actionpack 2.0.5 → 2.1.0

data/lib/action_controller/mime_responds.rb

@@ -92,7 +92,7 @@ module ActionController #:nodoc:
       # with the remaining data.
       #
       # Note that you can define your own XML parameter parser which would allow you to describe multiple entities
-      # in a single request (i.e., by wrapping them all in a single root note), but if you just go with the flow
+      # in a single request (i.e., by wrapping them all in a single root node), but if you just go with the flow
       # and accept Rails' defaults, life will be much easier.
       #
       # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
@@ -125,7 +125,7 @@ module ActionController #:nodoc:
 
         @order << mime_type
 
-        @responses[mime_type] = Proc.new do
+        @responses[mime_type] ||= Proc.new do
           @response.template.template_format = mime_type.to_sym
           @response.content_type = mime_type.to_s
           block_given? ? block.call : @controller.send(:render, :action => @controller.action_name)
@@ -133,7 +133,11 @@ module ActionController #:nodoc:
       end
 
       def any(*args, &block)
-        args.each { |type| send(type, &block) }
+        if args.any?
+          args.each { |type| send(type, &block) }
+        else
+          custom(@mime_type_priority.first, &block)
+        end
       end
 
       def method_missing(symbol, &block)

data/lib/action_controller/mime_type.rb

@@ -17,6 +17,10 @@ module Mime
   #     end
   #   end
   class Type
+    @@html_types = Set.new [:html, :all]
+    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
+    cattr_reader :html_types, :unverifiable_types
+
     # A simple helper class used in parsing the accept header
     class AcceptItem #:nodoc:
       attr_accessor :order, :name, :q
@@ -71,8 +75,11 @@ module Mime
         # keep track of creation order to keep the subsequent sort stable
         list = []
         accept_header.split(/,/).each_with_index do |header, index| 
-          params = header.split(/;\s*q=/)
-          list << AcceptItem.new(index, *params) unless params.empty?
+          params, q = header.split(/;\s*q=/)       
+          if params
+            params.strip!          
+            list << AcceptItem.new(index, params, q) unless params.empty?
+          end
         end
         list.sort!
 
@@ -97,7 +104,7 @@ module Mime
           list[text_xml].name = Mime::XML.to_s
         end
 
-        # Look for more specific xml-based types and sort them ahead of app/xml
+        # Look for more specific XML-based types and sort them ahead of app/xml
 
         if app_xml
           idx = app_xml
@@ -145,17 +152,26 @@ module Mime
     end
     
     def ==(mime_type)
-      return false unless mime_type
-      (@synonyms + [ self ]).any? do |synonym|
-        synonym.to_s == mime_type.to_s || synonym.to_sym == mime_type.to_sym
+      return false if mime_type.blank?
+      (@synonyms + [ self ]).any? do |synonym| 
+        synonym.to_s == mime_type.to_s || synonym.to_sym == mime_type.to_sym 
       end
     end
-    
+
+    # Returns true if Action Pack should check requests using this Mime Type for possible request forgery.  See
+    # ActionController::RequestForgerProtection.
+    def verify_request?
+      !@@unverifiable_types.include?(to_sym)
+    end
+
+    def html?
+      @@html_types.include?(to_sym) || @string =~ /html/
+    end
+
     private
       def method_missing(method, *args)
         if method.to_s =~ /(\w+)\?$/
-          mime_type = $1.downcase.to_sym
-          mime_type == @symbol || (mime_type == :html && @symbol == :all)
+          $1.downcase.to_sym == to_sym
         else
           super
         end

data/lib/action_controller/mime_types.rb

@@ -17,4 +17,4 @@ Mime::Type.register "multipart/form-data", :multipart_form
 Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
 
 # http://www.ietf.org/rfc/rfc4627.txt
-Mime::Type.register "application/json", :json, %w( text/x-json )
+Mime::Type.register "application/json", :json, %w( text/x-json )

