actionpack 2.3.18 → 3.0.0.beta

data/lib/action_controller/request_forgery_protection.rb

@@ -1,116 +0,0 @@
-module ActionController #:nodoc:
-  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
-  end
-
-  module RequestForgeryProtection
-    def self.included(base)
-      base.class_eval do
-        helper_method :form_authenticity_token
-        helper_method :protect_against_forgery?
-      end
-      base.extend(ClassMethods)
-    end
-    
-    # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
-    # forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all
-    # forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller.  Only
-    # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
-    # scheme there anyway).  Also, GET requests are not protected as these should be idempotent anyway.
-    #
-    # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
-    # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the error message in
-    # production by editing public/422.html.  A call to this method in ApplicationController is generated by default in post-Rails 2.0
-    # applications.
-    #
-    # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form manually (without the
-    # use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include a hidden field named like that and
-    # set its value to what is returned by <tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax requests. To
-    # make the token available through a global variable to scripts on a certain page, you could add something like this to a view:
-    #
-    #   <%= javascript_tag "window._token = '#{form_authenticity_token}'" %>
-    #
-    # Request forgery protection is disabled by default in test environment.  If you are upgrading from Rails 1.x, add this to
-    # config/environments/test.rb:
-    #
-    #   # Disable request forgery protection in test environment
-    #   config.action_controller.allow_forgery_protection = false
-    # 
-    # == Learn more about CSRF (Cross-Site Request Forgery) attacks
-    #
-    # Here are some resources:
-    # * http://isc.sans.org/diary.html?storyid=1750
-    # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
-    #
-    # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
-    # There are a few guidelines you should follow:
-    # 
-    # * Keep your GET requests safe and idempotent.  More reading material:
-    #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
-    #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
-    # * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look for "Expires: at end of session"
-    #
-    module ClassMethods
-      # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
-      #
-      # Example:
-      #
-      #   class FooController < ApplicationController
-      #     protect_from_forgery :except => :index
-      #
-      #     # you can disable csrf protection on controller-by-controller basis:
-      #     skip_before_filter :verify_authenticity_token
-      #   end
-      #
-      # Valid Options:
-      #
-      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
-      def protect_from_forgery(options = {})
-        self.request_forgery_protection_token ||= :authenticity_token
-        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
-        if options[:secret] || options[:digest]
-          ActiveSupport::Deprecation.warn("protect_from_forgery only takes :only and :except options now. :digest and :secret have no effect", caller)
-        end
-      end
-    end
-
-    protected
-      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
-      def verify_authenticity_token
-        verified_request? || handle_unverified_request
-      end
-
-      def handle_unverified_request
-        reset_session
-      end
-      
-      # Returns true or false if a request is verified.  Checks:
-      #
-      # * is the format restricted?  By default, only HTML requests are checked.
-      # * is it a GET request?  Gets should be safe and idempotent
-      # * Does the form_authenticity_token match the given token value from the params?
-      def verified_request?
-        !protect_against_forgery?                            ||
-          request.get?                                       ||
-          form_authenticity_token == form_authenticity_param ||
-          form_authenticity_token == request.headers['X-CSRF-Token']
-      end
-
-      def form_authenticity_param
-        params[request_forgery_protection_token]
-      end
-
-      def verifiable_request_format?
-        !request.content_type.nil? && request.content_type.verify_request?
-      end
-    
-      # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
-      # in +protect_from_forgery+ to add a custom salt to the hash.
-      def form_authenticity_token
-        session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
-      end
-
-      def protect_against_forgery?
-        allow_forgery_protection && request_forgery_protection_token
-      end
-  end
-end

data/lib/action_controller/rescue.rb

@@ -1,183 +0,0 @@
-module ActionController #:nodoc:
-  # Actions that fail to perform as expected throw exceptions. These
-  # exceptions can either be rescued for the public view (with a nice
-  # user-friendly explanation) or for the developers view (with tons of
-  # debugging information). The developers view is already implemented by
-  # the Action Controller, but the public view should be tailored to your
-  # specific application.
-  #
-  # The default behavior for public exceptions is to render a static html
-  # file with the name of the error code thrown.  If no such file exists, an
-  # empty response is sent with the correct status code.
-  #
-  # You can override what constitutes a local request by overriding the
-  # <tt>local_request?</tt> method in your own controller. Custom rescue
-  # behavior is achieved by overriding the <tt>rescue_action_in_public</tt>
-  # and <tt>rescue_action_locally</tt> methods.
