actionpack 3.0.20 → 3.1.0.beta1

data/lib/action_controller/metal/conditional_get.rb

@@ -6,7 +6,7 @@ module ActionController
     include Head
 
     # Sets the etag, last_modified, or both on the response and renders a
-    # "304 Not Modified" response if the request is already fresh.
+    # <tt>304 Not Modified</tt> response if the request is already fresh.
     #
     # Parameters:
     # * <tt>:etag</tt>
@@ -17,11 +17,11 @@ module ActionController
     #
     #   def show
     #     @article = Article.find(params[:id])
-    #     fresh_when(:etag => @article, :last_modified => @article.created_at.utc, :public => true)
+    #     fresh_when(:etag => @article, :last_modified => @article.created_at, :public => true)
     #   end
     #
     # This will render the show template if the request isn't sending a matching etag or
-    # If-Modified-Since header and just a "304 Not Modified" response if there's a match.
+    # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
     #
     def fresh_when(options)
       options.assert_valid_keys(:etag, :last_modified, :public)
@@ -36,7 +36,7 @@ module ActionController
     # Sets the etag and/or last_modified on the response and checks it against
     # the client request. If the request doesn't match the options provided, the
     # request is considered stale and should be generated from scratch. Otherwise,
-    # it's fresh and we don't need to generate anything and a reply of "304 Not Modified" is sent.
+    # it's fresh and we don't need to generate anything and a reply of <tt>304 Not Modified</tt> is sent.
     #
     # Parameters:
     # * <tt>:etag</tt>
@@ -48,7 +48,7 @@ module ActionController
     #   def show
     #     @article = Article.find(params[:id])
     #
-    #     if stale?(:etag => @article, :last_modified => @article.created_at.utc)
+    #     if stale?(:etag => @article, :last_modified => @article.created_at)
     #       @statistics = @article.really_expensive_call
     #       respond_to do |format|
     #         # all the supported formats
@@ -60,13 +60,13 @@ module ActionController
       !request.fresh?(response)
     end
 
-    # Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a "private" instruction, so that
-    # intermediate caches shouldn't cache the response.
+    # Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a <tt>private</tt> instruction, so that
+    # intermediate caches must not cache the response.
     #
     # Examples:
     #   expires_in 20.minutes
     #   expires_in 3.hours, :public => true
-    #   expires in 3.hours, 'max-stale' => 5.hours, :public => true
+    #   expires_in 3.hours, 'max-stale' => 5.hours, :public => true
     #
     # This method will overwrite an existing Cache-Control header.
     # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
@@ -77,7 +77,7 @@ module ActionController
       response.cache_control[:extras] = options.map {|k,v| "#{k}=#{v}"}
     end
 
-    # Sets a HTTP 1.1 Cache-Control header of "no-cache" so no caching should occur by the browser or
+    # Sets a HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should occur by the browser or
     # intermediate caches (like caching proxy servers).
     def expires_now #:doc:
       response.cache_control.replace(:no_cache => true)

