actionpack 1.13.3 → 1.13.4

data/CHANGELOG

@@ -1,6 +1,48 @@
+*1.13.4* (October 4th, 2007)
+
+* Only accept session ids from cookies, prevents session fixation attacks.  [bradediger]
+
+* Change the resource seperator from ; to / change the generated routes to use the new-style named routes.  e.g.  new_group_user_path(@group) instead of group_new_user_path(@group). [pixeltrix]
+
+* Integration tests: introduce methods for other HTTP methods.  #6353 [caboose]
+
+* Improve performance of action caching. Closes #8231 [skaes]
+
+* Fix errors with around_filters which do not yield, restore 1.1 behaviour with after filters. Closes #8891 [skaes]
+
+  After filters will *no longer* be run if an around_filter fails to yield, users relying on
+  this behaviour are advised to put the code in question after a yield statement in an around filter.
+
+* Allow you to delete cookies with options. Closes #3685 [josh, Chris Wanstrath]
+
+* Deprecate pagination. Install the classic_pagination plugin for forward compatibility, or move to the superior will_paginate plugin.  #8157 [Mislav Marohnic]
+
+* Fix filtered parameter logging with nil parameter values.  #8422 [choonkeat]
+
+* Integration tests: alias xhr to xml_http_request and add a request_method argument instead of always using POST.  #7124 [Nik Wakelin, Francois Beausoleil, Wizard]
+
+* Document caches_action.  #5419 [Jarkko Laine]
+
+* observe_form always sends the serialized form.  #5271 [manfred, normelton@gmail.com]
+
+* Update UrlWriter to accept :anchor parameter. Closes #6771. [octopod]
+
+* Replace the current block/continuation filter chain handling by an implementation based on a simple loop.  Closes #8226 [Stefan Kaes]
+
+* Return the string representation from an Xml Builder when rendering a partial.  #5044 [tpope]
+
+* Cleaned up, corrected, and mildly expanded ActionPack documentation.  Closes #7190 [jeremymcanally]
+
+* Small collection of ActionController documentation cleanups.  Closes #7319 [jeremymcanally]
+
+* Performance: patch cgi/session/pstore to require digest/md5 once rather than per #initialize.  #7583 [Stefan Kaes]
+
+* Deprecation: verification with :redirect_to => :named_route shouldn't be deprecated.  #7525 [Justin French]
+
+
 *1.13.3* (March 12th, 2007)
 
-* Apply [5709] to stable.
+* Fix a bug in Routing where a parameter taken from the path of the current request could not be used as a query parameter for the next.  #6752 [Nicholas Seckar]
 
 * session_enabled? works with session :off.  #6680 [Catfish]
 
@@ -440,7 +482,7 @@
 
 * Avoid naming collision among compiled view methods. [Jeremy Kemper]
 
-* Fix CGI extensions when they expect string but get nil in Windows. Closes #5276 [mislav@nippur.irb.hr]
+* Fix CGI extensions when they expect string but get nil in Windows. Closes #5276 [Mislav Marohnic]
 
 * Determine the correct template_root for deeply nested components.  #2841 [s.brink@web.de]
 

data/Rakefile

@@ -75,7 +75,7 @@ spec = Gem::Specification.new do |s|
   s.has_rdoc = true
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 1.4.2' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 1.4.3' + PKG_BUILD)
 
   s.require_path = 'lib'
   s.autorequire = 'action_controller'

data/lib/action_controller/assertions/dom_assertions.rb

@@ -1,7 +1,7 @@
 module ActionController
   module Assertions
     module DomAssertions
-      # test 2 html strings to be equivalent, i.e. identical up to reordering of attributes
+      # Test two HTML strings for equivalency (e.g., identical up to reordering of attributes)
       def assert_dom_equal(expected, actual, message="")
         clean_backtrace do
           expected_dom = HTML::Document.new(expected).root
@@ -11,7 +11,7 @@ module ActionController
         end
       end
       