-  module Rescue
-    LOCALHOST = [/^127\.0\.0\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/].freeze
-
-    DEFAULT_RESCUE_RESPONSE = :internal_server_error
-    DEFAULT_RESCUE_RESPONSES = {
-      'ActionController::RoutingError'             => :not_found,
-      'ActionController::UnknownAction'            => :not_found,
-      'ActiveRecord::RecordNotFound'               => :not_found,
-      'ActiveRecord::StaleObjectError'             => :conflict,
-      'ActiveRecord::RecordInvalid'                => :unprocessable_entity,
-      'ActiveRecord::RecordNotSaved'               => :unprocessable_entity,
-      'ActionController::MethodNotAllowed'         => :method_not_allowed,
-      'ActionController::NotImplemented'           => :not_implemented,
-      'ActionController::InvalidAuthenticityToken' => :unprocessable_entity
-    }
-
-    DEFAULT_RESCUE_TEMPLATE = 'diagnostics'
-    DEFAULT_RESCUE_TEMPLATES = {
-      'ActionView::MissingTemplate'       => 'missing_template',
-      'ActionController::RoutingError'    => 'routing_error',
-      'ActionController::UnknownAction'   => 'unknown_action',
-      'ActionView::TemplateError'         => 'template_error'
-    }
-
-    RESCUES_TEMPLATE_PATH = ActionView::Template::EagerPath.new_and_loaded(
-      File.join(File.dirname(__FILE__), "templates"))
-
-    def self.included(base) #:nodoc:
-      base.cattr_accessor :rescue_responses
-      base.rescue_responses = Hash.new(DEFAULT_RESCUE_RESPONSE)
-      base.rescue_responses.update DEFAULT_RESCUE_RESPONSES
-
-      base.cattr_accessor :rescue_templates
-      base.rescue_templates = Hash.new(DEFAULT_RESCUE_TEMPLATE)
-      base.rescue_templates.update DEFAULT_RESCUE_TEMPLATES
-
-      base.extend(ClassMethods)
-      base.send :include, ActiveSupport::Rescuable
-
-      base.class_eval do
-        alias_method_chain :perform_action, :rescue
-      end
-    end
-
-    module ClassMethods
-      def call_with_exception(env, exception) #:nodoc:
-        request = env["action_controller.rescue.request"] ||= Request.new(env)
-        response = env["action_controller.rescue.response"] ||= Response.new
-        new.process(request, response, :rescue_action, exception)
-      end
-    end
-
-    protected
-      # Exception handler called when the performance of an action raises
-      # an exception.
-      def rescue_action(exception)
-        rescue_with_handler(exception) ||
-          rescue_action_without_handler(exception)
-      end
-
-      # Overwrite to implement custom logging of errors. By default
-      # logs as fatal.
-      def log_error(exception) #:doc:
-        ActiveSupport::Deprecation.silence do
-          if ActionView::TemplateError === exception
-            logger.fatal(exception.to_s)
-          else
-            logger.fatal(
-              "\n#{exception.class} (#{exception.message}):\n  " +
-              clean_backtrace(exception).join("\n  ") + "\n\n"
-            )
-          end
-        end
-      end
-
-      # Overwrite to implement public exception handling (for requests
-      # answering false to <tt>local_request?</tt>).  By default will call
-      # render_optional_error_file.  Override this method to provide more
-      # user friendly error messages.
-      def rescue_action_in_public(exception) #:doc:
-        render_optional_error_file response_code_for_rescue(exception)
-      end
-
-      # Attempts to render a static error page based on the
-      # <tt>status_code</tt> thrown, or just return headers if no such file
-      # exists. At first, it will try to render a localized static page.
-      # For example, if a 500 error is being handled Rails and locale is :da,
-      # it will first attempt to render the file at <tt>public/500.da.html</tt>
-      # then attempt to render <tt>public/500.html</tt>. If none of them exist,
-      # the body of the response will be left empty.
-      def render_optional_error_file(status_code)
-        status = interpret_status(status_code)
-        locale_path = "#{Rails.public_path}/#{status[0,3]}.#{I18n.locale}.html" if I18n.locale
-        path = "#{Rails.public_path}/#{status[0,3]}.html"
-
-        if locale_path && File.exist?(locale_path)
-          render :file => locale_path, :status => status, :content_type => Mime::HTML
-        elsif File.exist?(path)
-          render :file => path, :status => status, :content_type => Mime::HTML
-        else
-          head status
-        end
-      end
-
-      # True if the request came from localhost, 127.0.0.1. Override this
-      # method if you wish to redefine the meaning of a local request to
-      # include remote IP addresses or other criteria.
-      def local_request? #:doc:
-        LOCALHOST.any?{ |local_ip| request.remote_addr =~ local_ip && request.remote_ip =~ local_ip }
-      end
-
-      # Render detailed diagnostics for unhandled exceptions rescued from
-      # a controller action.
