actionpack 3.0.1 → 3.0.2

data/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -17,7 +17,7 @@ module ActionDispatch
     #
     # == Usage within the framework
     #
-    # Polymorphic URL helpers are used in a number of places throughout the Rails framework:
+    # Polymorphic URL helpers are used in a number of places throughout the \Rails framework:
     #
     # * <tt>url_for</tt>, so you can use it with a record as the argument, e.g.
     #   <tt>url_for(@article)</tt>;

data/lib/action_dispatch/routing/route.rb

@@ -34,7 +34,8 @@ module ActionDispatch
         if method = conditions[:request_method]
           case method
           when Regexp
-            method.source.upcase
+            source = method.source.upcase
+            source =~ /\A\^[-A-Z|]+\$\Z/ ? source[1..-2] : source
           else
             method.to_s.upcase
           end

data/lib/action_dispatch/routing/url_for.rb

@@ -1,6 +1,6 @@
 module ActionDispatch
   module Routing
-    # In <b>routes.rb</b> one defines URL-to-controller mappings, but the reverse
+    # In <tt>config/routes.rb</tt> you define URL-to-controller mappings, but the reverse
     # is also possible: an URL can be generated from one of your routing definitions.
     # URL generation functionality is centralized in this module.
     #
@@ -12,15 +12,14 @@ module ActionDispatch
     #
     # == URL generation from parameters
     #
-    # As you may know, some functions - such as ActionController::Base#url_for
+    # As you may know, some functions, such as ActionController::Base#url_for
     # and ActionView::Helpers::UrlHelper#link_to, can generate URLs given a set
     # of parameters. For example, you've probably had the chance to write code
     # like this in one of your views:
     #
     #   <%= link_to('Click here', :controller => 'users',
     #           :action => 'new', :message => 'Welcome!') %>
-    #
-    #   # Generates a link to /users/new?message=Welcome%21
+    #   # => "/users/new?message=Welcome%21"
     #
     # link_to, and all other functions that require URL generation functionality,
     # actually use ActionController::UrlFor under the hood. And in particular,
@@ -61,7 +60,7 @@ module ActionDispatch
     #
     # UrlFor also allows one to access methods that have been auto-generated from
     # named routes. For example, suppose that you have a 'users' resource in your
-    # <b>routes.rb</b>:
+    # <tt>config/routes.rb</tt>:
     #
     #   resources :users
     #

data/lib/action_dispatch/testing/integration.rb

@@ -115,8 +115,8 @@ module ActionDispatch
       end
     end
 
-    # An integration Session instance represents a set of requests and responses
-    # performed sequentially by some virtual user. Because you can instantiate
+    # An instance of this class represents a set of requests and responses
+    # performed sequentially by a test process. Because you can instantiate
     # multiple sessions and run them side-by-side, you can also mimic (to some
     # limited extent) multiple simultaneous users interacting with your system.
     #
@@ -257,12 +257,14 @@ module ActionDispatch
             end
           end
 
+          hostname, port = host.split(':')
+
           env = {
             :method => method,
             :params => parameters,
 
-            "SERVER_NAME"     => host.split(':')[0],
-            "SERVER_PORT"     => (https? ? "443" : "80"),
+            "SERVER_NAME"     => hostname,
+            "SERVER_PORT"     => port || (https? ? "443" : "80"),
             "HTTPS"           => https? ? "on" : "off",
             "rack.url_scheme" => https? ? "https" : "http",
 
@@ -373,12 +375,12 @@ module ActionDispatch
     end
   end
 
-  # An IntegrationTest is one that spans multiple controllers and actions,
+  # An test that spans multiple controllers and actions,
   # tying them all together to ensure they work together as expected. It tests
   # more completely than either unit or functional tests do, exercising the
   # entire stack, from the dispatcher to the database.
   #
-  # At its simplest, you simply extend IntegrationTest and write your tests
+  # At its simplest, you simply extend <tt>IntegrationTest</tt> and write your tests
   # using the get/post methods:
   #
   #   require "test_helper"
@@ -403,7 +405,7 @@ module ActionDispatch
   # However, you can also have multiple session instances open per test, and
   # even extend those instances with assertions and methods to create a very
   # powerful testing DSL that is specific for your application. You can even
-  # reference any named routes you happen to have defined!
+  # reference any named routes you happen to have defined.
   #
   #   require "test_helper"
   #