data/lib/action_controller/metal/data_streaming.rb

@@ -0,0 +1,145 @@
+require 'active_support/core_ext/file/path'
+
+module ActionController #:nodoc:
+  # Methods for sending arbitrary data and for streaming files to the browser,
+  # instead of rendering.
+  module DataStreaming
+    extend ActiveSupport::Concern
+
+    include ActionController::Rendering
+
+    DEFAULT_SEND_FILE_OPTIONS = {
+      :type         => 'application/octet-stream'.freeze,
+      :disposition  => 'attachment'.freeze,
+    }.freeze
+
+    protected
+      # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
+      # via the Rack::Sendfile middleware. The header to use is set via
+      # config.action_dispatch.x_sendfile_header, and defaults to "X-Sendfile".
+      # Your server can also configure this for you by setting the X-Sendfile-Type header.
+      #
+      # Be careful to sanitize the path parameter if it is coming from a web
+      # page. <tt>send_file(params[:path])</tt> allows a malicious user to
+      # download any file on your server.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      #   Defaults to <tt>File.basename(path)</tt>.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
+      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser guess the filename from
+      #   the URL, which is necessary for i18n filenames on certain browsers
+      #   (setting <tt>:filename</tt> overrides this option).
+      #
+      # The default Content-Type and Content-Disposition headers are
+      # set to download arbitrary binary files in as many browsers as
+      # possible.  IE versions 4, 5, 5.5, and 6 are all known to have
+      # a variety of quirks (especially when downloading over SSL).
+      #
+      # Simple download:
+      #
+      #   send_file '/path/to.zip'
+      #
+      # Show a JPEG in the browser:
+      #
+      #   send_file '/path/to.jpeg', :type => 'image/jpeg', :disposition => 'inline'
+      #
+      # Show a 404 page in the browser:
+      #
+      #   send_file '/path/to/404.html', :type => 'text/html; charset=utf-8', :status => 404
+      #
+      # Read about the other Content-* HTTP headers if you'd like to
+      # provide the user with more information (such as Content-Description) in
+      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      #
+      # Also be aware that the document may be cached by proxies and browsers.
+      # The Pragma and Cache-Control headers declare how the file may be cached
+      # by intermediaries.  They default to require clients to validate with
+      # the server before releasing cached responses.  See
+      # http://www.mnot.net/cache_docs/ for an overview of web caching and
+      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+      # for the Cache-Control header spec.
+      def send_file(path, options = {}) #:doc:
+        raise MissingFile, "Cannot read file #{path}" unless File.file?(path) and File.readable?(path)
+
+        options[:filename] ||= File.basename(path) unless options[:url_based_filename]
+        send_file_headers! options
+
+        self.status = options[:status] || 200
+        self.content_type = options[:content_type] if options.key?(:content_type)
+        self.response_body = File.open(path, "rb")
+      end
+
+      # Sends the given binary data to the browser. This method is similar to
+      # <tt>render :text => data</tt>, but also allows you to specify whether
+      # the browser should display the response as a file attachment (i.e. in a
+      # download dialog) or as inline data. You may also set the content type,
+      # the apparent file name, and other things.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
+      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
+      #
+      # Generic data download:
+      #
+      #   send_data buffer
+      #
+      # Download a dynamically-generated tarball:
+      #
+      #   send_data generate_tgz('dir'), :filename => 'dir.tgz'
+      #
+      # Display an image Active Record in the browser:
+      #
+      #   send_data image.data, :type => image.content_type, :disposition => 'inline'
+      #
+      # See +send_file+ for more information on HTTP Content-* headers and caching.
+      def send_data(data, options = {}) #:doc:
+        send_file_headers! options.dup
+        render options.slice(:status, :content_type).merge(:text => data)
+      end
+
+    private
+      def send_file_headers!(options)
+        options.update(DEFAULT_SEND_FILE_OPTIONS.merge(options))
+        [:type, :disposition].each do |arg|
+          raise ArgumentError, ":#{arg} option required" if options[arg].nil?
+        end
+
+        disposition = options[:disposition]
+        disposition += %(; filename="#{options[:filename]}") if options[:filename]
+
+        content_type = options[:type]
+
+        if content_type.is_a?(Symbol)
+          extension = Mime[content_type]
+          raise ArgumentError, "Unknown MIME type #{options[:type]}" unless extension
+          self.content_type = extension
+        else
+          self.content_type = content_type
+        end
+
+        headers.merge!(
+          'Content-Disposition'       => disposition,
+          'Content-Transfer-Encoding' => 'binary'
+        )
+
+        response.sending_file = true
+
+        # Fix a problem with IE 6.0 on opening downloaded files:
+        # If Cache-Control: no-cache is set (which Rails does by default),
+        # IE removes the file it just downloaded from its cache immediately
+        # after it displays the "open/save" dialog, which means that if you
+        # hit "open" the file isn't there anymore when the application that
+        # is called for handling the download is run, so let's workaround that
+        response.cache_control[:public] ||= false
+      end
+  end
+end

