actionpack 6.0.0

data/lib/action_controller/metal/content_security_policy.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module ContentSecurityPolicy
+    # TODO: Documentation
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers
+    include AbstractController::Callbacks
+
+    included do
+      helper_method :content_security_policy?
+      helper_method :content_security_policy_nonce
+    end
+
+    module ClassMethods
+      def content_security_policy(enabled = true, **options, &block)
+        before_action(options) do
+          if block_given?
+            policy = current_content_security_policy
+            yield policy
+            request.content_security_policy = policy
+          end
+
+          unless enabled
+            request.content_security_policy = nil
+          end
+        end
+      end
+
+      def content_security_policy_report_only(report_only = true, **options)
+        before_action(options) do
+          request.content_security_policy_report_only = report_only
+        end
+      end
+    end
+
+    private
+
+      def content_security_policy?
+        request.content_security_policy
+      end
+
+      def content_security_policy_nonce
+        request.content_security_policy_nonce
+      end
+
+      def current_content_security_policy
+        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+      end
+  end
+end

data/lib/action_controller/metal/cookies.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module Cookies
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :cookies if defined?(helper_method)
+    end
+
+    private
+      def cookies
+        request.cookie_jar
+      end
+  end
+end

data/lib/action_controller/metal/data_streaming.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "action_controller/metal/exceptions"
+require "action_dispatch/http/content_disposition"
+
+module ActionController #:nodoc:
+  # Methods for sending arbitrary data and for streaming files to the browser,
+  # instead of rendering.
+  module DataStreaming
+    extend ActiveSupport::Concern
+
+    include ActionController::Rendering
+
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" #:nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment" #:nodoc:
+
+    private
+      # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
+      # via the Rack::Sendfile middleware. The header to use is set via
+      # +config.action_dispatch.x_sendfile_header+.
+      # Your server can also configure this for you by setting the X-Sendfile-Type header.
+      #
+      # Be careful to sanitize the path parameter if it is coming from a web
+      # page. <tt>send_file(params[:path])</tt> allows a malicious user to
+      # download any file on your server.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      #   Defaults to <tt>File.basename(path)</tt>.
+      # * <tt>:type</tt> - specifies an HTTP content type.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
+      #   the URL, which is necessary for i18n filenames on certain browsers
+      #   (setting <tt>:filename</tt> overrides this option).
+      #
+      # The default Content-Type and Content-Disposition headers are
+      # set to download arbitrary binary files in as many browsers as
+      # possible. IE versions 4, 5, 5.5, and 6 are all known to have
+      # a variety of quirks (especially when downloading over SSL).
+      #
+      # Simple download:
+      #
+      #   send_file '/path/to.zip'
+      #
+      # Show a JPEG in the browser:
+      #
+      #   send_file '/path/to.jpeg', type: 'image/jpeg', disposition: 'inline'
+      #
+      # Show a 404 page in the browser:
+      #
+      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', status: 404
+      #
+      # Read about the other Content-* HTTP headers if you'd like to
+      # provide the user with more information (such as Content-Description) in
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      #
+      # Also be aware that the document may be cached by proxies and browsers.
+      # The Pragma and Cache-Control headers declare how the file may be cached
+      # by intermediaries. They default to require clients to validate with
+      # the server before releasing cached responses. See
+      # https://www.mnot.net/cache_docs/ for an overview of web caching and
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+      # for the Cache-Control header spec.
+      def send_file(path, options = {}) #:doc:
+        raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
+
+        options[:filename] ||= File.basename(path) unless options[:url_based_filename]
+        send_file_headers! options
+
+        self.status = options[:status] || 200
+        self.content_type = options[:content_type] if options.key?(:content_type)
+        response.send_file path
+      end
+
+      # Sends the given binary data to the browser. This method is similar to
+      # <tt>render plain: data</tt>, but also allows you to specify whether
+      # the browser should display the response as a file attachment (i.e. in a
+      # download dialog) or as inline data. You may also set the content type,
+      # the file name, and other things.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
+      #
+      # Generic data download:
+      #
+      #   send_data buffer
+      #
+      # Download a dynamically-generated tarball:
+      #
+      #   send_data generate_tgz('dir'), filename: 'dir.tgz'
+      #
+      # Display an image Active Record in the browser:
+      #
+      #   send_data image.data, type: image.content_type, disposition: 'inline'
+      #
+      # See +send_file+ for more information on HTTP Content-* headers and caching.
+      def send_data(data, options = {}) #:doc:
+        send_file_headers! options
+        render options.slice(:status, :content_type).merge(body: data)
+      end
+
+      def send_file_headers!(options)
+        type_provided = options.has_key?(:type)
+
+        content_type = options.fetch(:type, DEFAULT_SEND_FILE_TYPE)
+        self.content_type = content_type
+        response.sending_file = true
+
+        raise ArgumentError, ":type option required" if content_type.nil?
+
+        if content_type.is_a?(Symbol)
+          extension = Mime[content_type]
+          raise ArgumentError, "Unknown MIME type #{options[:type]}" unless extension
+          self.content_type = extension
+        else
+          if !type_provided && options[:filename]
+            # If type wasn't provided, try guessing from file extension.
+            content_type = Mime::Type.lookup_by_extension(File.extname(options[:filename]).downcase.delete(".")) || content_type
+          end
+          self.content_type = content_type
+        end
+
+        disposition = options.fetch(:disposition, DEFAULT_SEND_FILE_DISPOSITION)
+        if disposition
+          headers["Content-Disposition"] = ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: options[:filename])
+        end
+
+        headers["Content-Transfer-Encoding"] = "binary"
+
+        # Fix a problem with IE 6.0 on opening downloaded files:
+        # If Cache-Control: no-cache is set (which Rails does by default),
+        # IE removes the file it just downloaded from its cache immediately
+        # after it displays the "open/save" dialog, which means that if you
+        # hit "open" the file isn't there anymore when the application that
+        # is called for handling the download is run, so let's workaround that
+        response.cache_control[:public] ||= false
+      end
+  end
+end