data/lib/action_pack/version.rb

@@ -2,8 +2,8 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 1
-
+    TINY  = 2
+    
     STRING = [MAJOR, MINOR, TINY].join('.')
   end
 end

data/lib/action_view/base.rb

@@ -156,7 +156,7 @@ module ActionView #:nodoc:
   #
   # This refreshes the sidebar, removes a person element and highlights the user list.
   #
-  # See the ActionView::Helpers::PrototypeHelper::GeneratorMethods documentation for more details.
+  # See the ActionView::Helpers::PrototypeHelper::JavaScriptGenerator::GeneratorMethods documentation for more details.
   class Base
     module Subclasses
     end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -836,7 +836,7 @@ module ActionView
 
         def expand_javascript_sources(sources, recursive = false)
           if sources.include?(:all)
-            all_javascript_files = collect_asset_files(config.javascripts_dir, ('**' if recursive), '*.js')
+            all_javascript_files = (collect_asset_files(config.javascripts_dir, ('**' if recursive), '*.js') - ['application']) << 'application'
             ((determine_source(:defaults, @@javascript_expansions).dup & all_javascript_files) + all_javascript_files).uniq
           else
             expanded_sources = sources.collect do |source|

data/lib/action_view/helpers/capture_helper.rb

@@ -1,4 +1,5 @@
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Capture Helper
@@ -38,7 +39,7 @@ module ActionView
         value = nil
         buffer = with_output_buffer { value = yield(*args) }
         if string = buffer.presence || value and string.is_a?(String)
-          NonConcattingString.new(string)
+          NonConcattingString.new(ERB::Util.html_escape(string))
         end
       end
 

data/lib/action_view/helpers/date_helper.rb

@@ -893,6 +893,8 @@ module ActionView
         # Returns the separator for a given datetime component
         def separator(type)
           case type
+            when :year
+              @options[:discard_year] ? "" : @options[:date_separator]
             when :month
               @options[:discard_month] ? "" : @options[:date_separator]
             when :day

data/lib/action_view/helpers/form_helper.rb

@@ -202,6 +202,12 @@ module ActionView
       #     ...
       #   <% end %>
       #
+      # You can also set the answer format, like this:
+      #
+      #   <%= form_for(@post, :format => :json) do |f| %>
+      #     ...
+      #   <% end %>
+      #
       # If you have an object that needs to be represented as a different
       # parameter, like a Client that acts as a Person:
       #
@@ -332,7 +338,9 @@ module ActionView
 
         options[:html] ||= {}
         options[:html].reverse_merge!(html_options)
-        options[:url] ||= polymorphic_path(object_or_array)
+        options[:url] ||= options[:format] ? \
+          polymorphic_path(object_or_array, :format => options.delete(:format)) : \
+          polymorphic_path(object_or_array)
       end
 
       # Creates a scope around a specific model object like form_for, but
@@ -803,7 +811,7 @@ module ActionView
           options["incremental"] = true unless options.has_key?("incremental")
         end
 
-        InstanceTag.new(object_name, method, self, options.delete(:object)).to_input_field_tag("search", options)
+        InstanceTag.new(object_name, method, self, options.delete("object")).to_input_field_tag("search", options)
       end
 
       # Returns a text_field of type "tel".
@@ -1006,14 +1014,9 @@ module ActionView
 
         def value_before_type_cast(object, method_name)
           unless object.nil?
-            if object.respond_to?(method_name)
-              object.send(method_name)
-            # FIXME: this is AR dependent
-            elsif object.respond_to?(method_name + "_before_type_cast")
-              object.send(method_name + "_before_type_cast")
-            else
-              raise NoMethodError, "Model #{object.class} does not respond to #{method_name}"
-            end
+            object.respond_to?(method_name + "_before_type_cast") ?
+            object.send(method_name + "_before_type_cast") :
+            object.send(method_name)
           end
         end
 
