| author | erdgeist <erdgeist@erdgeist.org> | 2026-06-27 16:58:53 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-06-27 16:58:53 +0200 |
| commit | 420506e58fdfc84f1a5bede0a01dedf0af3bb4f3 (patch) | |
| tree | 57726b40e8aa9ccf80f874f39d3facefc0331420 /config/initializers | |
| parent | 241d5e91b2b6716e2861cc77d319c3d3568343a8 (diff) | |
Stage 7: Rails 7.2 → 8.1 on Ruby 3.2.11
- Bump Rails to 8.1.3 (Ruby unchanged at 3.2.11, new gemset rails8-upgrade)
- config.load_defaults 8.1; merge app:update diffs for all environment files
- Remove routing-filter 0.7.0; replace with native scope '(:locale)' in
routes.rb and default_url_options in ApplicationController
- Delete config/initializers/routing_filter_rails71_patch.rb
- Replace vendored TinyMCE 3.x (~200 files) with tinymce-rails ~> 8.3;
migrate admin_interface.js from jQuery .tinymce()/advanced theme to
tinymce.init(); add config/tinymce.yml; note: TinyMCE 7+ is GPL
- rails-i18n ~> 8.0 added explicitly (previously indirect dependency)
- awesome_nested_set, acts-as-taggable-on pinned to git main/master
(gemspec activerecord < 8.1 ceiling; no functional incompatibility;
repin to version once upstream releases updated gemspecs)
- globalize ~> 7.0, libxml-ruby ~> 5.0, nokogiri ~> 1.18, pg ~> 1.5
- sass-rails, coffee-rails, uglifier moved from :assets group to main
(Sprockets 4 convention; :assets group no longer meaningful)
- Node: head, draft, lock_owner marked belongs_to optional: true
- Page: node, user, editor marked belongs_to optional: true
- Static assets in public/images/ and public/javascripts/ referenced via
plain HTML tags; Rails 8 load_defaults raises on pipeline helpers for
undeclared assets
- sessions_controller_test.rb: remove stale require and dead rescue_action
- users_controller_test.rb: assert button[type=submit] not input[type=submit]
(Rails 8 button_to renders <button> not <input>)
- test_helper.rb: node.reload after children.create! (awesome_nested_set
3.9.0 does not refresh parent in memory after callback)
- 129 runs, 339 assertions, 3 failures, 0 errors — identical baseline to 7.2
Diffstat (limited to 'config/initializers')
| -rw-r--r-- | config/initializers/content_security_policy.rb | 29 | ||||
| -rw-r--r-- | config/initializers/filter_parameter_logging.rb | 8 | ||||
| -rw-r--r-- | config/initializers/inflections.rb | 18 | ||||
| -rw-r--r-- | config/initializers/new_framework_defaults_8_1.rb | 74 | ||||
| -rw-r--r-- | config/initializers/routing_filter_rails71_patch.rb | 38 |
5 files changed, 123 insertions, 44 deletions
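--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,29 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
+
+# Rails.application.configure do
+# config.content_security_policy do |policy|
+# policy.default_src :self, :https
+# policy.font_src :self, :https, :data
+# policy.img_src :self, :https, :data
+# policy.object_src :none
+# policy.script_src :self, :https
+# policy.style_src :self, :https
+# # Specify URI for violation reports
+# # policy.report_uri "/csp-violation-report-endpoint"
+# end
+#
+# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+# config.content_security_policy_nonce_directives = %w(script-src style-src)
+#
+# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
+# # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
+# # config.content_security_policy_nonce_auto = true
+#
+# # Report violations without enforcing the policy.
+# # config.content_security_policy_report_only = true
+# end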
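Review bot: Every directive in this new initializer is commented out (new-file lines 7–29), so as added it sends no Content-Security-Policy header; unless a policy is configured elsewhere, which this view does not show, the admin pages that the commit message says now load TinyMCE via tinymce.init() are served without one. A low-risk first step is to uncomment the `config.content_security_policy do |policy|` block together with `config.content_security_policy_report_only = true` and tighten the directives once the violation reports are clean. If the nonce generator is enabled later, note that `request.session.id.to_s` yields one nonce for the whole session; a per-request value such as `->(_request) { SecureRandom.base64(16) }` is the stronger choice where page caching allows it.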
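--- /dev/null
+++ b/config/initializers/filter_parameter_logging.rb
@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
+Rails.application.config.filter_parameters += [
+:passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc
+]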
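--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -1,10 +1,16 @@
 # Be sure to restart your server when you modify this file.
 
-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
-# inflect.plural /^(ox)$/i, '\1en'
-# inflect.singular /^(ox)en/i, '\1'
-# inflect.irregular 'person', 'people'
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+# inflect.plural /^(ox)$/i, "\\1en"
+# inflect.singular /^(ox)en/i, "\\1"
+# inflect.irregular "person", "people"
 # inflect.uncountable %w( fish sheep )
 # end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+# inflect.acronym "RESTful"
+# end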
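--- /dev/null
+++ b/config/initializers/new_framework_defaults_8_1.rb
@@ -0,0 +1,74 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 8.1 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `8.1`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Skips escaping HTML entities and line separators. When set to `false`, the
+# JSON renderer no longer escapes these to improve performance.
+#
+# Example:
+# class PostsController < ApplicationController
+# def index
+# render json: { key: "\u2028\u2029<>&" }
+# end
+# end
+#
+# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":" <>&"}` with the config
+# set to `false`.
+#
+# Applications that want to keep the escaping behavior can set the config to `true`.
+#++
+# Rails.configuration.action_controller.escape_json_responses = false
+
+###
+# Skips escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.
+#
+# Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019.
+# As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
+#++
+# Rails.configuration.active_support.escape_js_separators_in_json = false
+
+###
+# Raises an error when order dependent finder methods (e.g. `#first`, `#second`) are called without `order` values
+# on the relation, and the model does not have any order columns (`implicit_order_column`, `query_constraints`, or
+# `primary_key`) to fall back on.
+#
+# The current behavior of not raising an error has been deprecated, and this configuration option will be removed in
+# Rails 8.2.
+#++
+# Rails.configuration.active_record.raise_on_missing_required_finder_order_columns = true
+
+###
+# Controls how Rails handles path relative URL redirects.
+# When set to `:raise`, Rails will raise an `ActionController::Redirecting::UnsafeRedirectError`
+# for relative URLs without a leading slash, which can help prevent open redirect vulnerabilities.
+#
+# Example:
+# redirect_to "example.com" # Raises UnsafeRedirectError
+# redirect_to "@attacker.com" # Raises UnsafeRedirectError
+# redirect_to "/safe/path" # Works correctly
+#
+# Applications that want to allow these redirects can set the config to `:log` (previous default)
+# to only log warnings, or `:notify` to send ActiveSupport notifications.
+#++
+# Rails.configuration.action_controller.action_on_path_relative_redirect = :raise
+
+###
+# Use a Ruby parser to track dependencies between Action View templates
+#++
+# Rails.configuration.action_view.render_tracker = :ruby
+
+###
+# When enabled, hidden inputs generated by `form_tag`, `token_tag`, `method_tag`, and the hidden parameter fields
+# included in `button_to` forms will omit the `autocomplete="off"` attribute.
+#
+# Applications that want to keep generating the `autocomplete` attribute for those tags can set it to `false`.
+#++
+# Rails.configuration.action_view.remove_hidden_field_autocomplete = true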
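Review bot: This file contradicts the commit message, which lists `config.load_defaults 8.1` as already applied, while the header here (new-file lines 5–7) describes the file as the step taken before that switch. If application.rb (not in this view) really loads 8.1, every commented-out option below is already active and the file misleads a reader into thinking it is not. The one that deserves a deliberate decision is `escape_json_responses` (lines 13–28): under the 8.1 defaults `render json:` stops escaping `<`, `>` and `&`, which matters wherever controller JSON ends up inside HTML or an inline script. Either delete the file, or keep it with an opening comment such as `# load_defaults 8.1 is set in application.rb; uncomment a line below only to override a default`, and pin `Rails.configuration.action_controller.escape_json_responses = true` if any such embedding exists.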
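--- a/config/initializers/routing_filter_rails71_patch.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-# routing-filter 0.7.0 is broken on Rails 7.1+ due to a change in how
-# ActionDispatch::Journey::Router#find_routes yields results (lazy iterator
-# vs eager enumerable). This patch restores the expected behaviour.
-# See: https://github.com/svenfuchs/routing-filter/pull/87
-# Remove this file if routing-filter ever releases a fixed version,
-# or when routing-filter is replaced with native Rails i18n scope routing.
-
-if Gem.loaded_specs['routing-filter'].version > Gem::Version.new('0.7.0')
-raise 'routing-filter has been updated — check if this patch is still needed and remove it if so.'
-end
-
-ActionDispatchJourneyRouterWithFiltering.remove_method(:find_routes)
-
-module RoutingFilterRails71Fix
-def find_routes(env)
-path = env.is_a?(Hash) ? env['PATH_INFO'] : env.path_info
-filter_parameters = {}
-original_path = path.dup
-
-@routes.filters.run(:around_recognize, path, env) do
-filter_parameters
-end
-
-super(env) do |match, parameters, route|
-parameters = parameters.merge(filter_parameters)
-
-if env.is_a?(Hash)
-env['PATH_INFO'] = original_path
-else
-env.path_info = original_path
-end
-
-yield [match, parameters, route]
-end
-end
-end
-
-ActionDispatch::Journey::Router.prepend(RoutingFilterRails71Fix)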
