actionpack 3.2.19 → 4.2.11.3

data/lib/action_controller/metal/params_wrapper.rb

@@ -1,13 +1,12 @@
-require 'active_support/core_ext/class/attribute'
 require 'active_support/core_ext/hash/slice'
 require 'active_support/core_ext/hash/except'
-require 'active_support/core_ext/array/wrap'
 require 'active_support/core_ext/module/anonymous'
-require 'action_dispatch/http/mime_types'
+require 'active_support/core_ext/struct'
+require 'action_dispatch/http/mime_type'
 
 module ActionController
-  # Wraps the parameters hash into a nested hash. This will allow clients to submit
-  # POST requests without having to specify any root elements.
+  # Wraps the parameters hash into a nested hash. This will allow clients to
+  # submit requests without having to specify any root elements.
   #
   # This functionality is enabled in +config/initializers/wrap_parameters.rb+
   # and can be customized. If you are upgrading to \Rails 3.1, this file will
@@ -17,7 +16,7 @@ module ActionController
   # a non-empty array:
   #
   #     class UsersController < ApplicationController
-  #       wrap_parameters :format => [:json, :xml]
+  #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
   #     end
   #
   # If you enable +ParamsWrapper+ for +:json+ format, instead of having to
@@ -40,16 +39,15 @@ module ActionController
   # +:exclude+ options like this:
   #
   #     class UsersController < ApplicationController
-  #       wrap_parameters :person, :include => [:username, :password]
+  #       wrap_parameters :person, include: [:username, :password]
   #     end
   #
-  # On ActiveRecord models with no +:include+ or +:exclude+ option set, 
-  # if attr_accessible is set on that model, it will only wrap the accessible
-  # parameters, else it will only wrap the parameters returned by the class 
-  # method attribute_names.
+  # On ActiveRecord models with no +:include+ or +:exclude+ option set,
+  # it will only wrap the parameters returned by the class method
+  # <tt>attribute_names</tt>.
   #
   # If you're going to pass the parameters to an +ActiveModel+ object (such as
-  # +User.new(params[:user])+), you might consider passing the model class to
+  # <tt>User.new(params[:user])</tt>), you might consider passing the model class to
   # the method instead. The +ParamsWrapper+ will actually try to determine the
   # list of attribute names from the model and only wrap those attributes:
   #
@@ -67,7 +65,7 @@ module ActionController
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if +Admin::User+ or +User+ model exists, and use it to
+  # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
   module ParamsWrapper
@@ -75,17 +73,104 @@ module ActionController
 
     EXCLUDE_PARAMETERS = %w(authenticity_token _method utf8)
 
+    require 'mutex_m'
+
+    class Options < Struct.new(:name, :format, :include, :exclude, :klass, :model) # :nodoc:
+      include Mutex_m
+
+      def self.from_hash(hash)
+        name    = hash[:name]
+        format  = Array(hash[:format])
+        include = hash[:include] && Array(hash[:include]).collect(&:to_s)
+        exclude = hash[:exclude] && Array(hash[:exclude]).collect(&:to_s)
+        new name, format, include, exclude, nil, nil
+      end
+
+      def initialize(name, format, include, exclude, klass, model) # nodoc
+        super
+        @include_set = include
+        @name_set    = name
+      end
+
+      def model
+        super || synchronize { super || self.model = _default_wrap_model }
+      end
+
+      def include
+        return super if @include_set
+
+        m = model
+        synchronize do
+          return super if @include_set
+
+          @include_set = true
+
+          unless super || exclude
+            if m.respond_to?(:attribute_names) && m.attribute_names.any?
+              self.include = m.attribute_names
+            end
+          end
+        end
+      end
+
+      def name
+        return super if @name_set
+
+        m = model
+        synchronize do
+          return super if @name_set
+
+          @name_set = true
+
+          unless super || klass.anonymous?
+            self.name = m ? m.to_s.demodulize.underscore :
+              klass.controller_name.singularize
+          end
+        end
+      end
+
+      private
+      # Determine the wrapper model from the controller's name. By convention,
+      # this could be done by trying to find the defined model that has the
+      # same singularize name as the controller. For example, +UsersController+
+      # will try to find if the +User+ model exists.
+      #
+      # This method also does namespace lookup. Foo::Bar::UsersController will
+      # try to find Foo::Bar::User, Foo::User and finally User.
+      def _default_wrap_model #:nodoc:
+        return nil if klass.anonymous?
+        model_name = klass.name.sub(/Controller$/, '').classify
+
+        begin
+          if model_klass = model_name.safe_constantize
+            model_klass
+          else
+            namespaces = model_name.split("::")
+            namespaces.delete_at(-2)
+            break if namespaces.last == model_name
+            model_name = namespaces.join("::")
+          end
+        end until model_klass
+
+        model_klass
+      end
+    end
+
     included do
       class_attribute :_wrapper_options
-      self._wrapper_options = { :format => [] }
+      self._wrapper_options = Options.from_hash(format: [])
     end
 