-      def rescue_action_locally(exception)
-        @template.instance_variable_set("@exception", exception)
-        @template.instance_variable_set("@rescues_path", RESCUES_TEMPLATE_PATH)
-        @template.instance_variable_set("@contents",
-          @template.render(:file => template_path_for_local_rescue(exception)))
-
-        response.content_type = Mime::HTML
-        render_for_file(rescues_path("layout"),
-          response_code_for_rescue(exception))
-      end
-
-      def rescue_action_without_handler(exception)
-        log_error(exception) if logger
-        erase_results if performed?
-
-        # Let the exception alter the response if it wants.
-        # For example, MethodNotAllowed sets the Allow header.
-        if exception.respond_to?(:handle_response!)
-          exception.handle_response!(response)
-        end
-
-        if consider_all_requests_local || local_request?
-          rescue_action_locally(exception)
-        else
-          rescue_action_in_public(exception)
-        end
-      end
-
-    private
-      def perform_action_with_rescue #:nodoc:
-        perform_action_without_rescue
-      rescue Exception => exception
-        rescue_action(exception)
-      end
-
-      def rescues_path(template_name)
-        RESCUES_TEMPLATE_PATH["rescues/#{template_name}.erb"]
-      end
-
-      def template_path_for_local_rescue(exception)
-        rescues_path(rescue_templates[exception.class.name])
-      end
-
-      def response_code_for_rescue(exception)
-        rescue_responses[exception.class.name]
-      end
-
-      def clean_backtrace(exception)
-        defined?(Rails) && Rails.respond_to?(:backtrace_cleaner) ?
-          Rails.backtrace_cleaner.clean(exception.backtrace) :
-          exception.backtrace
-      end
-  end
-end

data/lib/action_controller/resources.rb

@@ -1,682 +0,0 @@
-module ActionController
-  # == Overview
-  #
-  # ActionController::Resources are a way of defining RESTful \resources.  A RESTful \resource, in basic terms,
-  # is something that can be pointed at and it will respond with a representation of the data requested.
-  # In real terms this could mean a user with a browser requests an HTML page, or that a desktop application
-  # requests XML data.
-  #
-  # RESTful design is based on the assumption that there are four generic verbs that a user of an
-  # application can request from a \resource (the noun).
-  #
-  # \Resources can be requested using four basic HTTP verbs (GET, POST, PUT, DELETE), the method used
-  # denotes the type of action that should take place.
-  #
-  # === The Different Methods and their Usage
-  #
-  # * GET    - Requests for a \resource, no saving or editing of a \resource should occur in a GET request.
-  # * POST   - Creation of \resources.
-  # * PUT    - Editing of attributes on a \resource.
-  # * DELETE - Deletion of a \resource.
-  #
-  # === Examples
-  #
-  #   # A GET request on the Posts resource is asking for all Posts
-  #   GET /posts
-  #
-  #   # A GET request on a single Post resource is asking for that particular Post
-  #   GET /posts/1
-  #
-  #   # A POST request on the Posts resource is asking for a Post to be created with the supplied details
-  #   POST /posts # with => { :post => { :title => "My Whizzy New Post", :body => "I've got a brand new combine harvester" } }
-  #
-  #   # A PUT request on a single Post resource is asking for a Post to be updated
-  #   PUT /posts # with => { :id => 1, :post => { :title => "Changed Whizzy Title" } }
-  #
-  #   # A DELETE request on a single Post resource is asking for it to be deleted
-  #   DELETE /posts # with => { :id => 1 }
-  #
-  # By using the REST convention, users of our application can assume certain things about how the data
-  # is requested and how it is returned.  Rails simplifies the routing part of RESTful design by
-  # supplying you with methods to create them in your routes.rb file.
-  #
-  # Read more about REST at http://en.wikipedia.org/wiki/Representational_State_Transfer
-  module Resources
-    INHERITABLE_OPTIONS = :namespace, :shallow
-
-    class Resource #:nodoc:
-      DEFAULT_ACTIONS = :index, :create, :new, :edit, :show, :update, :destroy
-
-      attr_reader :collection_methods, :member_methods, :new_methods
-      attr_reader :path_prefix, :name_prefix, :path_segment
-      attr_reader :plural, :singular
-      attr_reader :options
-
-      def initialize(entities, options)
-        @plural   ||= entities
-        @singular ||= options[:singular] || plural.to_s.singularize
-        @path_segment = options.delete(:as) || @plural
-
-        @options = options
-
-        arrange_actions
-        add_default_actions
-        set_allowed_actions
-        set_prefixes
-      end
-
-      def controller
-        @controller ||= "#{options[:namespace]}#{(options[:controller] || plural).to_s}"
-      end
-
-      def requirements(with_id = false)
-        @requirements   ||= @options[:requirements] || {}
-        @id_requirement ||= { :id => @requirements.delete(:id) || /[^#{Routing::SEPARATORS.join}]+/ }
-
-        with_id ? @requirements.merge(@id_requirement) : @requirements
-      end
-
-      def conditions
-        @conditions ||= @options[:conditions] || {}
-      end
-
-      def path
-        @path ||= "#{path_prefix}/#{path_segment}"
-      end
-
-      def new_path
-        new_action   = self.options[:path_names][:new] if self.options[:path_names]
-        new_action ||= Base.resources_path_names[:new]
-        @new_path  ||= "#{path}/#{new_action}"
-      end
-
-      def shallow_path_prefix
-        @shallow_path_prefix ||= @options[:shallow] ? @options[:namespace].try(:sub, /\/$/, '') : path_prefix
-      end
-
-      def member_path
-        @member_path ||= "#{shallow_path_prefix}/#{path_segment}/:id"
-      end
-
-      def nesting_path_prefix
-        @nesting_path_prefix ||= "#{shallow_path_prefix}/#{path_segment}/:#{singular}_id"
-      end
-
-      def shallow_name_prefix
-        @shallow_name_prefix ||= @options[:shallow] ? @options[:namespace].try(:gsub, /\//, '_') : name_prefix
-      end
-
-      def nesting_name_prefix
-        "#{shallow_name_prefix}#{singular}_"
-      end
-
-      def action_separator
-        @action_separator ||= Base.resource_action_separator
-      end
-
-      def uncountable?