data/lib/action_controller/polymorphic_routes.rb

@@ -1,6 +1,6 @@
 module ActionController
   # Polymorphic URL helpers are methods for smart resolution to a named route call when
-  # given an ActiveRecord model instance. They are to be used in combination with
+  # given an Active Record model instance. They are to be used in combination with
   # ActionController::Resources.
   #
   # These methods are useful when you want to generate correct URL or path to a RESTful
@@ -9,7 +9,9 @@ module ActionController
   # Nested resources and/or namespaces are also supported, as illustrated in the example:
   #
   #   polymorphic_url([:admin, @article, @comment])
-  #   #-> results in:
+  #
+  # results in:
+  #   
   #   admin_article_comment_url(@article, @comment)
   #
   # == Usage within the framework
@@ -19,7 +21,7 @@ module ActionController
   # * <tt>url_for</tt>, so you can use it with a record as the argument, e.g.
   #   <tt>url_for(@article)</tt>;
   # * ActionView::Helpers::FormHelper uses <tt>polymorphic_path</tt>, so you can write
-  #   <tt>form_for(@article)</tt> without having to specify :url parameter for the form
+  #   <tt>form_for(@article)</tt> without having to specify <tt>:url</tt> parameter for the form
   #   action;
   # * <tt>redirect_to</tt> (which, in fact, uses <tt>url_for</tt>) so you can write
   #   <tt>redirect_to(post)</tt> in your controllers;
@@ -38,38 +40,41 @@ module ActionController
   #
   # Example usage:
   #
-  #   edit_polymorphic_path(@post)
-  #   #=> /posts/1/edit
-  #
-  #   formatted_polymorphic_path([@post, :pdf])
-  #   #=> /posts/1.pdf
+  #   edit_polymorphic_path(@post)              # => "/posts/1/edit"
+  #   formatted_polymorphic_path([@post, :pdf]) # => "/posts/1.pdf"
   module PolymorphicRoutes
     # Constructs a call to a named RESTful route for the given record and returns the
     # resulting URL string. For example:
     #
-    #   polymorphic_url(post)
-    #   # calls post_url(post) #=> "http://example.com/posts/1"
+    #   # calls post_url(post)
+    #   polymorphic_url(post) # => "http://example.com/posts/1"
     #
     # ==== Options
-    # * <tt>:action</tt> -- specifies the action prefix for the named route:
-    #   <tt>:new</tt>, <tt>:edit</tt> or <tt>:formatted</tt>. Default is no prefix.
-    # * <tt>:routing_type</tt> -- <tt>:path</tt> or <tt>:url</tt> (default <tt>:url</tt>).
+    #
+    # * <tt>:action</tt> - Specifies the action prefix for the named route:
+    #   <tt>:new</tt>, <tt>:edit</tt>, or <tt>:formatted</tt>. Default is no prefix.
+    # * <tt>:routing_type</tt> - Allowed values are <tt>:path</tt> or <tt>:url</tt>.
+    #   Default is <tt>:url</tt>.
     #
     # ==== Examples
     #
     #   # an Article record
-    #   polymorphic_url(record)  #->  article_url(record)
+    #   polymorphic_url(record)  # same as article_url(record)
     #
     #   # a Comment record
-    #   polymorphic_url(record)  #->  comment_url(record)
+    #   polymorphic_url(record)  # same as comment_url(record)
     #
     #   # it recognizes new records and maps to the collection
     #   record = Comment.new
-    #   polymorphic_url(record)  #->  comments_url()
+    #   polymorphic_url(record)  # same as comments_url()
     #
     def polymorphic_url(record_or_hash_or_array, options = {})
+      if record_or_hash_or_array.kind_of?(Array)
+        record_or_hash_or_array = record_or_hash_or_array.dup
+      end
+
       record    = extract_record(record_or_hash_or_array)
-      format    = (options[:action].to_s == "formatted" and record_or_hash_or_array.pop)
+      format    = extract_format(record_or_hash_or_array, options)
       namespace = extract_namespace(record_or_hash_or_array)
       
       args = case record_or_hash_or_array
@@ -148,6 +153,16 @@ module ActionController
         end
       end
       
+      def extract_format(record_or_hash_or_array, options)
+        if options[:action].to_s == "formatted" && record_or_hash_or_array.is_a?(Array)
+          record_or_hash_or_array.pop
+        elsif options[:format]
+          options[:format]
+        else
+          nil
+        end
+      end
+      
       def extract_namespace(record_or_hash_or_array)
         returning "" do |namespace|
           if record_or_hash_or_array.is_a?(Array)

data/lib/action_controller/record_identifier.rb

@@ -33,11 +33,17 @@ module ActionController
 
     # Returns plural/singular for a record or class. Example:
     #
-    #   partial_path(post)   # => "posts/post"
-    #   partial_path(Person) # => "people/person"
-    def partial_path(record_or_class)
+    #   partial_path(post)                   # => "posts/post"
+    #   partial_path(Person)                 # => "people/person"
+    #   partial_path(Person, "admin/games")  # => "admin/people/person"
+    def partial_path(record_or_class, controller_path = nil)
       klass = class_from_record_or_class(record_or_class)
-      "#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+
+      if controller_path && controller_path.include?("/")
+        "#{File.dirname(controller_path)}/#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+      else
+        "#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+      end
     end
 