     module ClassMethods
+      def _set_wrapper_options(options)
+        self._wrapper_options = Options.from_hash(options)
+      end
+
       # Sets the name of the wrapper key, or the model which +ParamsWrapper+
       # would use to determine the attribute names from.
       #
       # ==== Examples
-      #   wrap_parameters :format => :xml
+      #   wrap_parameters format: :xml
       #     # enables the parameter wrapper for XML format
       #
       #   wrap_parameters :person
@@ -95,7 +180,7 @@ module ActionController
       #     # wraps parameters by determining the wrapper key from Person class
       #     (+person+, in this case) and the list of attribute names
       #
-      #   wrap_parameters :include => [:username, :title]
+      #   wrap_parameters include: [:username, :title]
       #     # wraps only +:username+ and +:title+ attributes from parameters.
       #
       #   wrap_parameters false
@@ -122,78 +207,36 @@ module ActionController
           model = name_or_model_or_options
         end
 
-        _set_wrapper_defaults(_wrapper_options.slice(:format).merge(options), model)
+        opts   = Options.from_hash _wrapper_options.to_h.slice(:format).merge(options)
+        opts.model = model
+        opts.klass = self
+
+        self._wrapper_options = opts
       end
 
       # Sets the default wrapper key or model which will be used to determine
       # wrapper key and attribute names. Will be called automatically when the
       # module is inherited.
       def inherited(klass)
-        if klass._wrapper_options[:format].present?
-          klass._set_wrapper_defaults(klass._wrapper_options.slice(:format))
+        if klass._wrapper_options.format.any?
+          params = klass._wrapper_options.dup
+          params.klass = klass
+          klass._wrapper_options = params
         end
         super
       end
-
-      protected
-
-      # Determine the wrapper model from the controller's name. By convention,
-      # this could be done by trying to find the defined model that has the
-      # same singularize name as the controller. For example, +UsersController+
-      # will try to find if the +User+ model exists.
-      #
-      # This method also does namespace lookup. Foo::Bar::UsersController will
-      # try to find Foo::Bar::User, Foo::User and finally User.
-      def _default_wrap_model #:nodoc:
-        return nil if self.anonymous?
-        model_name = self.name.sub(/Controller$/, '').classify
-
-        begin
-          if model_klass = model_name.safe_constantize
-            model_klass
-          else
-            namespaces = model_name.split("::")
-            namespaces.delete_at(-2)
-            break if namespaces.last == model_name
-            model_name = namespaces.join("::")
-          end
-        end until model_klass
-
-        model_klass
-      end
-
-      def _set_wrapper_defaults(options, model=nil)
-        options = options.dup
-
-        unless options[:include] || options[:exclude]
-          model ||= _default_wrap_model
-          role = options.has_key?(:as) ? options[:as] : :default
-          if model.respond_to?(:accessible_attributes) && model.accessible_attributes(role).present?
-            options[:include] = model.accessible_attributes(role).to_a
-          elsif model.respond_to?(:attribute_names) && model.attribute_names.present?
-            options[:include] = model.attribute_names
-          end
-        end
-
-        unless options[:name] || self.anonymous?
-          model ||= _default_wrap_model
-          options[:name] = model ? model.to_s.demodulize.underscore :
-            controller_name.singularize
-        end
-
-        options[:include] = Array.wrap(options[:include]).collect(&:to_s) if options[:include]
-        options[:exclude] = Array.wrap(options[:exclude]).collect(&:to_s) if options[:exclude]
-        options[:format]  = Array.wrap(options[:format])
-
-        self._wrapper_options = options
-      end
     end
 
