actionpack 3.2.22.5 → 4.0.0.beta1

data/lib/action_controller/metal/params_wrapper.rb

@@ -1,9 +1,8 @@
-require 'active_support/core_ext/class/attribute'
 require 'active_support/core_ext/hash/slice'
 require 'active_support/core_ext/hash/except'
-require 'active_support/core_ext/array/wrap'
 require 'active_support/core_ext/module/anonymous'
-require 'action_dispatch/http/mime_types'
+require 'active_support/core_ext/struct'
+require 'action_dispatch/http/mime_type'
 
 module ActionController
   # Wraps the parameters hash into a nested hash. This will allow clients to submit
@@ -17,7 +16,7 @@ module ActionController
   # a non-empty array:
   #
   #     class UsersController < ApplicationController
-  #       wrap_parameters :format => [:json, :xml]
+  #       wrap_parameters format: [:json, :xml]
   #     end
   #
   # If you enable +ParamsWrapper+ for +:json+ format, instead of having to
@@ -40,16 +39,15 @@ module ActionController
   # +:exclude+ options like this:
   #
   #     class UsersController < ApplicationController
-  #       wrap_parameters :person, :include => [:username, :password]
+  #       wrap_parameters :person, include: [:username, :password]
   #     end
   #
-  # On ActiveRecord models with no +:include+ or +:exclude+ option set, 
-  # if attr_accessible is set on that model, it will only wrap the accessible
-  # parameters, else it will only wrap the parameters returned by the class 
-  # method attribute_names.
+  # On ActiveRecord models with no +:include+ or +:exclude+ option set,
+  # it will only wrap the parameters returned by the class method
+  # <tt>attribute_names</tt>.
   #
   # If you're going to pass the parameters to an +ActiveModel+ object (such as
-  # +User.new(params[:user])+), you might consider passing the model class to
+  # <tt>User.new(params[:user])</tt>), you might consider passing the model class to
   # the method instead. The +ParamsWrapper+ will actually try to determine the
   # list of attribute names from the model and only wrap those attributes:
   #
@@ -67,7 +65,7 @@ module ActionController
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if +Admin::User+ or +User+ model exists, and use it to
+  # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
   module ParamsWrapper
@@ -75,17 +73,104 @@ module ActionController
 
     EXCLUDE_PARAMETERS = %w(authenticity_token _method utf8)
 
+    require 'mutex_m'
+
+    class Options < Struct.new(:name, :format, :include, :exclude, :klass, :model) # :nodoc:
+      include Mutex_m
+
+      def self.from_hash(hash)
+        name    = hash[:name]
+        format  = Array(hash[:format])
+        include = hash[:include] && Array(hash[:include]).collect(&:to_s)
+        exclude = hash[:exclude] && Array(hash[:exclude]).collect(&:to_s)
+        new name, format, include, exclude, nil, nil
+      end
+
+      def initialize(name, format, include, exclude, klass, model) # nodoc
+        super
+        @include_set = include
+        @name_set    = name
+      end
+
+      def model
+        super || synchronize { super || self.model = _default_wrap_model }
+      end
+
+      def include
+        return super if @include_set
+
+        m = model
+        synchronize do
+          return super if @include_set
+
+          @include_set = true
+
+          unless super || exclude
+            if m.respond_to?(:attribute_names) && m.attribute_names.any?
+              self.include = m.attribute_names
+            end
+          end
+        end
+      end
+
+      def name
+        return super if @name_set
+
+        m = model
+        synchronize do
+          return super if @name_set
+
+          @name_set = true
+
+          unless super || klass.anonymous?
+            self.name = m ? m.to_s.demodulize.underscore :
+              klass.controller_name.singularize
+          end
+        end
+      end
+
+      private
+      # Determine the wrapper model from the controller's name. By convention,
+      # this could be done by trying to find the defined model that has the
+      # same singularize name as the controller. For example, +UsersController+
+      # will try to find if the +User+ model exists.
+      #
+      # This method also does namespace lookup. Foo::Bar::UsersController will
+      # try to find Foo::Bar::User, Foo::User and finally User.
+      def _default_wrap_model #:nodoc:
+        return nil if klass.anonymous?
+        model_name = klass.name.sub(/Controller$/, '').classify
+
+        begin
+          if model_klass = model_name.safe_constantize
+            model_klass
+          else
+            namespaces = model_name.split("::")
+            namespaces.delete_at(-2)
+            break if namespaces.last == model_name
+            model_name = namespaces.join("::")
+          end
+        end until model_klass
+
+        model_klass
+      end
+    end
+
     included do
       class_attribute :_wrapper_options
-      self._wrapper_options = { :format => [] }
+      self._wrapper_options = Options.from_hash(format: [])
     end
 
     module ClassMethods
+      def _set_wrapper_options(options)
+        self._wrapper_options = Options.from_hash(options)
+      end
+
       # Sets the name of the wrapper key, or the model which +ParamsWrapper+
       # would use to determine the attribute names from.
       #
       # ==== Examples
-      #   wrap_parameters :format => :xml
+      #   wrap_parameters format: :xml
       #     # enables the parameter wrapper for XML format
       #
       #   wrap_parameters :person
@@ -95,7 +180,7 @@ module ActionController
       #     # wraps parameters by determining the wrapper key from Person class
       #     (+person+, in this case) and the list of attribute names
       #
-      #   wrap_parameters :include => [:username, :title]
+      #   wrap_parameters include: [:username, :title]
       #     # wraps only +:username+ and +:title+ attributes from parameters.
       #
       #   wrap_parameters false
@@ -122,71 +207,24 @@ module ActionController
           model = name_or_model_or_options
         end
 