-        @singular.to_s == @plural.to_s
-      end
-
-      def has_action?(action)
-        !DEFAULT_ACTIONS.include?(action) || action_allowed?(action)
-      end
-
-      protected
-        def arrange_actions
-          @collection_methods = arrange_actions_by_methods(options.delete(:collection))
-          @member_methods     = arrange_actions_by_methods(options.delete(:member))
-          @new_methods        = arrange_actions_by_methods(options.delete(:new))
-        end
-
-        def add_default_actions
-          add_default_action(member_methods, :get, :edit)
-          add_default_action(new_methods, :get, :new)
-        end
-
-        def set_allowed_actions
-          only, except = @options.values_at(:only, :except)
-          @allowed_actions ||= {}
-
-          if only == :all || except == :none
-            only = nil
-            except = []
-          elsif only == :none || except == :all
-            only = []
-            except = nil
-          end
-
-          if only
-            @allowed_actions[:only] = Array(only).map(&:to_sym)
-          elsif except
-            @allowed_actions[:except] = Array(except).map(&:to_sym)
-          end
-        end
-
-        def action_allowed?(action)
-          only, except = @allowed_actions.values_at(:only, :except)
-          (!only || only.include?(action)) && (!except || !except.include?(action))
-        end
-
-        def set_prefixes
-          @path_prefix = options.delete(:path_prefix)
-          @name_prefix = options.delete(:name_prefix)
-        end
-
-        def arrange_actions_by_methods(actions)
-          (actions || {}).inject({}) do |flipped_hash, (key, value)|
-            (flipped_hash[value] ||= []) << key
-            flipped_hash
-          end
-        end
-
-        def add_default_action(collection, method, action)
-          (collection[method] ||= []).unshift(action)
-        end
-    end
-
-    class SingletonResource < Resource #:nodoc:
-      def initialize(entity, options)
-        @singular = @plural = entity
-        options[:controller] ||= @singular.to_s.pluralize
-        super
-      end
-
-      alias_method :shallow_path_prefix, :path_prefix
-      alias_method :shallow_name_prefix, :name_prefix
-      alias_method :member_path,         :path
-      alias_method :nesting_path_prefix, :path
-    end
-
-    # Creates named routes for implementing verb-oriented controllers
-    # for a collection \resource.