     # Performs parameters wrapping upon the request. Will be called automatically
     # by the metal call stack.
     def process_action(*args)
       if _wrapper_enabled?
-        wrapped_hash = _wrap_parameters request.request_parameters
+        if request.parameters[_wrapper_key].present?
+          wrapped_hash = _extract_parameters(request.parameters)
+        else
+          wrapped_hash = _wrap_parameters request.request_parameters
+        end
+
         wrapped_keys = request.request_parameters.keys
         wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -201,7 +244,7 @@ module ActionController
         request.parameters.merge! wrapped_hash
         request.request_parameters.merge! wrapped_hash
 
-        # This will make the wrapped hash displayed in the log file
+        # This will display the wrapped hash in the log file
         request.filtered_parameters.merge! wrapped_filtered_hash
       end
       super
@@ -209,26 +252,28 @@ module ActionController
 
     private
 
-      # Returns the wrapper key which will use to stored wrapped parameters.
+      # Returns the wrapper key which will be used to stored wrapped parameters.
       def _wrapper_key
-        _wrapper_options[:name]
+        _wrapper_options.name
       end
 
       # Returns the list of enabled formats.
       def _wrapper_formats
-        _wrapper_options[:format]
+        _wrapper_options.format
       end
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        value = if include_only = _wrapper_options[:include]
+        { _wrapper_key => _extract_parameters(parameters) }
+      end
+
+      def _extract_parameters(parameters)
+        if include_only = _wrapper_options.include
           parameters.slice(*include_only)
         else
-          exclude = _wrapper_options[:exclude] || []
+          exclude = _wrapper_options.exclude || []
           parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
-
-        { _wrapper_key => value }
       end
 
       # Checks if we should perform parameters wrapping.

data/lib/action_controller/metal/rack_delegation.rb

@@ -6,11 +6,10 @@ module ActionController
     extend ActiveSupport::Concern
 
     delegate :headers, :status=, :location=, :content_type=,
-             :status, :location, :content_type, :to => "@_response"
+             :status, :location, :content_type, :response_code, :to => "@_response"
 
-    def dispatch(action, request, response = ActionDispatch::Response.new)
-      @_response ||= response
-      @_response.request ||= request
+    def dispatch(action, request)
+      set_response!(request)
       super(action, request)
     end
 
@@ -22,5 +21,12 @@ module ActionController
     def reset_session
       @_request.reset_session
     end
+
+    private
+
+    def set_response!(request)
+      @_response         = ActionDispatch::Response.new
+      @_response.request = request
+    end
   end
 end

data/lib/action_controller/metal/redirecting.rb

@@ -14,7 +14,7 @@ module ActionController
     include ActionController::RackDelegation
     include ActionController::UrlFor
 