-      # negated form of +assert_dom_equivalent+
+      # The negated form of +assert_dom_equivalent+.
       def assert_dom_not_equal(expected, actual, message="")
         clean_backtrace do
           expected_dom = HTML::Document.new(expected).root

data/lib/action_controller/assertions/model_assertions.rb

@@ -1,7 +1,7 @@
 module ActionController
   module Assertions
     module ModelAssertions
-      # ensures that the passed record is valid by active record standards. returns the error messages if not
+      # Ensures that the passed record is valid by ActiveRecord standards and returns any error messages if it is not.
       def assert_valid(record)
         clean_backtrace do
           assert record.valid?, record.errors.full_messages.join("\n")

data/lib/action_controller/assertions/response_assertions.rb

@@ -120,6 +120,7 @@ module ActionController
       end
 
       private
+        # Recognizes the route for a given path.
         def recognized_request_for(path, request_method = nil)
           path = "/#{path}" unless path.first == '/'
 
@@ -132,6 +133,7 @@ module ActionController
           request
         end
 
+        # Proxy to to_param if the object will respond to it.
         def parameterize(value)
           value.respond_to?(:to_param) ? value.to_param : value
         end

data/lib/action_controller/assertions/routing_assertions.rb

@@ -82,6 +82,7 @@ module ActionController
       end
 
       private
+        # Recognizes the route for a given path.
         def recognized_request_for(path, request_method = nil)
           path = "/#{path}" unless path.first == '/'
 

data/lib/action_controller/base.rb

@@ -292,6 +292,10 @@ module ActionController #:nodoc:
     # Turn on +ignore_missing_templates+ if you want to unit test actions without making the associated templates.
     cattr_accessor :ignore_missing_templates
 
+    # Controls the resource action separator
+    @@resource_action_separator = "/"
+    cattr_accessor :resource_action_separator
+
     # Holds the request object that's primarily used to get environment variables through access like
     # <tt>request.env["REQUEST_URI"]</tt>.
     attr_internal :request
@@ -393,7 +397,8 @@ module ActionController #:nodoc:
             elsif value.is_a?(Hash)
               filtered_parameters[key] = filter_parameters(value)
             elsif block_given?
-              key, value = key.dup, value.dup
+              key = key.dup
+              value = value.dup if value
               yield key, value
               filtered_parameters[key] = value
             else
@@ -538,6 +543,7 @@ module ActionController #:nodoc:
         self.class.controller_path
       end
 
+      # Test whether the session is enabled for this request.
       def session_enabled?
         request.session_options && request.session_options[:disabled] != false
       end

data/lib/action_controller/caching.rb

@@ -1,5 +1,6 @@
 require 'fileutils'
 require 'uri'
+require 'set'
 
 module ActionController #:nodoc:
   # Caching is a cheap way of speeding up slow applications by keeping the result of calculations, renderings, and database calls
@@ -163,13 +164,24 @@ module ActionController #:nodoc:
     module Actions
       def self.included(base) #:nodoc:
         base.extend(ClassMethods)
-        base.send(:attr_accessor, :rendered_action_cache)
+        base.class_eval do
+          attr_accessor :rendered_action_cache, :action_cache_path
+          alias_method_chain :protected_instance_variables, :action_caching
+        end
       end
 
-      module ClassMethods #:nodoc:
+      def protected_instance_variables_with_action_caching
+        protected_instance_variables_without_action_caching + %w(@action_cache_path)
+      end
+
+      module ClassMethods
+        # Declares that +actions+ should be cached.
+        # See ActionController::Caching::Actions for details.
         def caches_action(*actions)
           return unless perform_caching
-          around_filter(ActionCacheFilter.new(*actions))
+          action_cache_filter = ActionCacheFilter.new(*actions)
+          before_filter action_cache_filter
+          after_filter action_cache_filter
         end
       end
 