-    #
-    # For example:
-    #
-    #   map.resources :messages
-    #
-    # will map the following actions in the corresponding controller:
-    #
-    #   class MessagesController < ActionController::Base
-    #     # GET messages_url
-    #     def index
-    #       # return all messages
-    #     end
-    #
-    #     # GET new_message_url
-    #     def new
-    #       # return an HTML form for describing a new message
-    #     end
-    #
-    #     # POST messages_url
-    #     def create
-    #       # create a new message
-    #     end
-    #
-    #     # GET message_url(:id => 1)
-    #     def show
-    #       # find and return a specific message
-    #     end
-    #
-    #     # GET edit_message_url(:id => 1)
-    #     def edit
-    #       # return an HTML form for editing a specific message
-    #     end
-    #
-    #     # PUT message_url(:id => 1)
-    #     def update
-    #       # find and update a specific message
-    #     end
-    #
-    #     # DELETE message_url(:id => 1)
-    #     def destroy
-    #       # delete a specific message
-    #     end
-    #   end
-    #
-    # Along with the routes themselves, +resources+ generates named routes for use in
-    # controllers and views. <tt>map.resources :messages</tt> produces the following named routes and helpers:
-    #
-    #   Named Route   Helpers
-    #   ============  =====================================================
-    #   messages      messages_url, hash_for_messages_url,
-    #                 messages_path, hash_for_messages_path
-    #
-    #   message       message_url(id), hash_for_message_url(id),
-    #                 message_path(id), hash_for_message_path(id)
-    #
-    #   new_message   new_message_url, hash_for_new_message_url,
-    #                 new_message_path, hash_for_new_message_path
-    #
-    #   edit_message  edit_message_url(id), hash_for_edit_message_url(id),
-    #                 edit_message_path(id), hash_for_edit_message_path(id)
-    #
-    # You can use these helpers instead of +url_for+ or methods that take +url_for+ parameters. For example:
-    #
-    #   redirect_to :controller => 'messages', :action => 'index'
-    #   # and
-    #   <%= link_to "edit this message", :controller => 'messages', :action => 'edit', :id => @message.id %>
-    #
-    # now become:
-    #
-    #   redirect_to messages_url
-    #   # and
-    #   <%= link_to "edit this message", edit_message_url(@message) # calls @message.id automatically
-    #
-    # Since web browsers don't support the PUT and DELETE verbs, you will need to add a parameter '_method' to your
-    # form tags. The form helpers make this a little easier. For an update form with a <tt>@message</tt> object:
-    #
-    #   <%= form_tag message_path(@message), :method => :put %>
-    #
-    # or
-    #
-    #   <% form_for :message, @message, :url => message_path(@message), :html => {:method => :put} do |f| %>
-    #
-    # or
-    #
-    #   <% form_for @message do |f| %>
-    #
-    # which takes into account whether <tt>@message</tt> is a new record or not and generates the
-    # path and method accordingly.
-    #
-    # The +resources+ method accepts the following options to customize the resulting routes:
-    # * <tt>:collection</tt> - Add named routes for other actions that operate on the collection.
-    #   Takes a hash of <tt>#{action} => #{method}</tt>, where method is <tt>:get</tt>/<tt>:post</tt>/<tt>:put</tt>/<tt>:delete</tt>,
-    #   an array of any of the previous, or <tt>:any</tt> if the method does not matter.
-    #   These routes map to a URL like /messages/rss, with a route of +rss_messages_url+.
-    # * <tt>:member</tt> - Same as <tt>:collection</tt>, but for actions that operate on a specific member.
-    # * <tt>:new</tt> - Same as <tt>:collection</tt>, but for actions that operate on the new \resource action.
-    # * <tt>:controller</tt> - Specify the controller name for the routes.
-    # * <tt>:singular</tt> - Specify the singular name used in the member routes.
-    # * <tt>:requirements</tt> - Set custom routing parameter requirements; this is a hash of either 
-    #     regular expressions (which must match for the route to match) or extra parameters. For example:
-    #
-    #       map.resource :profile, :path_prefix => ':name', :requirements => { :name => /[a-zA-Z]+/, :extra => 'value' }
-    #
-    #     will only match if the first part is alphabetic, and will pass the parameter :extra to the controller.
-    # * <tt>:conditions</tt> - Specify custom routing recognition conditions.  \Resources sets the <tt>:method</tt> value for the method-specific routes.
-    # * <tt>:as</tt> - Specify a different \resource name to use in the URL path. For example:
-    #     # products_path == '/productos'
-    #     map.resources :products, :as => 'productos' do |product|
-    #       # product_reviews_path(product) == '/productos/1234/comentarios'
-    #       product.resources :product_reviews, :as => 'comentarios'
-    #     end
-    #
-    # * <tt>:has_one</tt> - Specify nested \resources, this is a shorthand for mapping singleton \resources beneath the current.
-    # * <tt>:has_many</tt> - Same has <tt>:has_one</tt>, but for plural \resources.
-    #
-    #   You may directly specify the routing association with +has_one+ and +has_many+ like:
-    #
-    #     map.resources :notes, :has_one => :author, :has_many => [:comments, :attachments]
-    #
-    #   This is the same as:
-    #
-    #     map.resources :notes do |notes|
-    #       notes.resource  :author
-    #       notes.resources :comments
-    #       notes.resources :attachments
-    #     end
-    #
-    # * <tt>:path_names</tt> - Specify different path names for the actions. For example:
-    #     # new_products_path == '/productos/nuevo'
-    #     # bids_product_path(1) == '/productos/1/licitacoes'
-    #     map.resources :products, :as => 'productos', :member => { :bids => :get }, :path_names => { :new => 'nuevo', :bids => 'licitacoes' }
-    #
-    #   You can also set default action names from an environment, like this:
-    #     config.action_controller.resources_path_names = { :new => 'nuevo', :edit => 'editar' }
-    #
-    # * <tt>:path_prefix</tt> - Set a prefix to the routes with required route variables.
