actionpack 2.0.5 → 2.1.0

data/lib/action_controller/routing/segments.rb

@@ -0,0 +1,283 @@
+module ActionController
+  module Routing
+    class Segment #:nodoc:
+      RESERVED_PCHAR = ':@&=+$,;'
+      UNSAFE_PCHAR = Regexp.new("[^#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}]", false, 'N').freeze
+
+      attr_accessor :is_optional
+      alias_method :optional?, :is_optional
+
+      def initialize
+        self.is_optional = false
+      end
+
+      def extraction_code
+        nil
+      end
+
+      # Continue generating string for the prior segments.
+      def continue_string_structure(prior_segments)
+        if prior_segments.empty?
+          interpolation_statement(prior_segments)
+        else
+          new_priors = prior_segments[0..-2]
+          prior_segments.last.string_structure(new_priors)
+        end
+      end
+
+      def interpolation_chunk
+        URI.escape(value, UNSAFE_PCHAR)
+      end
+
+      # Return a string interpolation statement for this segment and those before it.
+      def interpolation_statement(prior_segments)
+        chunks = prior_segments.collect { |s| s.interpolation_chunk }
+        chunks << interpolation_chunk
+        "\"#{chunks * ''}\"#{all_optionals_available_condition(prior_segments)}"
+      end
+
+      def string_structure(prior_segments)
+        optional? ? continue_string_structure(prior_segments) : interpolation_statement(prior_segments)
+      end
+
+      # Return an if condition that is true if all the prior segments can be generated.
+      # If there are no optional segments before this one, then nil is returned.
+      def all_optionals_available_condition(prior_segments)
+        optional_locals = prior_segments.collect { |s| s.local_name if s.optional? && s.respond_to?(:local_name) }.compact
+        optional_locals.empty? ? nil : " if #{optional_locals * ' && '}"
+      end
+
+      # Recognition
+
+      def match_extraction(next_capture)
+        nil
+      end
+
+      # Warning
+
+      # Returns true if this segment is optional? because of a default. If so, then
+      # no warning will be emitted regarding this segment.
+      def optionality_implied?
+        false
+      end
+    end
+
+    class StaticSegment < Segment #:nodoc:
+      attr_accessor :value, :raw
+      alias_method :raw?, :raw
+
+      def initialize(value = nil)
+        super()
+        self.value = value
+      end
+
+      def interpolation_chunk
+        raw? ? value : super
+      end
+
+      def regexp_chunk
+        chunk = Regexp.escape(value)
+        optional? ? Regexp.optionalize(chunk) : chunk
+      end
+
+      def build_pattern(pattern)
+        escaped = Regexp.escape(value)
+        if optional? && ! pattern.empty?
+          "(?:#{Regexp.optionalize escaped}\\Z|#{escaped}#{Regexp.unoptionalize pattern})"
+        elsif optional?
+          Regexp.optionalize escaped
+        else
+          escaped + pattern
+        end
+      end
+
+      def to_s
+        value
+      end
+    end
+
+    class DividerSegment < StaticSegment #:nodoc:
+      def initialize(value = nil)
+        super(value)
+        self.raw = true
+        self.is_optional = true
+      end
+
+      def optionality_implied?
+        true
+      end
+    end
+
+    class DynamicSegment < Segment #:nodoc:
+      attr_accessor :key, :default, :regexp
+
+      def initialize(key = nil, options = {})
+        super()
+        self.key = key
+        self.default = options[:default] if options.key? :default
+        self.is_optional = true if options[:optional] || options.key?(:default)
+      end
+
+      def to_s
+        ":#{key}"
+      end
+
+      # The local variable name that the value of this segment will be extracted to.
+      def local_name
+        "#{key}_value"
+      end
+
+      def extract_value
+        "#{local_name} = hash[:#{key}] && hash[:#{key}].to_param #{"|| #{default.inspect}" if default}"
+      end
+      def value_check
+        if default # Then we know it won't be nil
+          "#{value_regexp.inspect} =~ #{local_name}" if regexp
+        elsif optional?
+          # If we have a regexp check that the value is not given, or that it matches.
+          # If we have no regexp, return nil since we do not require a condition.
+          "#{local_name}.nil? || #{value_regexp.inspect} =~ #{local_name}" if regexp
+        else # Then it must be present, and if we have a regexp, it must match too.
+          "#{local_name} #{"&& #{value_regexp.inspect} =~ #{local_name}" if regexp}"
+        end
