Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header: X-CSRF-Token: ... This fixes CVE-2011-0447.
This reverts commit 8378a44.
This reverts commit b5cf2b4.
… second" This reverts commit a0c761d.
This can provide a significant performance boost during testing, by preventing the GC from running too frequently.
This prevents test state from accumulating, resulting in leaked objects and slow tests due to overactive GC.
… with attachments
…iation record is saved then in memory record attributes should be saved" This reverts commit 12bbc34. It caused errors when combined with attr_accessible, piggy back attributes fetched by :select, etc. Leaving it in 3.0, but removing from 2.3.
…ets on associations, as that makes destroy_all destroy any created records that don't match the scope destroy_all is called on. Signed-off-by: Michael Koziarski <email@example.com>
…ad of manually fiddling with the response headers [#4941 state:resolved] Signed-off-by: José Valim <firstname.lastname@example.org>
…n array, rather than as newline separated strings" This reverts commit 36b91e3. Conflicts: actionpack/test/activerecord/active_record_store_test.rb
… local_assigns [#1671 state:resolved]
… rather than as newline separated strings
Starting in 2.3.8 we stopped yielding to blocks passed in to find_or_create_by_x methods. This patch restores that behavior and adds a case to test it.
There was a bug with find_or_create_by_x introduced in 2.3.9 - if you included extra parameters for the create() then those parameters would confuse the find() so you'd never get to the create(). This patch filters the parameters so we only pass to find() the subset that it's interested in. The code for the filtering was modelled on the code in base.rb's method_missing().
…in the test name
…h build method [#3472 state:resolved]