-    #
-    #   Weblog comments usually belong to a post, so you might use +resources+ like:
-    #
-    #     map.resources :articles
-    #     map.resources :comments, :path_prefix => '/articles/:article_id'
-    #
-    #   You can nest +resources+ calls to set this automatically:
-    #
-    #     map.resources :articles do |article|
-    #       article.resources :comments
-    #     end
-    #
-    #   The comment \resources work the same, but must now include a value for <tt>:article_id</tt>.
-    #
-    #     article_comments_url(@article)
-    #     article_comment_url(@article, @comment)
-    #
-    #     article_comments_url(:article_id => @article)
-    #     article_comment_url(:article_id => @article, :id => @comment)
-    #
-    #   If you don't want to load all objects from the database you might want to use the <tt>article_id</tt> directly:
-    #
-    #     articles_comments_url(@comment.article_id, @comment)
-    #
-    # * <tt>:name_prefix</tt> - Define a prefix for all generated routes, usually ending in an underscore.
-    #   Use this if you have named routes that may clash.
-    #
-    #     map.resources :tags, :path_prefix => '/books/:book_id', :name_prefix => 'book_'
-    #     map.resources :tags, :path_prefix => '/toys/:toy_id',   :name_prefix => 'toy_'
-    #
-    # You may also use <tt>:name_prefix</tt> to override the generic named routes in a nested \resource:
-    #
-    #   map.resources :articles do |article|
-    #     article.resources :comments, :name_prefix => nil
-    #   end
-    #
-    # This will yield named \resources like so:
-    #
-    #   comments_url(@article)
-    #   comment_url(@article, @comment)
-    #
-    # * <tt>:shallow</tt> - If true, paths for nested resources which reference a specific member
-    #   (ie. those with an :id parameter) will not use the parent path prefix or name prefix.
-    #
-    # The <tt>:shallow</tt> option is inherited by any nested resource(s).
-    #
-    # For example, 'users', 'posts' and 'comments' all use shallow paths with the following nested resources:
-    #
-    #   map.resources :users, :shallow => true do |user|
-    #     user.resources :posts do |post|
-    #       post.resources :comments
-    #     end
-    #   end
-    #   # --> GET /users/1/posts (maps to the PostsController#index action as usual)
-    #   #     also adds the usual named route called "user_posts"
-    #   # --> GET /posts/2 (maps to the PostsController#show action as if it were not nested)
-    #   #     also adds the named route called "post"
-    #   # --> GET /posts/2/comments (maps to the CommentsController#index action)
-    #   #     also adds the named route called "post_comments"
-    #   # --> GET /comments/2 (maps to the CommentsController#show action as if it were not nested)
-    #   #     also adds the named route called "comment"
-    #
-    # You may also use <tt>:shallow</tt> in combination with the +has_one+ and +has_many+ shorthand notations like:
-    #
-    #   map.resources :users, :has_many => { :posts => :comments }, :shallow => true
-    #
-    # * <tt>:only</tt> and <tt>:except</tt> - Specify which of the seven default actions should be routed to.
-    #
-    # <tt>:only</tt> and <tt>:except</tt> may be set to <tt>:all</tt>, <tt>:none</tt>, an action name or a
-    # list of action names. By default, routes are generated for all seven actions.
-    #
-    # For example:
-    #
-    #   map.resources :posts, :only => [:index, :show] do |post|
-    #     post.resources :comments, :except => [:update, :destroy]
-    #   end
-    #   # --> GET /posts (maps to the PostsController#index action)
-    #   # --> POST /posts (fails)
-    #   # --> GET /posts/1 (maps to the PostsController#show action)
-    #   # --> DELETE /posts/1 (fails)
-    #   # --> POST /posts/1/comments (maps to the CommentsController#create action)
-    #   # --> PUT /posts/1/comments/1 (fails)
-    #
-    # If <tt>map.resources</tt> is called with multiple resources, they all get the same options applied.
-    #
-    # Examples:
-    #
-    #   map.resources :messages, :path_prefix => "/thread/:thread_id"
-    #   # --> GET /thread/7/messages/1
-    #
-    #   map.resources :messages, :collection => { :rss => :get }
-    #   # --> GET /messages/rss (maps to the #rss action)
-    #   #     also adds a named route called "rss_messages"
-    #
-    #   map.resources :messages, :member => { :mark => :post }
-    #   # --> POST /messages/1/mark (maps to the #mark action)
-    #   #     also adds a named route called "mark_message"
-    #
-    #   map.resources :messages, :new => { :preview => :post }
-    #   # --> POST /messages/new/preview (maps to the #preview action)
-    #   #     also adds a named route called "preview_new_message"
-    #
-    #   map.resources :messages, :new => { :new => :any, :preview => :post }
-    #   # --> POST /messages/new/preview (maps to the #preview action)
-    #   #     also adds a named route called "preview_new_message"
-    #   # --> /messages/new can be invoked via any request method
-    #
-    #   map.resources :messages, :controller => "categories",
-    #         :path_prefix => "/category/:category_id",
-    #         :name_prefix => "category_"
-    #   # --> GET /categories/7/messages/1
-    #   #     has named route "category_message"
-    #
-    # The +resources+ method sets HTTP method restrictions on the routes it generates. For example, making an
-    # HTTP POST on <tt>new_message_url</tt> will raise a RoutingError exception. The default route in
-    # <tt>config/routes.rb</tt> overrides this and allows invalid HTTP methods for \resource routes.