+      end
+      def expiry_statement
+        "expired, hash = true, options if !expired && expire_on[:#{key}]"
+      end
+
+      def extraction_code
+        s = extract_value
+        vc = value_check
+        s << "\nreturn [nil,nil] unless #{vc}" if vc
+        s << "\n#{expiry_statement}"
+      end
+
+      def interpolation_chunk(value_code = "#{local_name}")
+        "\#{URI.escape(#{value_code}.to_s, ActionController::Routing::Segment::UNSAFE_PCHAR)}"
+      end
+
+      def string_structure(prior_segments)
+        if optional? # We have a conditional to do...
+          # If we should not appear in the url, just write the code for the prior
+          # segments. This occurs if our value is the default value, or, if we are
+          # optional, if we have nil as our value.
+          "if #{local_name} == #{default.inspect}\n" +
+            continue_string_structure(prior_segments) +
+          "\nelse\n" + # Otherwise, write the code up to here
+            "#{interpolation_statement(prior_segments)}\nend"
+        else
+          interpolation_statement(prior_segments)
+        end
+      end
+
+      def value_regexp
+        Regexp.new "\\A#{regexp.to_s}\\Z" if regexp
+      end
+
+      def regexp_chunk
+        if regexp 
+          if regexp_has_modifiers?
+            "(#{regexp.to_s})"
+          else
+            "(#{regexp.source})"
+          end
+        else
+          "([^#{Routing::SEPARATORS.join}]+)"
+        end
+      end
+
+      def build_pattern(pattern)
+        chunk = regexp_chunk
+        chunk = "(#{chunk})" if Regexp.new(chunk).number_of_captures == 0
+        pattern = "#{chunk}#{pattern}"
+        optional? ? Regexp.optionalize(pattern) : pattern
+      end
+
+      def match_extraction(next_capture)
+        # All non code-related keys (such as :id, :slug) are URI-unescaped as
+        # path parameters.
+        default_value = default ? default.inspect : nil
+        %[
+          value = if (m = match[#{next_capture}])
+            URI.unescape(m)
+          else
+            #{default_value}
+          end
+          params[:#{key}] = value if value
+        ]
+      end
+
+      def optionality_implied?
+        [:action, :id].include? key
+      end
+
+      def regexp_has_modifiers?
+        regexp.options & (Regexp::IGNORECASE | Regexp::EXTENDED) != 0
+      end
+
+    end
+
+    class ControllerSegment < DynamicSegment #:nodoc:
+      def regexp_chunk
+        possible_names = Routing.possible_controllers.collect { |name| Regexp.escape name }
+        "(?i-:(#{(regexp || Regexp.union(*possible_names)).source}))"
+      end
+
+      # Don't URI.escape the controller name since it may contain slashes.
+      def interpolation_chunk(value_code = "#{local_name}")
+        "\#{#{value_code}.to_s}"
+      end
+
+      # Make sure controller names like Admin/Content are correctly normalized to
+      # admin/content
+      def extract_value
+        "#{local_name} = (hash[:#{key}] #{"|| #{default.inspect}" if default}).downcase"
+      end
+
+      def match_extraction(next_capture)
+        if default
+          "params[:#{key}] = match[#{next_capture}] ? match[#{next_capture}].downcase : '#{default}'"
+        else
+          "params[:#{key}] = match[#{next_capture}].downcase if match[#{next_capture}]"
+        end
+      end
+    end
+
+    class PathSegment < DynamicSegment #:nodoc:
+      def interpolation_chunk(value_code = "#{local_name}")
+        "\#{#{value_code}}"
+      end
+
+      def extract_value
+        "#{local_name} = hash[:#{key}] && hash[:#{key}].collect { |path_component| URI.escape(path_component.to_param, ActionController::Routing::Segment::UNSAFE_PCHAR) }.to_param #{"|| #{default.inspect}" if default}"
+      end
+
+      def default
+        ''
+      end
+
+      def default=(path)
+        raise RoutingError, "paths cannot have non-empty default values" unless path.blank?
+      end
+
+      def match_extraction(next_capture)
+        "params[:#{key}] = PathSegment::Result.new_escaped((match[#{next_capture}]#{" || " + default.inspect if default}).split('/'))#{" if match[" + next_capture + "]" if !default}"
+      end
+
+      def regexp_chunk
+        regexp || "(.*)"
+      end
+
+      def optionality_implied?
+        true
+      end
+
+      class Result < ::Array #:nodoc:
+        def to_s() join '/' end
+        def self.new_escaped(strings)
+          new strings.collect {|str| URI.unescape str}
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/session/active_record_store.rb