data/lib/action_controller/metal/default_headers.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ActionController
+  # Allows configuring default headers that will be automatically merged into
+  # each response.
+  module DefaultHeaders
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def make_response!(request)
+        ActionDispatch::Response.create.tap do |res|
+          res.request = request
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/metal/etag_with_flash.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module ActionController
+  # When you're using the flash, it's generally used as a conditional on the view.
+  # This means the content of the view depends on the flash. Which in turn means
+  # that the ETag for a response should be computed with the content of the flash
+  # in mind. This does that by including the content of the flash as a component
+  # in the ETag that's generated for a response.
+  module EtagWithFlash
+    extend ActiveSupport::Concern
+
+    include ActionController::ConditionalGet
+
+    included do
+      etag { flash unless flash.empty? }
+    end
+  end
+end

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module ActionController
+  # When our views change, they should bubble up into HTTP cache freshness
+  # and bust browser caches. So the template digest for the current action
+  # is automatically included in the ETag.
+  #
+  # Enabled by default for apps that use Action View. Disable by setting
+  #
+  #   config.action_controller.etag_with_template_digest = false
+  #
+  # Override the template to digest by passing +:template+ to +fresh_when+
+  # and +stale?+ calls. For example:
+  #
+  #   # We're going to render widgets/show, not posts/show
+  #   fresh_when @post, template: 'widgets/show'
+  #
+  #   # We're not going to render a template, so omit it from the ETag.
+  #   fresh_when @post, template: false
+  #
+  module EtagWithTemplateDigest
+    extend ActiveSupport::Concern
+
+    include ActionController::ConditionalGet
+
+    included do
+      class_attribute :etag_with_template_digest, default: true
+
+      ActiveSupport.on_load :action_view, yield: true do
+        etag do |options|
+          determine_template_etag(options) if etag_with_template_digest
+        end
+      end
+    end
+
+    private
+      def determine_template_etag(options)
+        if template = pick_template_for_etag(options)
+          lookup_and_digest_template(template)
+        end
+      end
+
+      # Pick the template digest to include in the ETag. If the +:template+ option
+      # is present, use the named template. If +:template+ is +nil+ or absent, use
+      # the default controller/action template. If +:template+ is false, omit the
+      # template digest from the ETag.
+      def pick_template_for_etag(options)
+        unless options[:template] == false
+          options[:template] || "#{controller_path}/#{action_name}"
+        end
+      end
+
+      def lookup_and_digest_template(template)
+        ActionView::Digestor.digest name: template, format: nil, finder: lookup_context
+      end
+  end
+end

