actionpack 3.0.0.beta3 → 3.0.0.beta4
- data/CHANGELOG +19 -0
- data/lib/abstract_controller.rb +1 -1
- data/lib/abstract_controller/asset_paths.rb +9 -0
- data/lib/abstract_controller/base.rb +5 -13
- data/lib/abstract_controller/callbacks.rb +1 -1
- data/lib/abstract_controller/helpers.rb +0 -1
- data/lib/abstract_controller/layouts.rb +3 -3
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/rendering.rb +1 -0
- data/lib/action_controller/base.rb +5 -1
- data/lib/action_controller/caching.rb +2 -3
- data/lib/action_controller/caching/actions.rb +1 -1
- data/lib/action_controller/caching/fragments.rb +1 -1
- data/lib/action_controller/caching/pages.rb +8 -8
- data/lib/action_controller/caching/sweeping.rb +1 -0
- data/lib/action_controller/deprecated/base.rb +10 -36
- data/lib/action_controller/metal.rb +45 -3
- data/lib/action_controller/metal/compatibility.rb +2 -2
- data/lib/action_controller/metal/helpers.rb +3 -3
- data/lib/action_controller/metal/http_authentication.rb +158 -0
- data/lib/action_controller/metal/instrumentation.rb +5 -5
- data/lib/action_controller/metal/rack_delegation.rb +4 -4
- data/lib/action_controller/metal/renderers.rb +3 -3
- data/lib/action_controller/metal/request_forgery_protection.rb +45 -74
- data/lib/action_controller/metal/responder.rb +1 -1
- data/lib/action_controller/metal/url_for.rb +8 -0
- data/lib/action_controller/railtie.rb +26 -39
- data/lib/action_controller/test_case.rb +147 -135
- data/lib/action_controller/vendor/html-scanner/html/tokenizer.rb +1 -0
- data/lib/action_dispatch.rb +0 -1
- data/lib/action_dispatch/http/parameters.rb +2 -1
- data/lib/action_dispatch/http/request.rb +19 -7
- data/lib/action_dispatch/http/response.rb +3 -33
- data/lib/action_dispatch/middleware/cookies.rb +44 -10
- data/lib/action_dispatch/middleware/flash.rb +11 -1
- data/lib/action_dispatch/middleware/params_parser.rb +3 -1
- data/lib/action_dispatch/middleware/session/abstract_store.rb +47 -83
- data/lib/action_dispatch/middleware/session/cookie_store.rb +19 -165
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +18 -12
- data/lib/action_dispatch/middleware/stack.rb +17 -67
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb +1 -1
- data/lib/action_dispatch/railtie.rb +0 -2
- data/lib/action_dispatch/routing/deprecated_mapper.rb +1 -0
- data/lib/action_dispatch/routing/mapper.rb +89 -23
- data/lib/action_dispatch/routing/route_set.rb +22 -16
- data/lib/action_dispatch/routing/url_for.rb +1 -1
- data/lib/action_dispatch/testing/assertions/routing.rb +1 -0
- data/lib/action_dispatch/testing/assertions/selector.rb +11 -7
- data/lib/action_dispatch/testing/test_process.rb +3 -2
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_view.rb +5 -1
- data/lib/action_view/base.rb +10 -4
- data/lib/action_view/helpers/active_model_helper.rb +1 -8
- data/lib/action_view/helpers/asset_tag_helper.rb +7 -4
- data/lib/action_view/helpers/cache_helper.rb +14 -14
- data/lib/action_view/helpers/capture_helper.rb +25 -6
- data/lib/action_view/helpers/date_helper.rb +33 -44
- data/lib/action_view/helpers/form_helper.rb +47 -27
- data/lib/action_view/helpers/form_options_helper.rb +26 -3
- data/lib/action_view/helpers/form_tag_helper.rb +8 -4
- data/lib/action_view/helpers/number_helper.rb +5 -2
- data/lib/action_view/helpers/prototype_helper.rb +1 -1
- data/lib/action_view/helpers/tag_helper.rb +1 -1
- data/lib/action_view/helpers/text_helper.rb +55 -46
- data/lib/action_view/helpers/translation_helper.rb +19 -8
- data/lib/action_view/helpers/url_helper.rb +2 -4
- data/lib/action_view/locale/en.yml +14 -14
- data/lib/action_view/lookup_context.rb +52 -22
- data/lib/action_view/paths.rb +1 -0
- data/lib/action_view/render/layouts.rb +3 -12
- data/lib/action_view/render/partials.rb +21 -10
- data/lib/action_view/render/rendering.rb +1 -1
- data/lib/action_view/template.rb +172 -26
- data/lib/action_view/template/error.rb +25 -27
- data/lib/action_view/template/handlers.rb +1 -1
- data/lib/action_view/template/handlers/erb.rb +92 -45
- data/lib/action_view/template/resolver.rb +4 -1
- data/lib/action_view/test_case.rb +105 -72
- data/lib/action_view/testing/resolvers.rb +43 -0
- metadata +62 -20
- data/lib/abstract_controller/assigns.rb +0 -21
- data/lib/action_dispatch/middleware/cascade.rb +0 -29
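--- a/data/lib/action_controller/metal/http_authentication.rb
+++ b/data/lib/action_controller/metal/http_authentication.rb
@@ -300,5 +300,163 @@ module ActionController
 end
 
 end
+
+# Makes it dead easy to do HTTP Token authentication.
+#
+# Simple Token example:
+#
+# class PostsController < ApplicationController
+# TOKEN = "secret"
+#
+# before_filter :authenticate, :except => [ :index ]
+#
+# def index
+# render :text => "Everyone can see me!"
+# end
+#
+# def edit
+# render :text => "I'm only accessible if you know the password"
+# end
+#
+# private
+# def authenticate
+# authenticate_or_request_with_http_token do |token, options|
+# token == TOKEN
+# end
+# end
+# end
+#
+#
+# Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
+# the regular HTML interface is protected by a session approach:
+#
+# class ApplicationController < ActionController::Base
+# before_filter :set_account, :authenticate
+#
+# protected
+# def set_account
+# @account = Account.find_by_url_name(request.subdomains.first)
+# end
+#
+# def authenticate
+# case request.format
+# when Mime::XML, Mime::ATOM
+# if user = authenticate_with_http_token { |t, o| @account.users.authenticate(t, o) }
+# @current_user = user
+# else
+# request_http_token_authentication
+# end
+# else
+# if session_authenticated?
+# @current_user = @account.users.find(session[:authenticated][:user_id])
+# else
+# redirect_to(login_url) and return false
+# end
+# end
+# end
+# end
+#
+#
+# In your integration tests, you can do something like this:
+#
+# def test_access_granted_from_xml
+# get(
+# "/notes/1.xml", nil,
+# :authorization => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
+# )
+#
+# assert_equal 200, status
+# end
+#
+#
+# On shared hosts, Apache sometimes doesn't pass authentication headers to
+# FCGI instances. If your environment matches this description and you cannot
+# authenticate, try this rule in your Apache setup:
+#
+# RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
+module Token
+
+extend self
+
+module ControllerMethods
+def authenticate_or_request_with_http_token(realm = "Application", &login_procedure)
+authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm)
+end
+
+def authenticate_with_http_token(&login_procedure)
+Token.authenticate(self, &login_procedure)
+end
+
+def request_http_token_authentication(realm = "Application")
+Token.authentication_request(self, realm)
+end
+end
+
+# If token Authorization header is present, call the login procedure with
+# the present token and options.
+#
+# controller - ActionController::Base instance for the current request.
+# login_procedure - Proc to call if a token is present. The Proc should
+# take 2 arguments:
+# authenticate(controller) { |token, options| ... }
+#
+# Returns the return value of `&login_procedure` if a token is found.
+# Returns nil if no token is found.
+def authenticate(controller, &login_procedure)
+token, options = token_and_options(controller.request)
+if !token.blank?
+login_procedure.call(token, options)
+end
+end
+
+# Parses the token and options out of the token authorization header. If
+# the header looks like this:
+# Authorization: Token token="abc", nonce="def"
+# Then the returned token is "abc", and the options is {:nonce => "def"}
+#
+# request - ActionController::Request instance with the current headers.
+#
+# Returns an Array of [String, Hash] if a token is present.
+# Returns nil if no token is found.
+def token_and_options(request)
+if header = request.authorization.to_s[/^Token (.*)/]
+values = $1.split(',').
+inject({}) do |memo, value|
+value.strip! # remove any spaces between commas and values
+key, value = value.split(/\=\"?/) # split key=value pairs
+value.chomp!('"') # chomp trailing " in value
+value.gsub!(/\\\"/, '"') # unescape remaining quotes
+memo.update(key => value)
+end
+[values.delete("token"), values.with_indifferent_access]
+end
+end
+
+# Encodes the given token and options into an Authorization header value.
+#
+# token - String token.
+# options - optional Hash of the options.
+#
+# Returns String.
+def encode_credentials(token, options = {})
+values = ["token=#{token.to_s.inspect}"]
+options.each do |key, value|
+values << "#{key}=#{value.to_s.inspect}"
+end
+"Token #{values * ", "}"
+end
+
+# Sets a WWW-Authenticate to let the client know a token is desired.
+#
+# controller - ActionController::Base instance for the outgoing response.
+# realm - String realm to use in the header.
+#
+# Returns nothing.
+def authentication_request(controller, realm)
+controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
+controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
+end
+end
+
 end
 end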
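Review bot: `token_and_options` raises NoMethodError on an `Authorization: Token` header whose entries carry no `=` (a bare `Token abc`, for instance): `key, value = value.split(/\=\"?/)` leaves `value` nil and the very next line `value.chomp!('"')` dereferences it, so a malformed client header turns into a 500 instead of the nil / 401 path the comment above promises. Guarding the pair right after the split with `next memo if value.nil?` (the `inject` block then simply keeps its accumulator) makes the parser total, and the `header` local assigned in the `if` is never read and can go. The match `/^Token (.*)/` should anchor with `\A`, since `^` in Ruby matches after any newline in the value rather than only at the start of the string. Separately, the example in the header comment compares `token == TOKEN` with plain string equality; a sentence pointing readers who copy it at a constant-time comparison for real credentials would be worth adding.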
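--- a/data/lib/action_controller/metal/instrumentation.rb
+++ b/data/lib/action_controller/metal/instrumentation.rb
@@ -23,9 +23,9 @@ module ActionController
 :path => (request.fullpath rescue "unknown")
 }
 
-ActiveSupport::Notifications.instrument("action_controller
+ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
 
-ActiveSupport::Notifications.instrument("action_controller
+ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
 result = super
 payload[:status] = response.status
 append_info_to_payload(payload)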
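--- a/data/lib/action_controller/metal/instrumentation.rb
+++ b/data/lib/action_controller/metal/instrumentation.rb
@@ -42,20 +42,20 @@ module ActionController
 end
 
 def send_file(path, options={})
-ActiveSupport::Notifications.instrument("action_controller
+ActiveSupport::Notifications.instrument("send_file.action_controller",
 options.merge(:path => path)) do
 super
 end
 end
 
 def send_data(data, options = {})
-ActiveSupport::Notifications.instrument("action_controller
+ActiveSupport::Notifications.instrument("send_data.action_controller", options) do
 super
 end
 end
 
 def redirect_to(*args)
-ActiveSupport::Notifications.instrument("action_controller
+ActiveSupport::Notifications.instrument("redirect_to.action_controller") do |payload|
 result = super
 payload[:status] = self.status
 payload[:location] = self.location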
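--- a/data/lib/action_controller/metal/rack_delegation.rb
+++ b/data/lib/action_controller/metal/rack_delegation.rb
@@ -8,10 +8,10 @@ module ActionController
 delegate :headers, :status=, :location=, :content_type=,
 :status, :location, :content_type, :to => "@_response"
 
-def dispatch(action, request)
-@_response
-@_response.request
-super
+def dispatch(action, request, response = ActionDispatch::Response.new)
+@_response ||= response
+@_response.request ||= request
+super(action, request)
 end
 
 def params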
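--- a/data/lib/action_controller/metal/renderers.rb
+++ b/data/lib/action_controller/metal/renderers.rb
@@ -71,7 +71,7 @@ module ActionController
 end
 
 add :json do |json, options|
-json = ActiveSupport::JSON.encode(json) unless json.respond_to?(:to_str)
+json = ActiveSupport::JSON.encode(json, options) unless json.respond_to?(:to_str)
 json = "#{options[:callback]}(#{json})" unless options[:callback].blank?
 self.content_type ||= Mime::JSON
 self.response_body = json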
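Review bot: The `:json` renderer now hands the complete render options hash to `ActiveSupport::JSON.encode`, so keys that belong to `render` itself (`:callback`, `:status`, `:layout`, `:content_type`) travel into the serializer alongside the serialization options; the `:js` and `:xml` renderers in the next hunk do the same with `to_js(options)` and `to_xml(options)`. Unless the encoder and those `to_*` methods are documented to ignore unknown keys, passing a copy with the render-only keys stripped, e.g. `ActiveSupport::JSON.encode(json, options.except(:callback, :status, :layout))`, keeps the two option namespaces from interfering. The unchanged `:callback` line wraps the body in whatever string the caller supplied and does no validation; since JSONP callback names commonly originate in a query parameter, a one-line comment stating that the caller must validate the callback (for example against `/\A[\w.$]+\z/`) before it reaches `render` would make that contract explicit.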
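--- a/data/lib/action_controller/metal/renderers.rb
+++ b/data/lib/action_controller/metal/renderers.rb
@@ -79,12 +79,12 @@ module ActionController
 
 add :js do |js, options|
 self.content_type ||= Mime::JS
-self.response_body = js.respond_to?(:to_js) ? js.to_js : js
+self.response_body = js.respond_to?(:to_js) ? js.to_js(options) : js
 end
 
 add :xml do |xml, options|
 self.content_type ||= Mime::XML
-self.response_body = xml.respond_to?(:to_xml) ? xml.to_xml : xml
+self.response_body = xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
 end
 
 add :update do |proc, options|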
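--- a/data/lib/action_controller/metal/request_forgery_protection.rb
+++ b/data/lib/action_controller/metal/request_forgery_protection.rb
@@ -4,62 +4,65 @@ module ActionController #:nodoc:
 class InvalidAuthenticityToken < ActionControllerError #:nodoc:
 end
 
+# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
+# web application, not a forged link from another site, is done by embedding a token based on a random
+# string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
+# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
+# requests are checked, so this will not protect your XML API (presumably you'll have a different
+# authentication scheme there anyway). Also, GET requests are not protected as these should be
+# idempotent anyway.
+#
+# This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
+# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
+# error message in production by editing public/422.html. A call to this method in ApplicationController is
+# generated by default in post-Rails 2.0 applications.
+#
+# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
+# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
+# include a hidden field named like that and set its value to what is returned by
+# <tt>form_authenticity_token</tt>.
+#
+# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
+# 1.x, add this to config/environments/test.rb:
+#
+# # Disable request forgery protection in test environment
+# config.action_controller.allow_forgery_protection = false
+#
+# == Learn more about CSRF (Cross-Site Request Forgery) attacks
+#
+# Here are some resources:
+# * http://isc.sans.org/diary.html?storyid=1750
+# * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+#
+# Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+# There are a few guidelines you should follow:
+#
+# * Keep your GET requests safe and idempotent. More reading material:
+# * http://www.xml.com/pub/a/2002/04/24/deviant.html
+# * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
+# for "Expires: at end of session"
+#
 module RequestForgeryProtection
 extend ActiveSupport::Concern
 
 include AbstractController::Helpers
+include AbstractController::Callbacks
 
 included do
 # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
 # sets it to <tt>:authenticity_token</tt> by default.
-
+config_accessor :request_forgery_protection_token
+self.request_forgery_protection_token ||= :authenticity_token
 
 # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
-
+config_accessor :allow_forgery_protection
+self.allow_forgery_protection = true if allow_forgery_protection.nil?
 
 helper_method :form_authenticity_token
 helper_method :protect_against_forgery?
 end
 
-# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
-# web application, not a forged link from another site, is done by embedding a token based on a random
-# string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
-# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
-# requests are checked, so this will not protect your XML API (presumably you'll have a different
-# authentication scheme there anyway). Also, GET requests are not protected as these should be
-# idempotent anyway.
-#
-# This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
-# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
-# error message in production by editing public/422.html. A call to this method in ApplicationController is
-# generated by default in post-Rails 2.0 applications.
-#
-# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
-# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
-# include a hidden field named like that and set its value to what is returned by
-# <tt>form_authenticity_token</tt>.
-#
-# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
-# 1.x, add this to config/environments/test.rb:
-#
-# # Disable request forgery protection in test environment
-# config.action_controller.allow_forgery_protection = false
-#
-# == Learn more about CSRF (Cross-Site Request Forgery) attacks
-#
-# Here are some resources:
-# * http://isc.sans.org/diary.html?storyid=1750
-# * http://en.wikipedia.org/wiki/Cross-site_request_forgery
-#
-# Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
-# There are a few guidelines you should follow:
-#
-# * Keep your GET requests safe and idempotent. More reading material:
-# * http://www.xml.com/pub/a/2002/04/24/deviant.html
-# * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
-# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
-# for "Expires: at end of session"
-#
 module ClassMethods
 # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
 #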
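Review bot: `self.allow_forgery_protection = true if allow_forgery_protection.nil?` in the `included` block deliberately differs from the `||=` used for the token name two lines above, because an explicit `false` has to survive, but nothing says so; a why-comment such as `# not ||= : an explicit false from the application config must survive` would stop the next reader from "simplifying" it back to `||=` and silently re-enabling the check. The context comment just above it, "Turned off by default only in test mode", now sits next to code whose own default is `true`; the test-environment default presumably comes from application configuration rather than from this module, so rewording the comment to say that (the moved header comment already points at config/environments/test.rb) keeps the two in agreement. `include AbstractController::Callbacks` is presumably what makes `before_filter` available to `protect_from_forgery` further down the file; a short note to that effect on the include line would help.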
@@ -79,22 +82,6 @@ module ActionController #:nodoc:
|
|
79
82
|
self.request_forgery_protection_token ||= :authenticity_token
|
80
83
|
before_filter :verify_authenticity_token, options
|
81
84
|
end
|
82
|
-
|
83
|
-
def request_forgery_protection_token
|
84
|
-
config.request_forgery_protection_token
|
85
|
-
end
|
86
|
-
|
87
|
-
def request_forgery_protection_token=(val)
|
88
|
-
config.request_forgery_protection_token = val
|
89
|
-
end
|
90
|
-
|
91
|
-
def allow_forgery_protection
|
92
|
-
config.allow_forgery_protection
|
93
|
-
end
|
94
|
-
|
95
|
-
def allow_forgery_protection=(val)
|
96
|
-
config.allow_forgery_protection = val
|
97
|
-
end
|
98
85
|
end
|
99
86
|
|
100
87
|
protected
|
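--- a/data/lib/action_controller/metal/request_forgery_protection.rb
+++ b/data/lib/action_controller/metal/request_forgery_protection.rb
@@ -104,22 +91,6 @@ module ActionController #:nodoc:
 before_filter :verify_authenticity_token, options
 end
 
-def request_forgery_protection_token
-config.request_forgery_protection_token
-end
-
-def request_forgery_protection_token=(val)
-config.request_forgery_protection_token = val
-end
-
-def allow_forgery_protection
-config.allow_forgery_protection
-end
-
-def allow_forgery_protection=(val)
-config.allow_forgery_protection = val
-end
-
 # The actual before_filter that is used. Modify this to change how you handle unverified requests.
 def verify_authenticity_token
 verified_request? || raise(ActionController::InvalidAuthenticityToken)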
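--- a/data/lib/action_controller/metal/request_forgery_protection.rb
+++ b/data/lib/action_controller/metal/request_forgery_protection.rb
@@ -146,7 +117,7 @@ module ActionController #:nodoc:
 end
 
 def protect_against_forgery?
-
+allow_forgery_protection
 end
 end
 end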
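--- a/data/lib/action_controller/metal/url_for.rb
+++ b/data/lib/action_controller/metal/url_for.rb
@@ -16,5 +16,13 @@ module ActionController
 raise "In order to use #url_for, you must include the helpers of a particular " \
 "router. For instance, `include Rails.application.routes.url_helpers"
 end
+
+module ClassMethods
+def action_methods
+@action_methods ||= begin
+super - _router.named_routes.helper_names
+end
+end
+end
 end
 end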
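Review bot: `action_methods` memoizes the subtraction in `@action_methods` on first call, so route helper names that appear after that call (routes drawn later, or redrawn on reload in development) are not removed from the action set; whether the named routes are already final at the point of first use cannot be confirmed from this hunk, and it deserves a comment either way. The purpose appears to be to keep URL helpers mixed into the controller from being reachable as actions, which is a security-relevant exclusion, so a why-comment such as `# URL helpers are mixed into the controller; keep them out of the set of routable actions` would make both the intent and the caching assumption visible. The `begin … end` around a single expression can be dropped: `@action_methods ||= super - _router.named_routes.helper_names`.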
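--- a/data/lib/action_controller/railtie.rb
+++ b/data/lib/action_controller/railtie.rb
@@ -13,64 +13,51 @@ module ActionController
 class Railtie < Rails::Railtie
 config.action_controller = ActiveSupport::OrderedOptions.new
 
-
-
-
-
-
-end
+config.action_controller.singleton_class.tap do |d|
+d.send(:define_method, :session) do
+ActiveSupport::Deprecation.warn "config.action_controller.session has been deprecated. " <<
+"Please use Rails.application.config.session_store instead.", caller
+end
 
-
-
-
-
-end
+d.send(:define_method, :session=) do |val|
+ActiveSupport::Deprecation.warn "config.action_controller.session= has been deprecated. " <<
+"Please use config.session_store(name, options) instead.", caller
+end
 
-
-
-
-
-end
+d.send(:define_method, :session_store) do
+ActiveSupport::Deprecation.warn "config.action_controller.session_store has been deprecated. " <<
+"Please use Rails.application.config.session_store instead.", caller
+end
 
-
-
-
-
+d.send(:define_method, :session_store=) do |val|
+ActiveSupport::Deprecation.warn "config.action_controller.session_store= has been deprecated. " <<
+"Please use config.session_store(name, options) instead.", caller
+end
 end
 
 log_subscriber :action_controller, ActionController::Railties::LogSubscriber.new
 
-initializer "action_controller.logger" do
-ActiveSupport.on_load(:action_controller) { self.logger ||= Rails.logger }
-end
-
-initializer "action_controller.page_cache_directory" do
-ActiveSupport.on_load(:action_controller) do
-self.page_cache_directory = Rails.public_path
-end
-end
-
 initializer "action_controller.set_configs" do |app|
 paths = app.config.paths
 ac = app.config.action_controller
 
-ac.assets_dir
-ac.javascripts_dir
-ac.stylesheets_dir
+ac.assets_dir ||= paths.public.to_a.first
+ac.javascripts_dir ||= paths.public.javascripts.to_a.first
+ac.stylesheets_dir ||= paths.public.stylesheets.to_a.first
+ac.page_cache_directory ||= paths.public.to_a.first
+ac.helpers_path ||= paths.app.helpers.to_a
 
 ActiveSupport.on_load(:action_controller) do
 self.config.merge!(ac)
 end
 end
 
-initializer "action_controller.
-ActiveSupport.on_load(:action_controller) { self.
+initializer "action_controller.logger" do
+ActiveSupport.on_load(:action_controller) { self.logger ||= Rails.logger }
 end
 
-initializer "action_controller.
-ActiveSupport.on_load(:action_controller)
-self.helpers_path = app.config.paths.app.helpers.to_a
-end
+initializer "action_controller.initialize_framework_caches" do
+ActiveSupport.on_load(:action_controller) { self.cache_store ||= RAILS_CACHE }
 end
 
 initializer "action_controller.url_helpers" do |app|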
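Review bot: The four `d.send(:define_method, …)` shims inside `config.action_controller.singleton_class.tap` are the same three lines repeated with only the accessor name varying, which invites the four warning messages drifting apart the next time one is edited; a single loop over the two accessor names produces identical methods and messages (sketch below). A one-line comment above the `tap` block saying that these exist only so applications written against the previous beta still boot with a deprecation warning would also tell a reader why a Railtie is defining methods on a config object. In `set_configs`, `page_cache_directory` and `helpers_path` are now seeded with `||=`, so a value the application set earlier wins where the removed initializers assigned unconditionally; that is presumably intentional, but it is a behaviour change worth a comment on those lines.
```ruby
config.action_controller.singleton_class.tap do |d|
  [:session, :session_store].each do |name|
    d.send(:define_method, name) do
      ActiveSupport::Deprecation.warn "config.action_controller.#{name} has been deprecated. " <<
        "Please use Rails.application.config.session_store instead.", caller
    end

    d.send(:define_method, :"#{name}=") do |val|
      ActiveSupport::Deprecation.warn "config.action_controller.#{name}= has been deprecated. " <<
        "Please use config.session_store(name, options) instead.", caller
    end
  end
end
# … unchanged: log_subscriber and the initializers …
```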