@@ -13,7 +13,7 @@ class CGI
 
 
     # A session store backed by an Active Record class.  A default class is
-    # provided, but any object duck-typing to an Active Record +Session+ class
+    # provided, but any object duck-typing to an Active Record Session class
     # with text +session_id+ and +data+ attributes is sufficient.
     #
     # The default assumes a +sessions+ tables with columns:
@@ -26,13 +26,13 @@ class CGI
     # ActionController::SessionOverflowError will be raised.
     #
     # You may configure the table name, primary key, and data column.
-    # For example, at the end of config/environment.rb:
+    # For example, at the end of <tt>config/environment.rb</tt>:
     #   CGI::Session::ActiveRecordStore::Session.table_name = 'legacy_session_table'
     #   CGI::Session::ActiveRecordStore::Session.primary_key = 'session_id'
     #   CGI::Session::ActiveRecordStore::Session.data_column_name = 'legacy_session_data'
-    # Note that setting the primary key to the session_id frees you from
-    # having a separate id column if you don't want it.  However, you must
-    # set session.model.id = session.session_id by hand!  A before_filter
+    # Note that setting the primary key to the +session_id+ frees you from
+    # having a separate +id+ column if you don't want it.  However, you must
+    # set <tt>session.model.id = session.session_id</tt> by hand!  A before filter
     # on ApplicationController is a good place.
     #
     # Since the default class is a simple Active Record, you get timestamps
@@ -42,7 +42,7 @@ class CGI
     # You may provide your own session class implementation, whether a
     # feature-packed Active Record or a bare-metal high-performance SQL
     # store, by setting
-    #   +CGI::Session::ActiveRecordStore.session_class = MySessionClass+
+    #   CGI::Session::ActiveRecordStore.session_class = MySessionClass
     # You must implement these methods:
     #   self.find_by_session_id(session_id)
     #   initialize(hash_of_session_id_and_data)
@@ -154,8 +154,13 @@ class CGI
       # The database connection, table name, and session id and data columns
       # are configurable class attributes.  Marshaling and unmarshaling
       # are implemented as class methods that you may override.  By default,
-      # marshaling data is +ActiveSupport::Base64.encode64(Marshal.dump(data))+ and
-      # unmarshaling data is +Marshal.load(ActiveSupport::Base64.decode64(data))+.
+      # marshaling data is
+      #
+      #   ActiveSupport::Base64.encode64(Marshal.dump(data))
+      #
+      # and unmarshaling data is
+      #
+      #   Marshal.load(ActiveSupport::Base64.decode64(data))
       #
       # This marshaling behavior is intended to store the widest range of
       # binary session data in a +text+ column.  For higher performance,

data/lib/action_controller/session/cookie_store.rb

@@ -14,27 +14,27 @@ require 'openssl'       # to generate the HMAC message digest
 # TamperedWithCookie is raised if the data integrity check fails.
 #
 # A message digest is included with the cookie to ensure data integrity:
-# a user cannot alter his user_id without knowing the secret key included in
+# a user cannot alter his +user_id+ without knowing the secret key included in
 # the hash. New apps are generated with a pregenerated secret in
 # config/environment.rb. Set your own for old apps you're upgrading.
 #
 # Session options:
-#   :secret   An application-wide key string or block returning a string
-#             called per generated digest. The block is called with the
-#             CGI::Session instance as an argument. It's important that the
-#             secret is not vulnerable to a dictionary attack. Therefore,
-#             you should choose a secret consisting of random numbers and
-#             letters and more than 30 characters.
 #
-#             Example:  :secret => '449fe2e7daee471bffae2fd8dc02313d'
-#                       :secret => Proc.new { User.current_user.secret_key }
+# * <tt>:secret</tt>: An application-wide key string or block returning a string
+#   called per generated digest. The block is called with the CGI::Session
+#   instance as an argument. It's important that the secret is not vulnerable to
+#   a dictionary attack. Therefore, you should choose a secret consisting of
+#   random numbers and letters and more than 30 characters. Examples:
 #
-#   :digest   The message digest algorithm used to verify session integrity
-#             defaults to 'SHA1' but may be any digest provided by OpenSSL,
-#             such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+#     :secret => '449fe2e7daee471bffae2fd8dc02313d'
+#     :secret => Proc.new { User.current_user.secret_key }
+#
+# * <tt>:digest</tt>: The message digest algorithm used to verify session
+#   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
+#   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
 #
 # To generate a secret key for an existing application, run
-# `rake secret` and set the key in config/environment.rb
+# "rake secret" and set the key in config/environment.rb.
 #
 # Note that changing digest or secret invalidates all existing sessions!
 class CGI::Session::CookieStore
@@ -117,7 +117,7 @@ class CGI::Session::CookieStore
   def delete
     @data = nil
     clear_old_cookie_value
-    write_cookie('value' => '', 'expires' => 1.year.ago)
+    write_cookie('value' => nil, 'expires' => 1.year.ago)
   end
 