data/lib/action_controller/metal/exceptions.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module ActionController
+  class ActionControllerError < StandardError #:nodoc:
+  end
+
+  class BadRequest < ActionControllerError #:nodoc:
+    def initialize(msg = nil)
+      super(msg)
+      set_backtrace $!.backtrace if $!
+    end
+  end
+
+  class RenderError < ActionControllerError #:nodoc:
+  end
+
+  class RoutingError < ActionControllerError #:nodoc:
+    attr_reader :failures
+    def initialize(message, failures = [])
+      super(message)
+      @failures = failures
+    end
+  end
+
+  class UrlGenerationError < ActionControllerError #:nodoc:
+  end
+
+  class MethodNotAllowed < ActionControllerError #:nodoc:
+    def initialize(*allowed_methods)
+      super("Only #{allowed_methods.to_sentence(locale: :en)} requests are allowed.")
+    end
+  end
+
+  class NotImplemented < MethodNotAllowed #:nodoc:
+  end
+
+  class MissingFile < ActionControllerError #:nodoc:
+  end
+
+  class SessionOverflowError < ActionControllerError #:nodoc:
+    DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
+
+    def initialize(message = nil)
+      super(message || DEFAULT_MESSAGE)
+    end
+  end
+
+  class UnknownHttpMethod < ActionControllerError #:nodoc:
+  end
+
+  class UnknownFormat < ActionControllerError #:nodoc:
+  end
+
+  # Raised when a nested respond_to is triggered and the content types of each
+  # are incompatible. For example:
+  #
+  #  respond_to do |outer_type|
+  #    outer_type.js do
+  #      respond_to do |inner_type|
+  #        inner_type.html { render body: "HTML" }
+  #      end
+  #    end
+  #  end
+  class RespondToMismatchError < ActionControllerError
+    DEFAULT_MESSAGE = "respond_to was called multiple times and matched with conflicting formats in this action. Please note that you may only call respond_to and match on a single format per action."
+
+    def initialize(message = nil)
+      super(message || DEFAULT_MESSAGE)
+    end
+  end
+
+  class MissingExactTemplate < UnknownFormat #:nodoc:
+  end
+end

data/lib/action_controller/metal/flash.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module Flash
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_flash_types, instance_accessor: false, default: []
+
+      delegate :flash, to: :request
+      add_flash_types(:alert, :notice)
+    end
+
+    module ClassMethods
+      # Creates new flash types. You can pass as many types as you want to create
+      # flash types other than the default <tt>alert</tt> and <tt>notice</tt> in
+      # your controllers and views. For instance:
+      #
+      #   # in application_controller.rb
+      #   class ApplicationController < ActionController::Base
+      #     add_flash_types :warning
+      #   end
+      #
+      #   # in your controller
+      #   redirect_to user_path(@user), warning: "Incomplete profile"
+      #
+      #   # in your view
+      #   <%= warning %>
+      #
+      # This method will automatically define a new method for each of the given
+      # names, and it will be available in your views.
+      def add_flash_types(*types)
+        types.each do |type|
+          next if _flash_types.include?(type)
+
+          define_method(type) do
+            request.flash[type]
+          end
+          helper_method(type) if respond_to?(:helper_method)
+
+          self._flash_types += [type]
+        end
+      end
+    end
+
+    private
+      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
+        self.class._flash_types.each do |flash_type|
+          if type = response_options_and_flash.delete(flash_type)
+            flash[flash_type] = type
+          end
+        end
+
+        if other_flashes = response_options_and_flash.delete(:flash)
+          flash.update(other_flashes)
+        end
+
+        super(options, response_options_and_flash)
+      end
+  end
+end