time)
* zone.name
Because we only implemented name, a ::Time created with an
ActiveSupport::TimeZone would "abbreviate" awkwardly to the full tz
identifier (like "12:34:00 America/Vancouver" instead of "12:34:00
PDT"). This commit implements abbr to make these Times format the same
way as TimeWithZone.
Co-authored-by: Jason Kim <jasonkim@github.com>
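An added plain-Ruby illustration of the `%Z` lookup order listed above (it is not Rails code and uses no ActiveSupport). `NameOnlyZone`, `AbbrZone` and the fixed UTC-7 offset are constructed for the example: the zone that only answers `name` formats to the full identifier, while the one that also answers `abbr(time)` formats to the abbreviation.

```ruby
# Minimal timezone object accepted by ::Time (Ruby >= 2.6): it must answer
# utc_to_local and local_to_utc. This one only exposes +name+, so "%Z"
# falls through to the full identifier.
class NameOnlyZone
  attr_reader :name

  def initialize(name, utc_offset_seconds)
    @name = name
    @offset = utc_offset_seconds
  end

  # +t+ is a Time-like object (Time::tm); return a Time-like in local time.
  def utc_to_local(t)
    Time.utc(t.year, t.mon, t.mday, t.hour, t.min, t.sec) + @offset
  end

  def local_to_utc(t)
    Time.utc(t.year, t.mon, t.mday, t.hour, t.min, t.sec) - @offset
  end
end

# Same zone, but also answering abbr(time), which is the first thing "%Z" tries.
class AbbrZone < NameOnlyZone
  def initialize(name, abbr, utc_offset_seconds)
    super(name, utc_offset_seconds)
    @abbr = abbr
  end

  def abbr(_time)
    @abbr
  end
end

PDT_OFFSET = -7 * 3600 # constructed: Vancouver in summer is UTC-7

def format_with(zone)
  Time.new(2024, 6, 1, 12, 34, 0, zone).strftime("%H:%M:%S %Z")
end

# Without abbr, the awkward "12:34:00 America/Vancouver" from the message above.
def name_only_result
  format_with(NameOnlyZone.new("America/Vancouver", PDT_OFFSET))
end

# With abbr, the expected "12:34:00 PDT".
def abbr_result
  format_with(AbbrZone.new("America/Vancouver", "PDT", PDT_OFFSET))
end
```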
This is getting the same treatment as `base64`, `mutex_m`, etc.
In Ruby 3.4 it will start to warn: d7e558e3c4
Remove require from two files that don't seem to need it
And stop exposing the capybara server port to all interfaces.
We were using this just to make sure the selenium container can access
the capybara server but it can with the default bridge network.
[CVE-2024-32464]
Instances of ActionText::Attachable::ContentAttachment included
within a rich_text_area tag could potentially contain unsanitized
HTML. This could lead to a potential cross site scripting issue
within the Trix editor.
This change enforces existing sanitization routines on
ActionText::Attachable::ContentAttachment attachments.
[CVE-2024-28103]
The application-configurable Permissions-Policy is only
served on responses with an HTML-related Content-Type.
This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)
Executes the first routes reload in middleware, or when the route set
url_helpers is called. Previously, this was executed unconditionally on
boot, which can slow down boot time unnecessarily for larger apps with
lots of routes.