   # Generate the HMAC keyed message digest. Uses SHA1 by default.
@@ -130,17 +130,20 @@ class CGI::Session::CookieStore
     # Marshal a session hash into safe cookie data. Include an integrity hash.
     def marshal(session)
       data = ActiveSupport::Base64.encode64(Marshal.dump(session)).chop
-      CGI.escape "#{data}--#{generate_digest(data)}"
+      "#{data}--#{generate_digest(data)}"
     end
 
     # Unmarshal cookie data to a hash and verify its integrity.
     def unmarshal(cookie)
       if cookie
-        data, digest = CGI.unescape(cookie).split('--')
-        unless digest == generate_digest(data)
+        data, digest = cookie.split('--')
+
+        # Do two checks to transparently support old double-escaped data.
+        unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))
           delete
           raise TamperedWithCookie
         end
+
         Marshal.load(ActiveSupport::Base64.decode64(data))
       end
     end

data/lib/action_controller/session_management.rb

@@ -16,9 +16,11 @@ module ActionController #:nodoc:
     end
 
     module ClassMethods
-      # Set the session store to be used for keeping the session data between requests. By default, sessions are stored
-      # in browser cookies (:cookie_store), but you can also specify one of the other included stores
-      # (:active_record_store, :p_store, drb_store, :mem_cache_store, or :memory_store) or your own custom class.
+      # Set the session store to be used for keeping the session data between requests.
+      # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
+      # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
+      # <tt>:p_store</tt>, <tt>:drb_store</tt>, <tt>:mem_cache_store</tt>, or
+      # <tt>:memory_store</tt>) or your own custom class.
       def session_store=(store)
         ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] =
           store.is_a?(Symbol) ? CGI::Session.const_get(store == :drb_store ? "DRbStore" : store.to_s.camelize) : store
@@ -67,11 +69,16 @@ module ActionController #:nodoc:
       #   session :off, 
       #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
       #
+      #   # turn the session back on, useful when it was turned off in the
+      #   # application controller, and you need it on in another controller
+      #   session :on
+      #
       # All session options described for ActionController::Base.process_cgi
       # are valid arguments.
       def session(*args)
         options = args.extract_options!
 
+        options[:disabled] = false if args.delete(:on)
         options[:disabled] = true if !args.empty?
         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
         options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]

data/lib/action_controller/streaming.rb

@@ -4,34 +4,37 @@ module ActionController #:nodoc:
     DEFAULT_SEND_FILE_OPTIONS = {
       :type         => 'application/octet-stream'.freeze,
       :disposition  => 'attachment'.freeze,
-      :stream       => true, 
-      :buffer_size  => 4096
+      :stream       => true,
+      :buffer_size  => 4096,
+      :x_sendfile   => false
     }.freeze
 