@@ -185,70 +197,59 @@ module ActionController #:nodoc:
       end
 
       class ActionCacheFilter #:nodoc:
-        def initialize(*actions, &block)
-          @actions = actions
+        def initialize(*actions)
+          @actions = Set.new actions
         end
 
         def before(controller)
-          return unless @actions.include?(controller.action_name.intern)
-          action_cache_path = ActionCachePath.new(controller)
-          if cache = controller.read_fragment(action_cache_path.path)
+          return unless @actions.include?(controller.action_name.to_sym)
+          cache_path = ActionCachePath.new(controller, {})
+          if cache = controller.read_fragment(cache_path.path)
             controller.rendered_action_cache = true
-            set_content_type!(action_cache_path)
+            set_content_type!(controller, cache_path.extension)
             controller.send(:render_text, cache)
             false
+          else
+            controller.action_cache_path = cache_path
           end
         end
 
         def after(controller)
-          return if !@actions.include?(controller.action_name.intern) || controller.rendered_action_cache
-          controller.write_fragment(ActionCachePath.path_for(controller), controller.response.body)
+          return if !@actions.include?(controller.action_name.to_sym) || controller.rendered_action_cache
+          controller.write_fragment(controller.action_cache_path.path, controller.response.body)
         end
         
         private
-          
-          def set_content_type!(action_cache_path)
-            if extention = action_cache_path.extension
-              content_type = Mime::EXTENSION_LOOKUP[extention]
-              action_cache_path.controller.response.content_type = content_type.to_s
-            end
+          def set_content_type!(controller, extension)
+            controller.response.content_type = Mime::EXTENSION_LOOKUP[extension].to_s if extension
           end
           
       end
       
       class ActionCachePath
-        attr_reader :controller, :options
+        attr_reader :path, :extension
         
         class << self
-          def path_for(*args, &block)
-            new(*args).path
+          def path_for(controller, options)
+            new(controller, options).path
           end
         end
         
         def initialize(controller, options = {})
-          @controller = controller
-          @options    = options
-        end
-        
-        def path
-          return @path if @path
-          @path = controller.url_for(options).split('://').last
-          normalize!
-          add_extension!
-          URI.unescape(@path)
-        end
-        
-        def extension
-          @extension ||= extract_extension(controller.request.path)
+          @extension = extract_extension(controller.request.path)
+          path = controller.url_for(options).split('://').last
+          normalize!(path)
+          add_extension!(path, @extension)
+          @path = URI.unescape(path)
         end
         
         private
-          def normalize!
-            @path << 'index' if @path.last == '/'
+          def normalize!(path)
+            path << 'index' if path[-1] == ?/
           end
         
-          def add_extension!
-            @path << ".#{extension}" if extension
+          def add_extension!(path, extension)
+            path << ".#{extension}" if extension
           end
           
           def extract_extension(file_path)

data/lib/action_controller/cgi_ext/pstore_performance_fix.rb

@@ -0,0 +1,30 @@
+# CGI::Session::PStore.initialize requires 'digest/md5' on every call.
+# This makes sense when spawning processes per request, but is
+# unnecessarily expensive when serving requests from a long-lived
+# process.
+require 'cgi/session'
+require 'cgi/session/pstore'
+require 'digest/md5'
+
+class CGI::Session::PStore #:nodoc:
+  def initialize(session, option={})
+    dir = option['tmpdir'] || Dir::tmpdir
+    prefix = option['prefix'] || ''
+    id = session.session_id
+    md5 = Digest::MD5.hexdigest(id)[0,16]
+    path = dir+"/"+prefix+md5
+    path.untaint
+    if File::exist?(path)
+      @hash = nil
+    else
+      unless session.new_session
+        raise CGI::Session::NoSession, "uninitialized session"
+      end
+      @hash = {}
+    end
+    @p = ::PStore.new(path)
+    @p.transaction do |p|
+      File.chmod(0600, p.path)
+    end
+  end
+end

data/lib/action_controller/cgi_ext/raw_post_data_fix.rb

@@ -65,7 +65,7 @@ class CGI #:nodoc:
           if env_qs.blank? && !(uri = env_table['REQUEST_URI']).blank?
             uri.split('?', 2)[1] || ''
           else
-            env_qs
+            env_qs || ''
           end
         end
       end

data/lib/action_controller/cgi_process.rb

@@ -2,6 +2,7 @@ require 'action_controller/cgi_ext/cgi_ext'
 require 'action_controller/cgi_ext/cookie_performance_fix'
 require 'action_controller/cgi_ext/raw_post_data_fix'
 require 'action_controller/cgi_ext/session_performance_fix'
+require 'action_controller/cgi_ext/pstore_performance_fix'
 