-    def resources(*entities, &block)
-      options = entities.extract_options!
-      entities.each { |entity| map_resource(entity, options.dup, &block) }
-    end
-
-    # Creates named routes for implementing verb-oriented controllers for a singleton \resource.
-    # A singleton \resource is global to its current context.  For unnested singleton \resources,
-    # the \resource is global to the current user visiting the application, such as a user's
-    # <tt>/account</tt> profile.  For nested singleton \resources, the \resource is global to its parent
-    # \resource, such as a <tt>projects</tt> \resource that <tt>has_one :project_manager</tt>.
-    # The <tt>project_manager</tt> should be mapped as a singleton \resource under <tt>projects</tt>:
-    #
-    #   map.resources :projects do |project|
-    #     project.resource :project_manager
-    #   end
-    #
-    # See +resources+ for general conventions.  These are the main differences:
-    # * A singular name is given to <tt>map.resource</tt>.  The default controller name is still taken from the plural name.
-    # * To specify a custom plural name, use the <tt>:plural</tt> option.  There is no <tt>:singular</tt> option.
-    # * No default index route is created for the singleton \resource controller.
-    # * When nesting singleton \resources, only the singular name is used as the path prefix (example: 'account/messages/1')
-    #
-    # For example:
-    #
-    #   map.resource :account
-    #
-    # maps these actions in the Accounts controller:
-    #
-    #   class AccountsController < ActionController::Base
-    #     # GET new_account_url
-    #     def new
-    #       # return an HTML form for describing the new account
-    #     end
-    #
-    #     # POST account_url
-    #     def create
-    #       # create an account
-    #     end
-    #
-    #     # GET account_url
-    #     def show
-    #       # find and return the account
-    #     end
-    #
-    #     # GET edit_account_url
-    #     def edit
-    #       # return an HTML form for editing the account
-    #     end
-    #
-    #     # PUT account_url
-    #     def update
-    #       # find and update the account
-    #     end
-    #
-    #     # DELETE account_url
-    #     def destroy
-    #       # delete the account
-    #     end
-    #   end
-    #
-    # Along with the routes themselves, +resource+ generates named routes for
-    # use in controllers and views. <tt>map.resource :account</tt> produces
-    # these named routes and helpers:
-    #
-    #   Named Route   Helpers
-    #   ============  =============================================
-    #   account       account_url, hash_for_account_url,
-    #                 account_path, hash_for_account_path
-    #
-    #   new_account   new_account_url, hash_for_new_account_url,
-    #                 new_account_path, hash_for_new_account_path
-    #
-    #   edit_account  edit_account_url, hash_for_edit_account_url,
-    #                 edit_account_path, hash_for_edit_account_path
-    def resource(*entities, &block)
-      options = entities.extract_options!
-      entities.each { |entity| map_singleton_resource(entity, options.dup, &block) }
-    end
-
-    private
-      def map_resource(entities, options = {}, &block)
-        resource = Resource.new(entities, options)
-
-        with_options :controller => resource.controller do |map|
-          map_associations(resource, options)
-
-          if block_given?
-            with_options(options.slice(*INHERITABLE_OPTIONS).merge(:path_prefix => resource.nesting_path_prefix, :name_prefix => resource.nesting_name_prefix), &block)
-          end
-
-          map_collection_actions(map, resource)
-          map_default_collection_actions(map, resource)
-          map_new_actions(map, resource)
-          map_member_actions(map, resource)
-        end
-      end
-
-      def map_singleton_resource(entities, options = {}, &block)
-        resource = SingletonResource.new(entities, options)
-
-        with_options :controller => resource.controller do |map|
-          map_associations(resource, options)
-
-          if block_given?