-    # Redirects the browser to the target specified in +options+. This parameter can take one of three forms:
+    # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
     # * <tt>Record</tt> - The URL will be generated by calling url_for with the +options+, which will reference a named URL for that record.
@@ -24,8 +24,9 @@ module ActionController
     # * <tt>:back</tt> - Back to the page that issued the request. Useful for forms that are triggered from multiple places.
     #   Short-hand for <tt>redirect_to(request.env["HTTP_REFERER"])</tt>
     #
-    # Examples:
-    #   redirect_to :action => "show", :id => 5
+    # === Examples:
+    #
+    #   redirect_to action: "show", id: 5
     #   redirect_to post
     #   redirect_to "http://www.rubyonrails.org"
     #   redirect_to "/images/screenshot.jpg"
@@ -33,13 +34,12 @@ module ActionController
     #   redirect_to :back
     #   redirect_to proc { edit_post_url(@post) }
     #
-    # The redirection happens as a "302 Moved" header unless otherwise specified.
+    # The redirection happens as a "302 Found" header unless otherwise specified using the <tt>:status</tt> option:
     #
-    # Examples:
-    #   redirect_to post_url(@post), :status => :found
-    #   redirect_to :action=>'atom', :status => :moved_permanently
-    #   redirect_to post_url(@post), :status => 301
-    #   redirect_to :action=>'atom', :status => 302
+    #   redirect_to post_url(@post), status: :found
+    #   redirect_to action: 'atom', status: :moved_permanently
+    #   redirect_to post_url(@post), status: 301
+    #   redirect_to action: 'atom', status: 302
     #
     # The status code can either be a standard {HTTP Status code}[http://www.iana.org/assignments/http-status-codes] as an
     # integer, or a symbol representing the downcased, underscored and symbolized description.
@@ -51,29 +51,52 @@ module ActionController
     # around this  you can return a <tt>303 See Other</tt> status code which will be
     # followed using a GET request.
     #
-    # Examples:
-    #   redirect_to posts_url, :status => :see_other
-    #   redirect_to :action => 'index', :status => 303
+    #   redirect_to posts_url, status: :see_other
+    #   redirect_to action: 'index', status: 303
     #
     # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
     # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
     #
-    # Examples:
-    #   redirect_to post_url(@post), :alert => "Watch it, mister!"
-    #   redirect_to post_url(@post), :status=> :found, :notice => "Pay attention to the road"
-    #   redirect_to post_url(@post), :status => 301, :flash => { :updated_post_id => @post.id }
-    #   redirect_to { :action=>'atom' }, :alert => "Something serious happened"
+    #   redirect_to post_url(@post), alert: "Watch it, mister!"
+    #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
     #
-    # When using <tt>redirect_to :back</tt>, if there is no referrer, ActionController::RedirectBackError will be raised. You may specify some fallback
-    # behavior for this case by rescuing ActionController::RedirectBackError.
+    # When using <tt>redirect_to :back</tt>, if there is no referrer,
+    # <tt>ActionController::RedirectBackError</tt> will be raised. You
+    # may specify some fallback behavior for this case by rescuing
+    # <tt>ActionController::RedirectBackError</tt>.
     def redirect_to(options = {}, response_status = {}) #:doc:
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)
-      self.location      = _compute_redirect_to_location(options)
-      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(location)}\">redirected</a>.</body></html>"
+      self.location      = _compute_redirect_to_location(request, options)
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+    end
+
+    def _compute_redirect_to_location(request, options) #:nodoc:
+      case options
+      # The scheme name consist of a letter followed by any combination of
+      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
+      # characters; and is terminated by a colon (":").
+      # See http://tools.ietf.org/html/rfc3986#section-3.1
+      # The protocol relative scheme starts with a double slash "//".
+      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
+        options
+      when String
+        request.protocol + request.host_with_port + options
+      when :back
+        request.headers["Referer"] or raise RedirectBackError
+      when Proc
+        _compute_redirect_to_location request, options.call
+      else
+        url_for(options)
+      end.delete("\0\r\n")
     end
+    module_function :_compute_redirect_to_location
+    public :_compute_redirect_to_location
 
     private
       def _extract_redirect_to_status(options, response_status)
@@ -85,25 +108,5 @@ module ActionController
           302
         end
       end
-
-      def _compute_redirect_to_location(options)
-        case options
-        # The scheme name consist of a letter followed by any combination of
-        # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
-        # characters; and is terminated by a colon (":").
-        # The protocol relative scheme starts with a double slash "//"
-        when %r{^(\w[\w+.-]*:|//).*}
-          options
-        when String
-          request.protocol + request.host_with_port + options
-        when :back
-          raise RedirectBackError unless refer = request.headers["Referer"]
-          refer
-        when Proc
-          _compute_redirect_to_location options.call
-        else
-          url_for(options)
-        end.gsub(/[\0\r\n]/, '')
-      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -1,5 +1,3 @@
-require 'active_support/core_ext/class/attribute'
-require 'active_support/core_ext/object/blank'
 require 'set'
 
 module ActionController
@@ -8,6 +6,17 @@ module ActionController
     Renderers.add(key, &block)
   end
 