+    X_SENDFILE_HEADER = 'X-Sendfile'.freeze
+
     protected
       # Sends the file by streaming it 4096 bytes at a time. This way the
       # whole file doesn't need to be read into memory at once.  This makes
       # it feasible to send even large files.
       #
       # Be careful to sanitize the path parameter if it coming from a web
-      # page.  send_file(params[:path]) allows a malicious user to
+      # page. <tt>send_file(params[:path])</tt> allows a malicious user to
       # download any file on your server.
       #
       # Options:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
-      #   Defaults to File.basename(path).
+      #   Defaults to <tt>File.basename(path)</tt>.
       # * <tt>:type</tt> - specifies an HTTP content type.
       #   Defaults to 'application/octet-stream'.
-      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.  
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
-      # * <tt>:stream</tt> - whether to send the file to the user agent as it is read (true)
-      #   or to read the entire file before sending (false). Defaults to true.
+      # * <tt>:stream</tt> - whether to send the file to the user agent as it is read (+true+)
+      #   or to read the entire file before sending (+false+). Defaults to +true+.
       # * <tt>:buffer_size</tt> - specifies size (in bytes) of the buffer used to stream the file.
       #   Defaults to 4096.
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
-      # * <tt>:url_based_filename</tt> - set to true if you want the browser guess the filename from 
-      #   the URL, which is necessary for i18n filenames on certain browsers 
-      #   (setting :filename overrides this option).
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser guess the filename from
+      #   the URL, which is necessary for i18n filenames on certain browsers
+      #   (setting <tt>:filename</tt> overrides this option).
       #
       # The default Content-Type and Content-Disposition headers are
       # set to download arbitrary binary files in as many browsers as
@@ -39,17 +42,20 @@ module ActionController #:nodoc:
       # a variety of quirks (especially when downloading over SSL).
       #
       # Simple download:
+      #
       #   send_file '/path/to.zip'
       #
       # Show a JPEG in the browser:
+      #
       #   send_file '/path/to.jpeg', :type => 'image/jpeg', :disposition => 'inline'
       #
       # Show a 404 page in the browser:
+      #
       #   send_file '/path/to/404.html', :type => 'text/html; charset=utf-8', :status => 404
       #
       # Read about the other Content-* HTTP headers if you'd like to
-      # provide the user with more information (such as Content-Description).
-      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
+      # provide the user with more information (such as Content-Description) in
+      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
       #
       # Also be aware that the document may be cached by proxies and browsers.
       # The Pragma and Cache-Control headers declare how the file may be cached
@@ -67,19 +73,24 @@ module ActionController #:nodoc:
 
         @performed_render = false
 
-        if options[:stream]
-          render :status => options[:status], :text => Proc.new { |response, output|
-            logger.info "Streaming file #{path}" unless logger.nil?
-            len = options[:buffer_size] || 4096
-            File.open(path, 'rb') do |file|
-              while buf = file.read(len)
-                output.write(buf)
-              end
-            end
-          }
+        if options[:x_sendfile]
+          logger.info "Sending #{X_SENDFILE_HEADER} header #{path}" if logger
+          head options[:status], X_SENDFILE_HEADER => path
         else
-          logger.info "Sending file #{path}" unless logger.nil?
-          File.open(path, 'rb') { |file| render :status => options[:status], :text => file.read }
+          if options[:stream]
+            render :status => options[:status], :text => Proc.new { |response, output|
+              logger.info "Streaming file #{path}" unless logger.nil?
+              len = options[:buffer_size] || 4096
+              File.open(path, 'rb') do |file|
+                while buf = file.read(len)
+                  output.write(buf)
+                end
+              end
+            }
+          else
+            logger.info "Sending file #{path}" unless logger.nil?
+            File.open(path, 'rb') { |file| render :status => options[:status], :text => file.read }
+          end
         end
       end
 
@@ -87,25 +98,28 @@ module ActionController #:nodoc:
       # and specify whether to show data inline or download as an attachment.
       #
       # Options:
-      # * <tt>:filename</tt> - Suggests a filename for the browser to use.
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
       # * <tt>:type</tt> - specifies an HTTP content type.
       #   Defaults to 'application/octet-stream'.
-      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.  
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
       #
       # Generic data download:
+      #
       #   send_data buffer
       #
       # Download a dynamically-generated tarball:
+      #
       #   send_data generate_tgz('dir'), :filename => 'dir.tgz'
       #
       # Display an image Active Record in the browser:
+      #
       #   send_data image.data, :type => image.content_type, :disposition => 'inline'
       #
       # See +send_file+ for more information on HTTP Content-* headers and caching.
       def send_data(data, options = {}) #:doc:
-        logger.info "Sending data #{options[:filename]}" unless logger.nil?
+        logger.info "Sending data #{options[:filename]}" if logger
         send_file_headers! options.merge(:length => data.size)
         @performed_render = false
         render :status => options[:status], :text => data
@@ -130,10 +144,10 @@ module ActionController #:nodoc:
         )
 
         # Fix a problem with IE 6.0 on opening downloaded files:
-        # If Cache-Control: no-cache is set (which Rails does by default), 
-        # IE removes the file it just downloaded from its cache immediately 
-        # after it displays the "open/save" dialog, which means that if you 
-        # hit "open" the file isn't there anymore when the application that 
+        # If Cache-Control: no-cache is set (which Rails does by default),
+        # IE removes the file it just downloaded from its cache immediately
+        # after it displays the "open/save" dialog, which means that if you
+        # hit "open" the file isn't there anymore when the application that
         # is called for handling the download is run, so let's workaround that
         headers['Cache-Control'] = 'private' if headers['Cache-Control'] == 'no-cache'
       end