-            with_options(options.slice(*INHERITABLE_OPTIONS).merge(:path_prefix => resource.nesting_path_prefix, :name_prefix => resource.nesting_name_prefix), &block)
-          end
-
-          map_collection_actions(map, resource)
-          map_new_actions(map, resource)
-          map_member_actions(map, resource)
-          map_default_singleton_actions(map, resource)
-        end
-      end
-
-      def map_associations(resource, options)
-        map_has_many_associations(resource, options.delete(:has_many), options) if options[:has_many]
-
-        path_prefix = "#{options.delete(:path_prefix)}#{resource.nesting_path_prefix}"
-        name_prefix = "#{options.delete(:name_prefix)}#{resource.nesting_name_prefix}"
-
-        Array(options[:has_one]).each do |association|
-          resource(association, options.slice(*INHERITABLE_OPTIONS).merge(:path_prefix => path_prefix, :name_prefix => name_prefix))
-        end
-      end
-
-      def map_has_many_associations(resource, associations, options)
-        case associations
-        when Hash
-          associations.each do |association,has_many|
-            map_has_many_associations(resource, association, options.merge(:has_many => has_many))
-          end
-        when Array
-          associations.each do |association|
-            map_has_many_associations(resource, association, options)
-          end
-        when Symbol, String
-          resources(associations, options.slice(*INHERITABLE_OPTIONS).merge(:path_prefix => resource.nesting_path_prefix, :name_prefix => resource.nesting_name_prefix, :has_many => options[:has_many]))
-        else
-        end
-      end
-
-      def map_collection_actions(map, resource)
-        resource.collection_methods.each do |method, actions|
-          actions.each do |action|
-            [method].flatten.each do |m|
-              action_path = resource.options[:path_names][action] if resource.options[:path_names].is_a?(Hash)
-              action_path ||= action
-
-              map_resource_routes(map, resource, action, "#{resource.path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.name_prefix}#{resource.plural}", m)
-            end
-          end
-        end
-      end
-
-      def map_default_collection_actions(map, resource)
-        index_route_name = "#{resource.name_prefix}#{resource.plural}"
-
-        if resource.uncountable?
-          index_route_name << "_index"
-        end
-
-        map_resource_routes(map, resource, :index, resource.path, index_route_name)
-        map_resource_routes(map, resource, :create, resource.path, index_route_name)
-      end
-
-      def map_default_singleton_actions(map, resource)
-        map_resource_routes(map, resource, :create, resource.path, "#{resource.shallow_name_prefix}#{resource.singular}")
-      end
-
-      def map_new_actions(map, resource)
-        resource.new_methods.each do |method, actions|
-          actions.each do |action|
-            route_path = resource.new_path
-            route_name = "new_#{resource.name_prefix}#{resource.singular}"
-
-            unless action == :new
-              route_path = "#{route_path}#{resource.action_separator}#{action}"
-              route_name = "#{action}_#{route_name}"
-            end
-
-            map_resource_routes(map, resource, action, route_path, route_name, method)
-          end
-        end
-      end
-
-      def map_member_actions(map, resource)
-        resource.member_methods.each do |method, actions|
-          actions.each do |action|
-            [method].flatten.each do |m|
-              action_path = resource.options[:path_names][action] if resource.options[:path_names].is_a?(Hash)
-              action_path ||= Base.resources_path_names[action] || action
-
-              map_resource_routes(map, resource, action, "#{resource.member_path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.shallow_name_prefix}#{resource.singular}", m, { :force_id => true })
-            end
-          end
-        end
-
-        route_path = "#{resource.shallow_name_prefix}#{resource.singular}"
-        map_resource_routes(map, resource, :show, resource.member_path, route_path)
-        map_resource_routes(map, resource, :update, resource.member_path, route_path)
-        map_resource_routes(map, resource, :destroy, resource.member_path, route_path)
-      end
-
-      def map_resource_routes(map, resource, action, route_path, route_name = nil, method = nil, resource_options = {} )
-        if resource.has_action?(action)
-          action_options = action_options_for(action, resource, method, resource_options)
-          formatted_route_path = "#{route_path}.:format"
-
-          if route_name && @set.named_routes[route_name.to_sym].nil?
-            map.named_route(route_name, formatted_route_path, action_options)
-          else
-            map.connect(formatted_route_path, action_options)
-          end
-        end
-      end
-
-      def add_conditions_for(conditions, method)
-        ({:conditions => conditions.dup}).tap do |options|
-          options[:conditions][:method] = method unless method == :any
-        end
-      end
-
-      def action_options_for(action, resource, method = nil, resource_options = {})
-        default_options = { :action => action.to_s }
-        require_id = !resource.kind_of?(SingletonResource)
-        force_id = resource_options[:force_id] && !resource.kind_of?(SingletonResource)
-
-        case default_options[:action]
-          when "index", "new"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements)
-          when "create";       default_options.merge(add_conditions_for(resource.conditions, method || :post)).merge(resource.requirements)
-          when "show", "edit"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements(require_id))
-          when "update";       default_options.merge(add_conditions_for(resource.conditions, method || :put)).merge(resource.requirements(require_id))
-          when "destroy";      default_options.merge(add_conditions_for(resource.conditions, method || :delete)).merge(resource.requirements(require_id))
-          else                 default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements(force_id))
-        end
-      end
-  end
-end