@@ -1258,11 +1261,11 @@ module ActionView
 
           if association.respond_to?(:persisted?)
             association = [association] if @object.send(association_name).is_a?(Array)
-          elsif !association.is_a?(Array)
+          elsif !association.respond_to?(:to_ary)
             association = @object.send(association_name)
           end
 
-          if association.is_a?(Array)
+          if association.respond_to?(:to_ary)
             explicit_child_index = options[:child_index]
             output = ActiveSupport::SafeBuffer.new
             association.each do |child|

data/lib/action_view/helpers/form_options_helper.rb

@@ -395,12 +395,12 @@ module ActionView
       # <b>Note:</b> Only the <tt><optgroup></tt> and <tt><option></tt> tags are returned, so you still have to
       # wrap the output in an appropriate <tt><select></tt> tag.
       def option_groups_from_collection_for_select(collection, group_method, group_label_method, option_key_method, option_value_method, selected_key = nil)
-        collection.inject("") do |options_for_select, group|
+        collection.map do |group|
           group_label_string = eval("group.#{group_label_method}")
-          options_for_select += "<optgroup label=\"#{html_escape(group_label_string)}\">"
-          options_for_select += options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key)
-          options_for_select += '</optgroup>'
-        end.html_safe
+          "<optgroup label=\"#{html_escape(group_label_string)}\">" +
+            options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key) +
+            '</optgroup>'
+        end.join.html_safe
       end
 
       # Returns a string of <tt><option></tt> tags, like <tt>options_for_select</tt>, but

data/lib/action_view/helpers/javascript_helper.rb

@@ -65,7 +65,8 @@ module ActionView
       #   //]]>
       #   </script>
       #
-      # +html_options+ may be a hash of attributes for the <script> tag. Example:
+      # +html_options+ may be a hash of attributes for the <tt>\<script></tt> tag.
+      # Example:
       #   javascript_tag "alert('All is good')", :defer => 'defer'
       #   # => <script defer="defer" type="text/javascript">alert('All is good')</script>
       #

data/lib/action_view/helpers/number_helper.rb

@@ -14,7 +14,7 @@ module ActionView
     # unchanged if can't be converted into a valid number.
     module NumberHelper
 
-      DEFAULT_CURRENCY_VALUES = { :format => "%u%n", :unit => "$", :separator => ".", :delimiter => ",",
+      DEFAULT_CURRENCY_VALUES = { :format => "%u%n", :negative_format => "-%u%n", :unit => "$", :separator => ".", :delimiter => ",",
                                   :precision => 2, :significant => false, :strip_insignificant_zeros => false }
 
       # Raised when argument +number+ param given to the helpers is invalid and
@@ -83,15 +83,18 @@ module ActionView
       # in the +options+ hash.
       #
       # ==== Options
-      # * <tt>:locale</tt>     -  Sets the locale to be used for formatting (defaults to current locale).
-      # * <tt>:precision</tt>  -  Sets the level of precision (defaults to 2).
-      # * <tt>:unit</tt>       - Sets the denomination of the currency (defaults to "$").
-      # * <tt>:separator</tt>  - Sets the separator between the units (defaults to ".").
-      # * <tt>:delimiter</tt>  - Sets the thousands delimiter (defaults to ",").
-      # * <tt>:format</tt>     - Sets the format of the output string (defaults to "%u%n"). The field types are:
-      #
-      #     %u  The currency unit
-      #     %n  The number
+      # * <tt>:locale</tt>           - Sets the locale to be used for formatting (defaults to current locale).
+      # * <tt>:precision</tt>        - Sets the level of precision (defaults to 2).
+      # * <tt>:unit</tt>             - Sets the denomination of the currency (defaults to "$").
+      # * <tt>:separator</tt>        - Sets the separator between the units (defaults to ".").
+      # * <tt>:delimiter</tt>        - Sets the thousands delimiter (defaults to ",").
+      # * <tt>:format</tt>           - Sets the format for non-negative numbers (defaults to "%u%n").
+      #                                Fields are <tt>%u</tt> for the currency, and <tt>%n</tt>
+      #                                for the number.
+      # * <tt>:negative_format</tt>  - Sets the format for negative numbers (defaults to prepending
+      #                                an hyphen to the formatted number given by <tt>:format</tt>).
+      #                                Accepts the same fields than <tt>:format</tt>, except
+      #                                <tt>%n</tt> is here the absolute value of the number.
       #
       # ==== Examples
       #  number_to_currency(1234567890.50)                    # => $1,234,567,890.50
@@ -99,6 +102,8 @@ module ActionView
       #  number_to_currency(1234567890.506, :precision => 3)  # => $1,234,567,890.506
       #  number_to_currency(1234567890.506, :locale => :fr)   # => 1 234 567 890,506 €
       #
+      #  number_to_currency(1234567890.50, :negative_format => "(%u%n)")
+      #  # => ($1,234,567,890.51)
       #  number_to_currency(1234567890.50, :unit => "&pound;", :separator => ",", :delimiter => "")
       #  # => &pound;1234567890,50
       #  number_to_currency(1234567890.50, :unit => "&pound;", :separator => ",", :delimiter => "", :format => "%n %u")
@@ -112,11 +117,17 @@ module ActionView
         currency  = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
 