     # The DOM class convention is to use the singular form of an object or class. Examples:

data/lib/action_controller/request.rb

@@ -15,7 +15,7 @@ module ActionController
     # such as { 'RAILS_ENV' => 'production' }.
     attr_reader :env
 
-    # The true HTTP request method as a lowercase symbol, such as :get.
+    # The true HTTP request method as a lowercase symbol, such as <tt>:get</tt>.
     # UnknownHttpMethod is raised for invalid methods not listed in ACCEPTED_HTTP_METHODS.
     def request_method
       @request_method ||= begin
@@ -28,41 +28,43 @@ module ActionController
       end
     end
 
-    # The HTTP request method as a lowercase symbol, such as :get.
-    # Note, HEAD is returned as :get since the two are functionally
+    # The HTTP request method as a lowercase symbol, such as <tt>:get</tt>.
+    # Note, HEAD is returned as <tt>:get</tt> since the two are functionally
     # equivalent from the application's perspective.
     def method
       request_method == :head ? :get : request_method
     end
 
-    # Is this a GET (or HEAD) request?  Equivalent to request.method == :get
+    # Is this a GET (or HEAD) request?  Equivalent to <tt>request.method == :get</tt>.
     def get?
       method == :get
     end
 
-    # Is this a POST request?  Equivalent to request.method == :post
+    # Is this a POST request?  Equivalent to <tt>request.method == :post</tt>.
     def post?
       request_method == :post
     end
 
-    # Is this a PUT request?  Equivalent to request.method == :put
+    # Is this a PUT request?  Equivalent to <tt>request.method == :put</tt>.
     def put?
       request_method == :put
     end
 
-    # Is this a DELETE request?  Equivalent to request.method == :delete
+    # Is this a DELETE request?  Equivalent to <tt>request.method == :delete</tt>.
     def delete?
       request_method == :delete
     end
 
-    # Is this a HEAD request? request.method sees HEAD as :get, so check the
-    # HTTP method directly.
+    # Is this a HEAD request? <tt>request.method</tt> sees HEAD as <tt>:get</tt>,
+    # so check the HTTP method directly.
     def head?
       request_method == :head
     end
 
+    # Provides acccess to the request's HTTP headers, for example:
+    #  request.headers["Content-Type"] # => "text/plain"
     def headers
-      @env
+      @headers ||= ActionController::Http::Headers.new(@env)
     end
 
     def content_length
@@ -400,6 +402,14 @@ EOM
             body.blank? ? {} : Hash.from_xml(body).with_indifferent_access
           when :yaml
             YAML.load(body)
+          when :json
+            if body.blank?
+              {}
+            else
+              data = ActiveSupport::JSON.decode(body)
+              data = {:_json => data} unless data.is_a?(Hash)
+              data.with_indifferent_access
+            end
           else
             {}
         end
@@ -456,8 +466,8 @@ EOM
         parser.result
       end
 
-      def parse_multipart_form_parameters(body, boundary, content_length, env)
-        parse_request_parameters(read_multipart(body, boundary, content_length, env))
+      def parse_multipart_form_parameters(body, boundary, body_size, env)
+        parse_request_parameters(read_multipart(body, boundary, body_size, env))
       end
 
       def extract_multipart_boundary(content_type_with_parameters)
@@ -488,7 +498,7 @@ EOM
             when Array
               value.map { |v| get_typed_value(v) }
             else
-              if value.is_a?(UploadedFile)
+              if value.respond_to? :original_filename
                 # Uploaded file
                 if value.original_filename
                   value
@@ -505,23 +515,28 @@ EOM
           end
         end
 
-
         MULTIPART_BOUNDARY = %r|\Amultipart/form-data.*boundary=\"?([^\";,]+)\"?|n
 
         EOL = "\015\012"
 
-        def read_multipart(body, boundary, content_length, env)
+        def read_multipart(body, boundary, body_size, env)
           params = Hash.new([])
           boundary = "--" + boundary
-          quoted_boundary = Regexp.quote(boundary, "n")
+          quoted_boundary = Regexp.quote(boundary)
           buf = ""
           bufsize = 10 * 1024
           boundary_end=""
 
           # start multipart/form-data
           body.binmode if defined? body.binmode
+          case body
+          when File
+            body.set_encoding(Encoding::BINARY) if body.respond_to?(:set_encoding)
+          when StringIO
+            body.string.force_encoding(Encoding::BINARY) if body.string.respond_to?(:force_encoding)
+          end
           boundary_size = boundary.size + EOL.size
-          content_length -= boundary_size
+          body_size -= boundary_size
           status = body.read(boundary_size)
           if nil == status
             raise EOFError, "no content body"
@@ -532,7 +547,7 @@ EOM
           loop do
             head = nil
             content =
-              if 10240 < content_length
+              if 10240 < body_size
                 UploadedTempfile.new("CGI")
               else
                 UploadedStringIO.new
@@ -554,24 +569,24 @@ EOM
                 buf[0 ... (buf.size - (EOL + boundary + EOL).size)] = ""
               end
 
