actionpack 2.3.18 → 3.0.0.beta

data/lib/action_controller/metal/rendering.rb

@@ -0,0 +1,69 @@
+module ActionController
+  module Rendering
+    extend ActiveSupport::Concern
+
+    included do
+      include AbstractController::Rendering
+      include AbstractController::LocalizedCache
+    end
+
+    def process_action(*)
+      self.formats = request.formats.map {|x| x.to_sym}
+      super
+    end
+
+    def render(*args)
+      if response_body
+        raise ::AbstractController::DoubleRenderError
+      end
+
+      args << {} unless args.last.is_a?(Hash)
+      super(*args)
+      self.content_type ||= args.last[:_template].mime_type.to_s
+      response_body
+    end
+
+    def render_to_body(options)
+      _process_options(options)
+      super
+    end
+
+    private
+
+      def _render_partial(options)
+        options[:partial] = action_name if options[:partial] == true
+        options[:_details] = {:formats => formats}
+        super
+      end
+
+      def format_for_text
+        formats.first
+      end
+
+      def _process_options(options)
+        status, content_type, location = options.values_at(:status, :content_type, :location)
+        self.status = status if status
+        self.content_type = content_type if content_type
+        self.headers["Location"] = url_for(location) if location
+      end
+
+      def _normalize_options(action=nil, options={}, &blk)
+        case action
+        when NilClass
+        when Hash
+          options = super(action.delete(:action), action)
+        when String, Symbol
+          options = super
+        else
+          options.merge! :partial => action
+        end
+
+        if options[:status]
+          options[:status] = Rack::Utils.status_code(options[:status])
+        end
+
+        options[:update] = blk if block_given?
+        options
+      end
+  end
+end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -0,0 +1,115 @@
+require 'active_support/core_ext/class/attribute'
+
+module ActionController #:nodoc:
+  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+  end
+
+  module RequestForgeryProtection
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers
+
+    included do
+      # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
+      # sets it to <tt>:authenticity_token</tt> by default.
+      cattr_accessor :request_forgery_protection_token
+
+      # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+      class_attribute :allow_forgery_protection
+      self.allow_forgery_protection = true
+
+      helper_method :form_authenticity_token
+      helper_method :protect_against_forgery?
+    end
+
+    # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
+    # web application, not a forged link from another site, is done by embedding a token based on a random
+    # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
+    # by Rails and then verifying the authenticity of that token in the controller.  Only HTML/JavaScript
+    # requests are checked, so this will not protect your XML API (presumably you'll have a different
+    # authentication scheme there anyway).  Also, GET requests are not protected as these should be
+    # idempotent anyway.
+    #
+    # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
+    # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
+    # error message in production by editing public/422.html.  A call to this method in ApplicationController is
+    # generated by default in post-Rails 2.0 applications.
+    #
+    # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
+    # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
+    # include a hidden field named like that and set its value to what is returned by
+    # <tt>form_authenticity_token</tt>.
+    #
+    # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
+    # 1.x, add this to config/environments/test.rb:
+    #
+    #   # Disable request forgery protection in test environment
+    #   config.action_controller.allow_forgery_protection = false
+    #
+    # == Learn more about CSRF (Cross-Site Request Forgery) attacks
+    #
+    # Here are some resources:
+    # * http://isc.sans.org/diary.html?storyid=1750
+    # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+    # There are a few guidelines you should follow:
+    #
+    # * Keep your GET requests safe and idempotent.  More reading material:
+    #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
+    #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+    #   * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look
+    #     for "Expires: at end of session"
+    #
+    module ClassMethods
+      # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
+      #
+      # Example:
+      #
+      #   class FooController < ApplicationController
+      #     protect_from_forgery :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
+      #   end
+      #
+      # Valid Options:
+      #
+      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, options
+      end
+    end
+
+    protected
+      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+      def verify_authenticity_token
+        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+      end
+
+      # Returns true or false if a request is verified.  Checks:
+      #
+      # * is the format restricted?  By default, only HTML requests are checked.
+      # * is it a GET request?  Gets should be safe and idempotent
+      # * Does the form_authenticity_token match the given token value from the params?
+      def verified_request?
+        !protect_against_forgery? || request.forgery_whitelisted? ||
+          form_authenticity_token == params[request_forgery_protection_token]
+      end
+
+      # Sets the token value for the current session.
+      def form_authenticity_token
+        session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
+      end
+
+      # The form's authenticity parameter. Override to provide your own.
+      def form_authenticity_param
+        params[request_forgery_protection_token]
+      end
+
+      def protect_against_forgery?
+        self.class.allow_forgery_protection
+      end
+  end
+end