         defaults  = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
+        defaults[:negative_format] = "-" + options[:format] if options[:format]
         options   = defaults.merge!(options)
 
         unit      = options.delete(:unit)
         format    = options.delete(:format)
 
+        if number.to_f < 0
+          format = options.delete(:negative_format)
+          number = number.respond_to?("abs") ? number.abs : number.sub(/^-/, '')
+        end
+
         begin
           value = number_with_precision(number, options.merge(:raise => true))
           format.gsub(/%n/, value).gsub(/%u/, unit).html_safe
@@ -260,7 +271,7 @@ module ActionView
           if number == 0
             digits, rounded_number = 1, 0
           else
-            digits = (Math.log10(number) + 1).floor
+            digits = (Math.log10(number.abs) + 1).floor
             rounded_number = BigDecimal.new((number / 10 ** (digits - precision)).to_s).round.to_f * 10 ** (digits - precision)
           end
           precision = precision - digits
@@ -459,7 +470,7 @@ module ActionView
           raise ArgumentError, ":units must be a Hash or String translation scope."
         end.keys.map{|e_name| DECIMAL_UNITS.invert[e_name] }.sort_by{|e| -e}
 
-        number_exponent = Math.log10(number).floor
+        number_exponent = number != 0 ? Math.log10(number.abs).floor : 0
         display_exponent = unit_exponents.find{|e| number_exponent >= e }
         number  /= 10 ** display_exponent
 

data/lib/action_view/helpers/prototype_helper.rb

@@ -161,7 +161,7 @@ module ActionView
 
         # JavaScriptGenerator generates blocks of JavaScript code that allow you
         # to change the content and presentation of multiple DOM elements.  Use
-        # this in your Ajax response bodies, either in a <script> tag or as plain
+        # this in your Ajax response bodies, either in a <tt>\<script></tt> tag or as plain
         # JavaScript sent with a Content-type of "text/javascript".
         #
         # Create new instances with PrototypeHelper#update_page or with
@@ -224,7 +224,7 @@ module ActionView
         #
         # You can also use PrototypeHelper#update_page_tag instead of
         # PrototypeHelper#update_page to wrap the generated JavaScript in a
-        # <script> tag.
+        # <tt>\<script></tt> tag.
         module GeneratorMethods
           def to_s #:nodoc:
             (@lines * $/).tap do |javascript|
@@ -582,11 +582,11 @@ module ActionView
         JavaScriptGenerator.new(view_context, &block).to_s.html_safe
       end
 