 module ActionController #:nodoc:
   class Base
@@ -12,8 +13,8 @@ module ActionController #:nodoc:
     #   (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
     #   lib/action_controller/session.
     # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
-    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ parameter
-    #   of the request, or automatically generated for a new session.
+    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or 
+    #   automatically generated for a new session.
     # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently
     #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
     #   an ArgumentError is raised.
@@ -23,6 +24,8 @@ module ActionController #:nodoc:
     #   server.
     # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
     # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script.
+    # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
+    #   the query string or POST parameters. This protects against session fixation attacks.
     def self.process_cgi(cgi = CGI.new, session_options = {})
       new.process_cgi(cgi, session_options)
     end
@@ -33,18 +36,21 @@ module ActionController #:nodoc:
   end
 
   class CgiRequest < AbstractRequest #:nodoc:
-    attr_accessor :cgi, :session_options
+    attr_accessor :cgi, :session_options, :cookie_only
+    class SessionFixationAttempt < StandardError; end #:nodoc:
 
     DEFAULT_SESSION_OPTIONS = {
       :database_manager => CGI::Session::PStore,
       :prefix           => "ruby_sess.",
-      :session_path     => "/"
+      :session_path     => "/",
+      :cookie_only      => true
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
 
     def initialize(cgi, session_options = {})
       @cgi = cgi
       @session_options = session_options
       @env = @cgi.send(:env_table)
+      @cookie_only = session_options.delete :cookie_only
       super()
     end
 
@@ -108,6 +114,9 @@ module ActionController #:nodoc:
           @session = Hash.new
         else
           stale_session_check! do
+            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
+              raise SessionFixationAttempt
+            end
             case value = session_options_with_string_keys['new_session']
               when true
                 @session = new_session

data/lib/action_controller/cookies.rb

@@ -62,9 +62,11 @@ module ActionController #:nodoc:
     end
 
     # Removes the cookie on the client machine by setting the value to an empty string
-    # and setting its expiration date into the past
-    def delete(name)
-      set_cookie("name" => name.to_s, "value" => "", "expires" => Time.at(0))
+    # and setting its expiration date into the past.  Like []=, you can pass in an options
+    # hash to delete cookies with extra data such as a +path+.
+    def delete(name, options = {})
+      options.stringify_keys!
+      set_cookie(options.merge("name" => name.to_s, "value" => "", "expires" => Time.at(0)))
     end
 
     private

data/lib/action_controller/filters.rb

@@ -214,9 +214,10 @@ module ActionController #:nodoc:
     # == Filter Chain Halting
     #
     # <tt>before_filter</tt> and <tt>around_filter</tt> may halt the request
-    # before controller action is run. This is useful, for example, to deny
+    # before a controller action is run. This is useful, for example, to deny
     # access to unauthenticated users or to redirect from http to https.
     # Simply return false from the filter or call render or redirect.
+    # After filters will not be executed if the filter chain is halted.
     #
     # Around filters halt the request unless the action block is called.
     # Given these filters
@@ -238,12 +239,12 @@ module ActionController #:nodoc:
     #   .  .  /
     #   .  #around (code after yield)
     #   . /
-    #   #after (actual filter code is run)
+    #   #after (actual filter code is run, unless the around filter does not yield)
     #
-    # If #around returns before yielding, only #after will be run. The #before
-    # filter and controller action will not be run.  If #before returns false,
-    # the second half of #around and all of #after will still run but the
-    # action will not.
+    # If #around returns before yielding, #after will still not be run. The #before
+    # filter and controller action will not be run. If #before returns false,
+    # the second half of #around and will still run but #after and the
+    # action will not. If #around does not yield, #after will not be run.
     module ClassMethods
       # The passed <tt>filters</tt> will be appended to the filter_chain and
       # will execute before the action on this controller is performed.
@@ -263,13 +264,13 @@ module ActionController #:nodoc:
       # The passed <tt>filters</tt> will be appended to the array of filters
       # that run _after_ actions on this controller are performed.
       def append_after_filter(*filters, &block)
-        prepend_filter_to_chain(filters, :after, &block)
+        append_filter_to_chain(filters, :after, &block)
       end
 