data/lib/action_controller/metal/force_ssl.rb

@@ -0,0 +1,35 @@
+module ActionController
+  # This module provides a method which will redirects browser to use HTTPS
+  # protocol. This will ensure that user's sensitive information will be
+  # transferred safely over the internet. You _should_ always force browser
+  # to use HTTPS when you're transferring sensitive information such as
+  # user authentication, account information, or credit card information.
+  #
+  # Note that if you really concern about your application safety, you might
+  # consider using +config.force_ssl+ in your configuration config file instead.
+  # That will ensure all the data transferred via HTTPS protocol and prevent
+  # user from getting session hijacked when accessing the site under unsecured
+  # HTTP protocol.
+  module ForceSSL
+    extend ActiveSupport::Concern
+    include AbstractController::Callbacks
+
+    module ClassMethods
+      # Force the request to this particular controller or specified actions to be
+      # under HTTPS protocol.
+      #
+      # Note that this method will not be effective on development environment.
+      #
+      # ==== Options
+      # * <tt>only</tt>   - The callback should be run only for this action
+      # * <tt>except<tt>  - The callback should be run for all actions except this action
+      def force_ssl(options = {})
+        before_filter(options) do
+          if !request.ssl? && !Rails.env.development?
+            redirect_to :protocol => 'https://', :status => :moved_permanently
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/metal/head.rb

@@ -20,7 +20,7 @@ module ActionController
       location = options.delete(:location)
 
       options.each do |key, value|
-        headers[key.to_s.dasherize.split(/-/).map { |v| v.capitalize }.join("-")] = value.to_s
+        headers[key.to_s.dasherize.split('-').each { |v| v[0] = v[0].chr.upcase }.join('-')] = value.to_s
       end
 
       self.status = status

data/lib/action_controller/metal/helpers.rb

@@ -2,21 +2,21 @@ require 'active_support/core_ext/array/wrap'
 require 'active_support/core_ext/class/attribute'
 
 module ActionController
-  # The Rails framework provides a large number of helpers for working with +assets+, +dates+, +forms+,
-  # +numbers+ and model objects, to name a few. These helpers are available to all templates
+  # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
+  # numbers and model objects, to name a few. These helpers are available to all templates
   # by default.
   #
-  # In addition to using the standard template helpers provided in the Rails framework, creating custom helpers to
+  # In addition to using the standard template helpers provided, creating custom helpers to
   # extract complicated logic or reusable functionality is strongly encouraged. By default, the controller will
   # include a helper whose name matches that of the controller, e.g., <tt>MyController</tt> will automatically
   # include <tt>MyHelper</tt>.
   #
-  # Additional helpers can be specified using the +helper+ class method in <tt>ActionController::Base</tt> or any
+  # Additional helpers can be specified using the +helper+ class method in ActionController::Base or any
   # controller which inherits from it.
   #
   # ==== Examples
-  # The +to_s+ method from the Time class can be wrapped in a helper method to display a custom message if
-  # the Time object is blank:
+  # The +to_s+ method from the \Time class can be wrapped in a helper method to display a custom message if
+  # a \Time object is blank:
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message="&nbsp;")
@@ -53,30 +53,20 @@ module ActionController
     include AbstractController::Helpers
 
     included do
-      config_accessor :helpers_path
+      config_accessor :helpers_path, :include_all_helpers
       self.helpers_path ||= []
+      self.include_all_helpers = true
     end
 
     module ClassMethods
-      def helpers_dir
-        ActiveSupport::Deprecation.warn "helpers_dir is deprecated, use helpers_path instead", caller
-        self.helpers_path
-      end
-
-      def helpers_dir=(value)
-        ActiveSupport::Deprecation.warn "helpers_dir= is deprecated, use helpers_path= instead", caller
-        self.helpers_path = Array.wrap(value)
-      end
-
       # Declares helper accessors for controller attributes. For example, the
       # following adds new +name+ and <tt>name=</tt> instance methods to a
       # controller and makes them available to the view:
-      #   helper_attr :name
       #   attr_accessor :name
+      #   helper_attr :name
       #
       # ==== Parameters
-      # *attrs<Array[String, Symbol]>:: Names of attributes to be converted
-      #   into helpers.
+      # * <tt>attrs</tt> - Names of attributes to be converted into helpers.
       def helper_attr(*attrs)
         attrs.flatten.each { |attr| helper_method(attr, "#{attr}=") }
       end
@@ -86,32 +76,35 @@ module ActionController
         @helper_proxy ||= ActionView::Base.new.extend(_helpers)
       end
 