-              c = if bufsize < content_length
+              c = if bufsize < body_size
                     body.read(bufsize)
                   else
-                    body.read(content_length)
+                    body.read(body_size)
                   end
               if c.nil? || c.empty?
                 raise EOFError, "bad content body"
               end
               buf.concat(c)
-              content_length -= c.size
+              body_size -= c.size
             end
 
             buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{quoted_boundary}([\r\n]{1,2}|--)/n) do
               content.print $1
               if "--" == $2
-                content_length = -1
+                body_size = -1
               end
-             boundary_end = $2.dup
+              boundary_end = $2.dup
               ""
             end
 
@@ -598,17 +613,16 @@ EOM
             else
               params[name] = [content]
             end
-            break if buf.size == 0
-            break if content_length == -1
+            break if body_size == -1
           end
           raise EOFError, "bad boundary end of body part" unless boundary_end=~/--/
 
-	  begin
+          begin
             body.rewind if body.respond_to?(:rewind)
-	  rescue Errno::ESPIPE
+          rescue Errno::ESPIPE
             # Handles exceptions raised by input streams that cannot be rewound
             # such as when using plain CGI under Apache
-	  end
+          end
 
           params
         end
@@ -687,6 +701,7 @@ EOM
             else
               top << {key => value}.with_indifferent_access
               push top.last
+              value = top[key]
             end
           else
             top << value
@@ -694,7 +709,8 @@ EOM
         elsif top.is_a? Hash
           key = CGI.unescape(key)
           parent << (@top = {}) if top.key?(key) && parent.is_a?(Array)
-          return top[key] ||= value
+          top[key] ||= value
+          return top[key]
         else
           raise ArgumentError, "Don't know what to do: top is #{top.inspect}"
         end
@@ -703,7 +719,7 @@ EOM
       end
 
       def type_conflict!(klass, value)
-        raise TypeError, "Conflicting types for parameter containers. Expected an instance of #{klass} but found an instance of #{value.class}. This can be caused by colliding Array and Hash parameters like qs[]=value&qs[key]=value."
+        raise TypeError, "Conflicting types for parameter containers. Expected an instance of #{klass} but found an instance of #{value.class}. This can be caused by colliding Array and Hash parameters like qs[]=value&qs[key]=value. (The parameters received were #{value.inspect}.)"
       end
   end
 

data/lib/action_controller/request_forgery_protection.rb

@@ -36,7 +36,7 @@ module ActionController #:nodoc:
     #
     #   # Disable request forgery protection in test environment
     #   config.action_controller.allow_forgery_protection = false
-    #
+    # 
     # == Learn more about CSRF (Cross-Site Request Forgery) attacks
     #
     # Here are some resources:
@@ -45,7 +45,7 @@ module ActionController #:nodoc:
     #
     # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
     # There are a few guidelines you should follow:
-    #
+    # 
     # * Keep your GET requests safe and idempotent.  More reading material:
     #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
     #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
@@ -69,10 +69,10 @@ module ActionController #:nodoc:
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - passed to the <tt>before_filter</tt> call.  Set which actions are verified.
+      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
       # * <tt>:secret</tt> - Custom salt used to generate the <tt>form_authenticity_token</tt>.
       #   Leave this off if you are using the cookie session store.
-      # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'
+      # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'.
       def protect_from_forgery(options = {})
         self.request_forgery_protection_token ||= :authenticity_token
         before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
@@ -99,17 +99,18 @@ module ActionController #:nodoc:
       end
     
       def verifiable_request_format?
-        request.format.html? || request.format.js?
+        request.content_type.nil? || request.content_type.verify_request?
       end
     
-      # Sets the token value for the current session.  Pass a :secret option in #protect_from_forgery to add a custom salt to the hash.
+      # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
+      # in +protect_from_forgery+ to add a custom salt to the hash.
       def form_authenticity_token
-        @form_authenticity_token ||= if request_forgery_protection_options[:secret]
+        @form_authenticity_token ||= if !session.respond_to?(:session_id)
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        elsif request_forgery_protection_options[:secret]
           authenticity_token_from_session_id
         elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
           authenticity_token_from_cookie_session
-        elsif session.nil?
-          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
         else
           raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
         end