       # The passed <tt>filters</tt> will be prepended to the array of filters
       # that run _after_ actions on this controller are performed.
       def prepend_after_filter(*filters, &block)
-        append_filter_to_chain(filters, :after, &block)
+        prepend_filter_to_chain(filters, :after, &block)
       end
 
       # Shorthand for append_after_filter since it's the most common.
@@ -362,12 +363,12 @@ module ActionController #:nodoc:
 
       # Returns a mapping between filters and the actions that may run them.
       def included_actions #:nodoc:
-        read_inheritable_attribute("included_actions") || {}
+        @included_actions ||= read_inheritable_attribute("included_actions") || {}
       end
 
       # Returns a mapping between filters and actions that may not run them.
       def excluded_actions #:nodoc:
-        read_inheritable_attribute("excluded_actions") || {}
+        @excluded_actions ||= read_inheritable_attribute("excluded_actions") || {}
       end
 
       # Find a filter in the filter_chain where the filter method matches the _filter_ param
@@ -381,10 +382,11 @@ module ActionController #:nodoc:
 
       # Returns true if the filter is excluded from the given action
       def filter_excluded_from_action?(filter,action) #:nodoc:
-        if (ia = included_actions[filter]) && !ia.empty?
+        case
+        when ia = included_actions[filter]
           !ia.include?(action)
-        else
-          (excluded_actions[filter] || []).include?(action)
+        when ea = excluded_actions[filter]
+          ea.include?(action)
         end
       end
 
@@ -397,20 +399,28 @@ module ActionController #:nodoc:
           @filter = filter
         end
 
+        def type
+          :around
+        end
+
         def before?
-          false
+          type == :before
         end
 
         def after?
-          false
+          type == :after
         end
 
         def around?
-          true
+          type == :around
+        end
+
+        def run(controller)
+          raise ActionControllerError, 'No filter type: Nothing to do here.'
         end
 
         def call(controller, &block)
-          raise(ActionControllerError, 'No filter type: Nothing to do here.')
+          run(controller)
         end
       end
 
@@ -420,35 +430,38 @@ module ActionController #:nodoc:
         def filter
           @filter.filter
         end
-
-        def around?
-          false
-        end
       end
 
       class BeforeFilterProxy < FilterProxy #:nodoc:
-        def before?
-          true
+        def type
+          :before
         end
 
-        def call(controller, &block)
-          if false == @filter.call(controller) # must only stop if equal to false. only filters returning false are halted.
-            controller.halt_filter_chain(@filter, :returned_false)
-          else
-            yield
+        def run(controller)
+          # only filters returning false are halted.
+          if false == @filter.call(controller)
+            controller.send :halt_filter_chain, @filter, :returned_false
           end
         end
+
+        def call(controller)
+          yield unless run(controller)
+        end
       end
 
       class AfterFilterProxy < FilterProxy #:nodoc:
-        def after?
-          true
+        def type
+          :after
         end
 
-        def call(controller, &block)
-          yield
+        def run(controller)
           @filter.call(controller)
         end
+
+        def call(controller)
+          yield
+          run(controller)
+        end
       end
 
       class SymbolFilter < Filter #:nodoc:
@@ -485,29 +498,72 @@ module ActionController #:nodoc:
         end
       end
 
+      class ClassBeforeFilter < Filter #:nodoc:
+        def call(controller, &block)
+          @filter.before(controller)
+        end
+      end
+
+      class ClassAfterFilter < Filter #:nodoc:
+        def call(controller, &block)
+          @filter.after(controller)
+        end
+      end
+
       protected
-        def append_filter_to_chain(filters, position = :around, &block)
-          write_inheritable_array('filter_chain', create_filters(filters, position, &block) )
+        def append_filter_to_chain(filters, filter_type = :around, &block)
+          pos = find_filter_append_position(filters, filter_type)
+          update_filter_chain(filters, filter_type, pos, &block)
         end
 