-      private
-        # Overwrite modules_for_helpers to accept :all as argument, which loads
-        # all helpers in helpers_dir.
-        #
-        # ==== Parameters
-        # args<Array[String, Symbol, Module, all]>:: A list of helpers
-        #
-        # ==== Returns
-        # Array[Module]:: A normalized list of modules for the list of
-        #   helpers provided.
-        def modules_for_helpers(args)
-          args += all_application_helpers if args.delete(:all)
-          super(args)
-        end
+      # Overwrite modules_for_helpers to accept :all as argument, which loads
+      # all helpers in helpers_path.
+      #
+      # ==== Parameters
+      # * <tt>args</tt> - A list of helpers
+      #
+      # ==== Returns
+      # * <tt>array</tt> - A normalized list of modules for the list of helpers provided.
+      def modules_for_helpers(args)
+        args += all_application_helpers if args.delete(:all)
+        super(args)
+      end
 
-        # Extract helper names from files in app/helpers/**/*_helper.rb
-        def all_application_helpers
-          helpers = []
-          Array.wrap(helpers_path).each do |path|
-            extract  = /^#{Regexp.quote(path.to_s)}\/?(.*)_helper.rb$/
-            helpers += Dir["#{path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1') }
-          end
-          helpers.sort!
-          helpers.uniq!
-          helpers
+      def all_helpers_from_path(path)
+        helpers = []
+        Array.wrap(path).each do |_path|
+          extract  = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
+          helpers += Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1') }
         end
+        helpers.sort!
+        helpers.uniq!
+        helpers
+      end
+
+      private
+      # Extract helper names from files in <tt>app/helpers/**/*_helper.rb</tt>
+      def all_application_helpers
+        all_helpers_from_path(helpers_path)
+      end
     end
   end
 end

data/lib/action_controller/metal/hide_actions.rb

@@ -1,8 +1,7 @@
 require 'active_support/core_ext/class/attribute'
 
 module ActionController
-  # ActionController::HideActions adds the ability to prevent public methods on a controller
-  # to be called as actions.
+  # Adds the ability to prevent public methods on a controller to be called as actions.
   module HideActions
     extend ActiveSupport::Concern
 
@@ -23,7 +22,7 @@ module ActionController
       # Sets all of the actions passed in as hidden actions.
       #
       # ==== Parameters
-      # *args<#to_s>:: A list of actions
+      # * <tt>args</tt> - A list of actions
       def hide_action(*args)
         self.hidden_actions = hidden_actions.dup.merge(args.map(&:to_s)).freeze
       end

data/lib/action_controller/metal/http_authentication.rb

@@ -3,14 +3,12 @@ require 'active_support/core_ext/object/blank'
 
 module ActionController
   module HttpAuthentication
-    # Makes it dead easy to do HTTP Basic authentication.
+    # Makes it dead easy to do HTTP \Basic and \Digest authentication.
     #
-    # Simple Basic example:
+    # === Simple \Basic example
     #
     #   class PostsController < ApplicationController
-    #     USER_NAME, PASSWORD = "dhh", "secret"
-    #
-    #     before_filter :authenticate, :except => [ :index ]
+    #     http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
     #
     #     def index
     #       render :text => "Everyone can see me!"
@@ -19,17 +17,11 @@ module ActionController
     #     def edit
     #       render :text => "I'm only accessible if you know the password"
     #     end
+    #  end
     #
-    #     private
-    #       def authenticate
-    #         authenticate_or_request_with_http_basic do |user_name, password|
-    #           user_name == USER_NAME && password == PASSWORD
-    #         end
-    #       end
-    #   end
+    # === Advanced \Basic example
     #
-    #
-    # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
     # the regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
@@ -69,13 +61,13 @@ module ActionController
     #     assert_equal 200, status
     #   end
     #
-    # Simple Digest example:
+    # === Simple \Digest example
     #
     #   require 'digest/md5'
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest:MD5::hexdigest(["dap",REALM,"secret"].join(":"))  #ha1 digest password
+    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))  #ha1 digest password
     #
     #     before_filter :authenticate, :except => [:index]
     #
@@ -101,15 +93,30 @@ module ActionController
     # or the ha1 digest hash so the framework can appropriately hash to check the user's
     # credentials. Returning +nil+ will cause authentication to fail.
     #
-    # On shared hosts, Apache sometimes doesn't pass authentication headers to
-    # FCGI instances. If your environment matches this description and you cannot
-    # authenticate, try this rule in your Apache setup:
+    # Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If
+    # the password file or database is compromised, the attacker would be able to use the ha1 hash to
+    # authenticate as the user at this +realm+, but would not have the user's password to try using at
+    # other sites.
     #
-    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
+    # In rare instances, web servers or front proxies strip authorization headers before
+    # they reach your application. You can debug this situation by logging all environment
+    # variables, and check for HTTP_AUTHORIZATION, amongst others.
     module Basic
       extend self
 