data/lib/action_controller/metal/rescue.rb

@@ -0,0 +1,13 @@
+module ActionController #:nodoc:
+  module Rescue
+    extend ActiveSupport::Concern
+    include ActiveSupport::Rescuable
+
+    private
+      def process_action(*args)
+        super
+      rescue Exception => exception
+        rescue_with_handler(exception) || raise(exception)
+      end
+  end
+end

data/lib/action_controller/metal/responder.rb

@@ -0,0 +1,220 @@
+module ActionController #:nodoc:
+  # Responder is responsible for exposing a resource to different mime requests,
+  # usually depending on the HTTP verb. The responder is triggered when
+  # <code>respond_with</code> is called. The simplest case to study is a GET request:
+  #
+  #   class PeopleController < ApplicationController
+  #     respond_to :html, :xml, :json
+  #
+  #     def index
+  #       @people = Person.find(:all)
+  #       respond_with(@people)
+  #     end
+  #   end
+  #
+  # When a request comes in, for example for an XML response, three steps happen:
+  #
+  #   1) the responder searches for a template at people/index.xml;
+  #
+  #   2) if the template is not available, it will invoke <code>#to_xml</code> on the given resource;
+  #
+  #   3) if the responder does not <code>respond_to :to_xml</code>, call <code>#to_format</code> on it.
+  #
+  # === Builtin HTTP verb semantics
+  #
+  # The default Rails responder holds semantics for each HTTP verb. Depending on the
+  # content type, verb and the resource status, it will behave differently.
+  #
+  # Using Rails default responder, a POST request for creating an object could
+  # be written as:
+  #
+  #   def create
+  #     @user = User.new(params[:user])
+  #     flash[:notice] = 'User was successfully created.' if @user.save
+  #     respond_with(@user)
+  #   end
+  #
+  # Which is exactly the same as:
+  #
+  #   def create
+  #     @user = User.new(params[:user])
+  #
+  #     respond_to do |format|
+  #       if @user.save
+  #         flash[:notice] = 'User was successfully created.'
+  #         format.html { redirect_to(@user) }
+  #         format.xml { render :xml => @user, :status => :created, :location => @user }
+  #       else
+  #         format.html { render :action => "new" }
+  #         format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
+  #       end
+  #     end
+  #   end
+  #
+  # The same happens for PUT and DELETE requests.
+  #
+  # === Nested resources
+  #
+  # You can supply nested resources as you do in <code>form_for</code> and <code>polymorphic_url</code>.
+  # Consider the project has many tasks example. The create action for
+  # TasksController would be like:
+  #
+  #   def create
+  #     @project = Project.find(params[:project_id])
+  #     @task = @project.comments.build(params[:task])
+  #     flash[:notice] = 'Task was successfully created.' if @task.save
+  #     respond_with(@project, @task)
+  #   end
+  #
+  # Giving an array of resources, you ensure that the responder will redirect to
+  # <code>project_task_url</code> instead of <code>task_url</code>.
+  #
+  # Namespaced and singleton resources require a symbol to be given, as in
+  # polymorphic urls. If a project has one manager which has many tasks, it
+  # should be invoked as:
+  #
+  #   respond_with(@project, :manager, @task)
+  #
+  # Check <code>polymorphic_url</code> documentation for more examples.
+  #
+  class Responder
+    attr_reader :controller, :request, :format, :resource, :resources, :options
+
+    ACTIONS_FOR_VERBS = {
+      :post => :new,
+      :put => :edit
+    }
+
+    def initialize(controller, resources, options={})
+      @controller = controller
+      @request = controller.request
+      @format = controller.formats.first
+      @resource = resources.is_a?(Array) ? resources.last : resources
+      @resources = resources
+      @options = options
+      @action = options.delete(:action)
+      @default_response = options.delete(:default_response)
+    end
+
+    delegate :head, :render, :redirect_to,   :to => :controller
+    delegate :get?, :post?, :put?, :delete?, :to => :request
+
+    # Undefine :to_json and :to_yaml since it's defined on Object
+    undef_method(:to_json) if method_defined?(:to_json)
+    undef_method(:to_yaml) if method_defined?(:to_yaml)
+
+    # Initializes a new responder an invoke the proper format. If the format is
+    # not defined, call to_format.
+    #
+    def self.call(*args)
+      new(*args).respond
+    end
+
+    # Main entry point for responder responsible to dispatch to the proper format.
+    #
+    def respond
+      method = :"to_#{format}"
+      respond_to?(method) ? send(method) : to_format
+    end
+
+    # HTML format does not render the resource, it always attempt to render a
+    # template.
+    #
+    def to_html
+      default_render
+    rescue ActionView::MissingTemplate => e
+      navigation_behavior(e)
+    end
+
+    # All other formats follow the procedure below. First we try to render a
+    # template, if the template is not available, we verify if the resource
+    # responds to :to_format and display it.
+    #
+    def to_format
+      default_render
+    rescue ActionView::MissingTemplate => e
+      raise unless resourceful?
+      api_behavior(e)
+    end
+
+  protected
+
+    # This is the common behavior for "navigation" requests, like :html, :iphone and so forth.
+    def navigation_behavior(error)
+      if get?
+        raise error
+      elsif has_errors? && default_action
+        render :action => default_action
+      else
+        redirect_to resource_location
+      end
+    end
+
+    # This is the common behavior for "API" requests, like :xml and :json.
+    def api_behavior(error)
+      if get?
+        display resource
+      elsif has_errors?
+        display resource.errors, :status => :unprocessable_entity
+      elsif post?
+        display resource, :status => :created, :location => resource_location
+      else
+        head :ok
+      end
+    end
+
+    # Checks whether the resource responds to the current format or not.
+    #
+    def resourceful?
+      resource.respond_to?(:"to_#{format}")
+    end
+
+    # Returns the resource location by retrieving it from the options or
+    # returning the resources array.
+    #
+    def resource_location
+      options[:location] || resources
+    end
+
+    # If a given response block was given, use it, otherwise call render on
+    # controller.
+    #
+    def default_render
+      @default_response.call
+    end
+
+    # Display is just a shortcut to render a resource with the current format.
+    #
+    #   display @user, :status => :ok
+    #
+    # For XML requests it's equivalent to:
+    #
+    #   render :xml => @user, :status => :ok
+    #
+    # Options sent by the user are also used:
+    #
+    #   respond_with(@user, :status => :created)
+    #   display(@user, :status => :ok)
+    #
+    # Results in:
+    #
+    #   render :xml => @user, :status => :created
+    #
+    def display(resource, given_options={})
+      controller.render given_options.merge!(options).merge!(format => resource)
+    end
+
+    # Check whether the resource has errors.
+    #
+    def has_errors?
+      resource.respond_to?(:errors) && !resource.errors.empty?
+    end
+
+    # By default, render the <code>:edit</code> action for HTML requests with failure, unless
+    # the verb is POST.
+    #
+    def default_action
+      @action ||= ACTIONS_FOR_VERBS[request.method]
+    end
+  end
+end