-        def prepend_filter_to_chain(filters, position = :around, &block)
-          write_inheritable_attribute('filter_chain', create_filters(filters, position, &block) + filter_chain)
+        def prepend_filter_to_chain(filters, filter_type = :around, &block)
+          pos = find_filter_prepend_position(filters, filter_type)
+          update_filter_chain(filters, filter_type, pos, &block)
         end
 
-        def create_filters(filters, position, &block) #:nodoc:
+        def update_filter_chain(filters, filter_type, pos, &block)
+          new_filters = create_filters(filters, filter_type, &block)
+          new_chain = filter_chain.insert(pos, new_filters).flatten
+          write_inheritable_attribute('filter_chain', new_chain)
+        end
+
+        def find_filter_append_position(filters, filter_type)
+          # appending an after filter puts it at the end of the call chain
+          # before and around filters go before the first after filter in the chain
+          unless filter_type == :after
+            filter_chain.each_with_index do |f,i|
+              return i if f.after?
+            end
+          end
+          return -1
+        end
+
+        def find_filter_prepend_position(filters, filter_type)
+          # prepending a before or around filter puts it at the front of the call chain
+          # after filters go before the first after filter in the chain
+          if filter_type == :after
+            filter_chain.each_with_index do |f,i|
+              return i if f.after?
+            end
+            return -1
+          end
+          return 0
+        end
+
+        def create_filters(filters, filter_type, &block) #:nodoc:
           filters, conditions = extract_conditions(filters, &block)
-          filters.map! { |filter| find_or_create_filter(filter,position) }
+          filters.map! { |filter| find_or_create_filter(filter, filter_type) }
           update_conditions(filters, conditions)
           filters
         end
 
-        def find_or_create_filter(filter,position)
-          if found_filter = find_filter(filter) { |f| f.send("#{position}?") }
+        def find_or_create_filter(filter, filter_type)
+          if found_filter = find_filter(filter) { |f| f.type == filter_type }
             found_filter
           else
-            f = class_for_filter(filter).new(filter)
+            f = class_for_filter(filter, filter_type).new(filter)
             # apply proxy to filter if necessary
-            case position
+            case filter_type
             when :before
               BeforeFilterProxy.new(f)
             when :after
@@ -520,7 +576,7 @@ module ActionController #:nodoc:
 
         # The determination of the filter type was once done at run time.
         # This method is here to extract as much logic from the filter run time as possible
-        def class_for_filter(filter) #:nodoc:
+        def class_for_filter(filter, filter_type) #:nodoc:
           case
           when filter.is_a?(Symbol)
             SymbolFilter
@@ -534,8 +590,12 @@ module ActionController #:nodoc:
             end
           when filter.respond_to?(:filter)
             ClassFilter
+          when filter.respond_to?(:before) && filter_type == :before
+            ClassBeforeFilter
+          when filter.respond_to?(:after) && filter_type == :after
+            ClassAfterFilter
           else
-            raise(ActionControllerError, 'A filters must be a Symbol, Proc, Method, or object responding to filter.')
+            raise(ActionControllerError, 'A filter must be a Symbol, Proc, Method, or object responding to filter, after or before.')
           end
         end
 
@@ -550,8 +610,8 @@ module ActionController #:nodoc:
           return if conditions.empty?
           if conditions[:only]
             write_inheritable_hash('included_actions', condition_hash(filters, conditions[:only]))
-          else
-            write_inheritable_hash('excluded_actions', condition_hash(filters, conditions[:except])) if conditions[:except]
+          elsif conditions[:except]
+            write_inheritable_hash('excluded_actions', condition_hash(filters, conditions[:except]))
           end
         end
 