       module ControllerMethods
+        extend ActiveSupport::Concern
+        
+        module ClassMethods
+          def http_basic_authenticate_with(options = {})
+            before_filter(options.except(:name, :password, :realm)) do
+              authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
+                name == options[:name] && password == options[:password]
+              end
+            end
+          end
+        end
+        
         def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
           authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
         end
@@ -209,7 +216,7 @@ module ActionController
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
         credentials[:response] = expected_response(http_method, credentials[:uri], credentials, password, password_is_ha1)
-        "Digest " + credentials.sort_by {|x| x[0].to_s }.inject([]) {|a, v| a << "#{v[0]}='#{v[1]}'" }.join(', ')
+        "Digest " + credentials.sort_by {|x| x[0].to_s }.map {|v| "#{v[0]}='#{v[1]}'" }.join(', ')
       end
 
       def decode_credentials_header(request)
@@ -217,9 +224,9 @@ module ActionController
       end
 
       def decode_credentials(header)
-        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
           key, value = pair.split('=', 2)
-          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
         end]
       end
 
@@ -373,7 +380,6 @@ module ActionController
     #
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
-
       extend self
 
       module ControllerMethods
@@ -402,7 +408,7 @@ module ActionController
       # Returns nil if no token is found.
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
-        if !token.blank?
+        unless token.blank?
           login_procedure.call(token, options)
         end
       end
@@ -412,20 +418,19 @@ module ActionController
       #   Authorization: Token token="abc", nonce="def"
       # Then the returned token is "abc", and the options is {:nonce => "def"}
       #
-      # request - ActionController::Request instance with the current headers.
+      # request - ActionDispatch::Request instance with the current headers.
       #
       # Returns an Array of [String, Hash] if a token is present.
       # Returns nil if no token is found.
       def token_and_options(request)
         if header = request.authorization.to_s[/^Token (.*)/]
-          values = $1.split(',').
-            inject({}) do |memo, value|
-              value.strip!                      # remove any spaces between commas and values
-              key, value = value.split(/\=\"?/) # split key=value pairs
-              value.chomp!('"')                 # chomp trailing " in value
-              value.gsub!(/\\\"/, '"')          # unescape remaining quotes
-              memo.update(key => value)
-            end
+          values = Hash[$1.split(',').map do |value|
+            value.strip!                      # remove any spaces between commas and values
+            key, value = value.split(/\=\"?/) # split key=value pairs
+            value.chomp!('"')                 # chomp trailing " in value
+            value.gsub!(/\\\"/, '"')          # unescape remaining quotes
+            [key, value]
+          end]
           [values.delete("token"), values.with_indifferent_access]
         end
       end
@@ -437,9 +442,8 @@ module ActionController
       #
       # Returns String.
       def encode_credentials(token, options = {})
-        values = ["token=#{token.to_s.inspect}"]
-        options.each do |key, value|
-          values << "#{key}=#{value.to_s.inspect}"
+        values = ["token=#{token.to_s.inspect}"] + options.map do |key, value|
+          "#{key}=#{value.to_s.inspect}"
         end
         "Token #{values * ", "}"
       end
@@ -455,6 +459,5 @@ module ActionController
         controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
       end
     end
-
   end
 end