data/lib/action_controller/{session_management.rb → metal/session_management.rb}

@@ -1,10 +1,8 @@
 module ActionController #:nodoc:
   module SessionManagement #:nodoc:
-    def self.included(base)
-      base.class_eval do
-        extend ClassMethods
-      end
-    end
+    extend ActiveSupport::Concern
+
+    include ActionController::Configuration
 
     module ClassMethods
       # Set the session store to be used for keeping the session data between requests.
@@ -16,7 +14,7 @@ module ActionController #:nodoc:
           self.session_store = ActiveRecord::SessionStore
         else
           @@session_store = store.is_a?(Symbol) ?
-            Session.const_get(store.to_s.camelize) :
+            ActionDispatch::Session.const_get(store.to_s.camelize) :
             store
         end
       end
@@ -26,7 +24,7 @@ module ActionController #:nodoc:
         if defined? @@session_store
           @@session_store
         else
-          Session::CookieStore
+          ActionDispatch::Session::CookieStore
         end
       end
 
@@ -35,13 +33,6 @@ module ActionController #:nodoc:
         session_options.merge!(options)
       end
 
-      # Returns the hash used to configure the session. Example use:
-      #
-      #   ActionController::Base.session_options[:secure] = true # session only available over HTTPS
-      def session_options
-        @session_options ||= {}
-      end
-
       def session(*args)
         ActiveSupport::Deprecation.warn(
           "Disabling sessions for a single controller has been deprecated. " +