@@ -576,9 +636,9 @@ module ActionController #:nodoc:
 
         def remove_actions_from_included_actions!(filters,*actions)
           actions = actions.flatten.map(&:to_s)
-          updated_hash = filters.inject(included_actions) do |hash,filter|
+          updated_hash = filters.inject(read_inheritable_attribute('included_actions')||{}) do |hash,filter|
             ia = (hash[filter] || []) - actions
-            ia.blank? ? hash.delete(filter) : hash[filter] = ia
+            ia.empty? ? hash.delete(filter) : hash[filter] = ia
             hash
           end
           write_inheritable_attribute('included_actions', updated_hash)
@@ -595,7 +655,9 @@ module ActionController #:nodoc:
         def proxy_before_and_after_filter(filter) #:nodoc:
           return filter unless filter_responds_to_before_and_after(filter)
           Proc.new do |controller, action|
-            unless filter.before(controller) == false
+            if filter.before(controller) == false
+              controller.send :halt_filter_chain, filter, :returned_false
+            else
               begin
                 action.call
               ensure
@@ -615,53 +677,90 @@ module ActionController #:nodoc:
         end
       end
 
-      def perform_action_with_filters
-        call_filter(self.class.filter_chain, 0)
-      end
+      protected
 
       def process_with_filters(request, response, method = :perform_action, *arguments) #:nodoc:
         @before_filter_chain_aborted = false
         process_without_filters(request, response, method, *arguments)
       end
 
-      def filter_chain
-        self.class.filter_chain
+      def perform_action_with_filters
+        call_filters(self.class.filter_chain, 0, 0)
       end
 
-      def call_filter(chain, index)
-        return (performed? || perform_action_without_filters) if index >= chain.size
-        filter = chain[index]
-        return call_filter(chain, index.next) if self.class.filter_excluded_from_action?(filter,action_name)
+      private
 
-        halted = false
-        filter.call(self) do
-          halted = call_filter(chain, index.next)
+      def call_filters(chain, index, nesting)
+        index = run_before_filters(chain, index, nesting)
+        aborted = @before_filter_chain_aborted
+        perform_action_without_filters unless performed? || aborted
+        return index if nesting != 0 || aborted
+        run_after_filters(chain, index)
+      end
+
+      def skip_excluded_filters(chain, index)
+        while (filter = chain[index]) && self.class.filter_excluded_from_action?(filter, action_name)
+          index = index.next
         end
-        halt_filter_chain(filter.filter, :no_yield) if halted == false unless @before_filter_chain_aborted
-        halted
+        [filter, index]
       end
 
-      def halt_filter_chain(filter, reason)
-        if logger
-          case reason
-          when :no_yield
-            logger.info "Filter chain halted as [#{filter.inspect}] did not yield."
-          when :returned_false
-            logger.info "Filter chain halted as [#{filter.inspect}] returned false."
+      def run_before_filters(chain, index, nesting)
+        while chain[index]
+          filter, index = skip_excluded_filters(chain, index)
+          break unless filter # end of call chain reached
+          case filter.type
+          when :before
+            filter.run(self)  # invoke before filter
+            index = index.next
+            break if @before_filter_chain_aborted
+          when :around
+            yielded = false
+            filter.call(self) do
+              yielded = true
+              # all remaining before and around filters will be run in this call
+              index = call_filters(chain, index.next, nesting.next)
+            end
+            halt_filter_chain(filter, :did_not_yield) unless yielded
+            break
+          else
+            break  # no before or around filters left
           end
         end
-        @before_filter_chain_aborted = true
-        return false
+        index
       end
 
-      private
-        def process_cleanup_with_filters
-          if @before_filter_chain_aborted
-            close_session
+      def run_after_filters(chain, index)
+        seen_after_filter = false
+        while chain[index]
+          filter, index = skip_excluded_filters(chain, index)
+          break unless filter # end of call chain reached
+          case filter.type
+          when :after
+            seen_after_filter = true
+            filter.run(self)  # invoke after filter
           else
-            process_cleanup_without_filters
+            # implementation error or someone has mucked with the filter chain
+            raise ActionControllerError, "filter #{filter.inspect} was in the wrong place!" if seen_after_filter
           end
+          index = index.next
+        end
+        index.next
+      end
+
+      def halt_filter_chain(filter, reason)
+        @before_filter_chain_aborted = true
+        logger.info "Filter chain halted as [#{filter.inspect}] #{reason}." if logger
+        false
+      end
+
+      def process_cleanup_with_filters
+        if @before_filter_chain_aborted
+          close_session
+        else
+          process_cleanup_without_filters
         end
+      end
     end
   end
 end