Rails Ruby on Rails

Rails team,

Thank you for your product and your time. If I may I'd like to submit a bug I came across with Rails 2.0.2 over the last day or so working with it.

This bug is presently described (as of this writing on 5/8/2008) at http://justbarebones.blogspot.com/2007_08_12_archive.html

It's still present as of Rails 2.0.2

The environment is a remote rails install, being accessed from another computer.

An example could be setting up Rails on a *nix box (such as an HPUX based machine) and accessing it from a Windows-based machine.

The problem seems to occur when accessing the properties URL linked to from the default front page:

http://:3000/rails/info/properties

The following message is received:

"For security purposes, this information is only available to local requests."

That is correct behaviour for a production machine, however when server is in development mode and the following environment variable is set in development.rb:

config.action_controller.consider_all_requests_local = true

The rails/info/properties page probably should respond and act as if the request is coming from a local machine. As of Rails 2.0.2 it presently does not.

Now if this is by design, even in the development mode, one might want to reconsider, because of the case where someone sets up a development server on a remote machine that there is no graphical console access to. It would be good to enforce consider_all_requests_local across all pages in that case.

The bug seems to be a minor oversight in the file:

builtin/rails_info/rails/info_controller.rb:

Which says (on line 3):

if local_request?

(which only checks for 127.0.0.1 origination)

To enforce consider_all_requests_local, it should say (on line 3):

if consider_all_requests_local || local_request?

that would mirror actionpack-2.0.2/lib/action_controller/rescue.rb, Line 122 (incidentally, it seems to be the same file where the method local_request? is defined).

--Matt