-      # Works like update_page but wraps the generated JavaScript in a <script>
+      # Works like update_page but wraps the generated JavaScript in a <tt>\<script></tt>
       # tag. Use this to include generated JavaScript in an ERb template.
       # See JavaScriptGenerator for more information.
       #
-      # +html_options+ may be a hash of <script> attributes to be passed
+      # +html_options+ may be a hash of <tt>\<script></tt> attributes to be passed
       # to ActionView::Helpers::JavaScriptHelper#javascript_tag.
       def update_page_tag(html_options = {}, &block)
         javascript_tag update_page(&block), html_options

data/lib/action_view/helpers/text_helper.rb

@@ -9,6 +9,24 @@ module ActionView
     # and transforming strings, which can reduce the amount of inline Ruby code in
     # your views. These helper methods extend Action View making them callable
     # within your template files.
+    #
+    # ==== Sanitization
+    #
+    # Most text helpers by default sanitize the given content, but do not escape it.
+    # This means HTML tags will appear in the page but all malicious code will be removed.
+    # Let's look at some examples using the +simple_format+ method:
+    #
+    #   simple_format('<a href="http://example.com/">Example</a>')
+    #   # => "<p><a href=\"http://example.com/\">Example</a></p>"
+    #
+    #   simple_format('<a href="javascript:alert('no!')">Example</a>')
+    #   # => "<p><a>Example</a></p>"
+    #
+    # If you want to escape all content, you should invoke the +h+ method before
+    # calling the text helper.
+    #
+    #   simple_format h('<a href="http://example.com/">Example</a>')
+    #   # => "<p>&lt;a href=\"http://example.com/\"&gt;Example&lt;/a&gt;</p>"
     module TextHelper
       extend ActiveSupport::Concern
 

data/lib/action_view/helpers/url_helper.rb

@@ -13,7 +13,7 @@ module ActionView
     module UrlHelper
       # This helper may be included in any class that includes the
       # URL helpers of a routes (routes.url_helpers). Some methods
-      # provided here will only work in the4 context of a request
+      # provided here will only work in the context of a request
       # (link_to_unless_current, for instance), which must be provided
       # as a method called #request on the context.
 
@@ -235,13 +235,8 @@ module ActionView
           html_options = convert_options_to_data_attributes(options, html_options)
           url = url_for(options)
 
-          if html_options
-            html_options = html_options.stringify_keys
-            href = html_options['href']
-            tag_options = tag_options(html_options)
-          else
-            tag_options = nil
-          end
+          href = html_options['href']
+          tag_options = tag_options(html_options)
 
           href_attr = "href=\"#{html_escape(url)}\"" unless href
           "<a #{href_attr}#{tag_options}>#{html_escape(name || url)}</a>".html_safe
@@ -269,8 +264,9 @@ module ActionView
       # The +options+ hash accepts the same options as url_for.
       #
       # There are a few special +html_options+:
-      # * <tt>:method</tt> - Specifies the anchor name to be appended to the path.
-      # * <tt>:disabled</tt> - Specifies the anchor name to be appended to the path.
+      # * <tt>:method</tt> - Symbol of HTTP verb. Supported verbs are <tt>:post</tt>, <tt>:get</tt>, 
+      #   <tt>:delete</tt> and <tt>:put</tt>. By default it will be <tt>:post</tt>.
+      # * <tt>:disabled</tt> - If set to true, it will generate a disabled button.
       # * <tt>:confirm</tt> - This will use the unobtrusive JavaScript driver to
       #   prompt with the question specified. If the user accepts, the link is
       #   processed normally, otherwise no action is taken.
@@ -593,6 +589,7 @@ module ActionView
             html_options['data-remote'] = 'true'
           end
 
+          disable_with = html_options.delete("disable_with")
           confirm = html_options.delete("confirm")
 
           if html_options.key?("popup")
@@ -601,6 +598,7 @@ module ActionView
 
           method, href = html_options.delete("method"), html_options['href']
 
+          add_disable_with_to_attributes!(html_options, disable_with) if disable_with
           add_confirm_to_attributes!(html_options, confirm) if confirm
           add_method_to_attributes!(html_options, method)   if method
 
@@ -611,6 +609,10 @@ module ActionView
           html_options["data-confirm"] = confirm if confirm
         end
 
+        def add_disable_with_to_attributes!(html_options, disable_with)
+          html_options["data-disable-with"] = disable_with if disable_with
+        end
+
         def add_method_to_attributes!(html_options, method)
           html_options["rel"] = "nofollow" if method && method.to_s.downcase != "get"
           html_options["data-method"] = method if method