+  # See <tt>Renderers.remove</tt>
+  def self.remove_renderer(key)
+    Renderers.remove(key)
+  end
+
+  class MissingRenderer < LoadError
+    def initialize(format)
+      super "No renderer defined for format: #{format}"
+    end
+  end
+
   module Renderers
     extend ActiveSupport::Concern
 
@@ -25,23 +34,28 @@ module ActionController
     end
 
     def render_to_body(options)
-      _handle_render_options(options) || super
+      _render_to_body_with_renderer(options) || super
     end
 
-    def _handle_render_options(options)
+    def _render_to_body_with_renderer(options)
       _renderers.each do |name|
         if options.key?(name)
           _process_options(options)
-          return send("_render_option_#{name}", options.delete(name), options)
+          method_name = Renderers._render_with_renderer_method_name(name)
+          return send(method_name, options.delete(name), options)
         end
       end
       nil
     end
 
-    # Hash of available renderers, mapping a renderer name to its proc.
-    # Default keys are :json, :js, :xml.
+    # A Set containing renderer names that correspond to available renderer procs.
+    # Default values are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
     RENDERERS = Set.new
 
+    def self._render_with_renderer_method_name(key)
+      "_render_with_renderer_#{key}"
+    end
+
     # Adds a new renderer to call within controller actions.
     # A renderer is invoked by passing its name as an option to
     # <tt>AbstractController::Rendering#render</tt>. To create a renderer
@@ -49,14 +63,13 @@ module ActionController
     # is the value paired with its key and the second is the remaining
     # hash of options passed to +render+.
     #
-    # === Example
     # Create a csv renderer:
     #
     #   ActionController::Renderers.add :csv do |obj, options|
     #     filename = options[:filename] || 'data'
     #     str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
-    #     send_data str, :type => Mime::CSV,
-    #       :disposition => "attachment; filename=#{filename}.csv"
+    #     send_data str, type: Mime::CSV,
+    #       disposition: "attachment; filename=#{filename}.csv"
     #   end
     #
     # Note that we used Mime::CSV for the csv mime type as it comes with Rails.
@@ -69,17 +82,25 @@ module ActionController
     #     @csvable = Csvable.find(params[:id])
     #     respond_to do |format|
     #       format.html
-    #       format.csv { render :csv => @csvable, :filename => @csvable.name }
-    #     }
+    #       format.csv { render csv: @csvable, filename: @csvable.name }
+    #     end
     #   end
-    # To use renderers and their mime types in more concise ways, see
-    # <tt>ActionController::MimeResponds::ClassMethods.respond_to</tt> and
-    # <tt>ActionController::MimeResponds#respond_with</tt>
     def self.add(key, &block)
-      define_method("_render_option_#{key}", &block)
+      define_method(_render_with_renderer_method_name(key), &block)
       RENDERERS << key.to_sym
     end
 
+    # This method is the opposite of add method.
+    #
+    # Usage:
+    #
+    #   ActionController::Renderers.remove(:csv)
+    def self.remove(key)
+      RENDERERS.delete(key.to_sym)
+      method_name = _render_with_renderer_method_name(key)
+      remove_method(method_name) if method_defined?(method_name)
+    end
+
     module All
       extend ActiveSupport::Concern
       include Renderers
@@ -91,9 +112,17 @@ module ActionController
 
     add :json do |json, options|
       json = json.to_json(options) unless json.kind_of?(String)
-      json = "#{options[:callback]}(#{json})" unless options[:callback].blank?
-      self.content_type ||= Mime::JSON
-      json
+
+      if options[:callback].present?
+        if content_type.nil? || content_type == Mime::JSON
+          self.content_type = Mime::JS
+        end
+
+        "/**/#{options[:callback]}(#{json})"
+      else
+        self.content_type ||= Mime::JSON
+        json
+      end
     end
 
     add :js do |js, options|