-        _set_wrapper_defaults(_wrapper_options.slice(:format).merge(options), model)
+        opts   = Options.from_hash _wrapper_options.to_h.slice(:format).merge(options)
+        opts.model = model
+        opts.klass = self
+
+        self._wrapper_options = opts
       end
 
       # Sets the default wrapper key or model which will be used to determine
       # wrapper key and attribute names. Will be called automatically when the
       # module is inherited.
       def inherited(klass)
-        if klass._wrapper_options[:format].present?
-          klass._set_wrapper_defaults(klass._wrapper_options.slice(:format))
+        if klass._wrapper_options.format.any?
+          params = klass._wrapper_options.dup
+          params.klass = klass
+          klass._wrapper_options = params
         end
         super
       end
-
-      protected
-
-      # Determine the wrapper model from the controller's name. By convention,
-      # this could be done by trying to find the defined model that has the
-      # same singularize name as the controller. For example, +UsersController+
-      # will try to find if the +User+ model exists.
-      #
-      # This method also does namespace lookup. Foo::Bar::UsersController will
-      # try to find Foo::Bar::User, Foo::User and finally User.
-      def _default_wrap_model #:nodoc:
-        return nil if self.anonymous?
-        model_name = self.name.sub(/Controller$/, '').classify
-
-        begin
-          if model_klass = model_name.safe_constantize
-            model_klass
-          else
-            namespaces = model_name.split("::")
-            namespaces.delete_at(-2)
-            break if namespaces.last == model_name
-            model_name = namespaces.join("::")
-          end
-        end until model_klass
-
-        model_klass
-      end
-
-      def _set_wrapper_defaults(options, model=nil)
-        options = options.dup
-
-        unless options[:include] || options[:exclude]
-          model ||= _default_wrap_model
-          role = options.has_key?(:as) ? options[:as] : :default
-          if model.respond_to?(:accessible_attributes) && model.accessible_attributes(role).present?
-            options[:include] = model.accessible_attributes(role).to_a
-          elsif model.respond_to?(:attribute_names) && model.attribute_names.present?
-            options[:include] = model.attribute_names
-          end
-        end
-
-        unless options[:name] || self.anonymous?
-          model ||= _default_wrap_model
-          options[:name] = model ? model.to_s.demodulize.underscore :
-            controller_name.singularize
-        end
-
-        options[:include] = Array.wrap(options[:include]).collect(&:to_s) if options[:include]
-        options[:exclude] = Array.wrap(options[:exclude]).collect(&:to_s) if options[:exclude]
-        options[:format]  = Array.wrap(options[:format])
-
-        self._wrapper_options = options
-      end
     end
 
     # Performs parameters wrapping upon the request. Will be called automatically
@@ -211,20 +249,20 @@ module ActionController
 
       # Returns the wrapper key which will use to stored wrapped parameters.
       def _wrapper_key
-        _wrapper_options[:name]
+        _wrapper_options.name
       end
 
       # Returns the list of enabled formats.
       def _wrapper_formats
-        _wrapper_options[:format]
+        _wrapper_options.format
       end
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        value = if include_only = _wrapper_options[:include]
+        value = if include_only = _wrapper_options.include
           parameters.slice(*include_only)
         else
-          exclude = _wrapper_options[:exclude] || []
+          exclude = _wrapper_options.exclude || []
           parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
 

data/lib/action_controller/metal/rack_delegation.rb

@@ -8,9 +8,8 @@ module ActionController
     delegate :headers, :status=, :location=, :content_type=,
              :status, :location, :content_type, :to => "@_response"
 
-    def dispatch(action, request, response = ActionDispatch::Response.new)
-      @_response ||= response
-      @_response.request ||= request
+    def dispatch(action, request)
+      set_response!(request)
       super(action, request)
     end
 
@@ -22,5 +21,12 @@ module ActionController
     def reset_session
       @_request.reset_session
     end
+
+    private
+
+    def set_response!(request)
+      @_response         = ActionDispatch::Response.new
+      @_response.request = request
+    end
   end
 end

data/lib/action_controller/metal/redirecting.rb

@@ -24,8 +24,7 @@ module ActionController
     # * <tt>:back</tt> - Back to the page that issued the request. Useful for forms that are triggered from multiple places.
     #   Short-hand for <tt>redirect_to(request.env["HTTP_REFERER"])</tt>
     #
-    # Examples:
-    #   redirect_to :action => "show", :id => 5
+    #   redirect_to action: "show", id: 5
     #   redirect_to post
     #   redirect_to "http://www.rubyonrails.org"
     #   redirect_to "/images/screenshot.jpg"
@@ -33,13 +32,12 @@ module ActionController
     #   redirect_to :back
     #   redirect_to proc { edit_post_url(@post) }
     #
-    # The redirection happens as a "302 Moved" header unless otherwise specified.
+    # The redirection happens as a "302 Found" header unless otherwise specified.
     #
-    # Examples:
-    #   redirect_to post_url(@post), :status => :found
-    #   redirect_to :action=>'atom', :status => :moved_permanently
-    #   redirect_to post_url(@post), :status => 301
-    #   redirect_to :action=>'atom', :status => 302
+    #   redirect_to post_url(@post), status: :found
+    #   redirect_to action: 'atom', status: :moved_permanently
+    #   redirect_to post_url(@post), status: 301
+    #   redirect_to action: 'atom', status: 302
     #
     # The status code can either be a standard {HTTP Status code}[http://www.iana.org/assignments/http-status-codes] as an
     # integer, or a symbol representing the downcased, underscored and symbolized description.
@@ -51,18 +49,16 @@ module ActionController
     # around this  you can return a <tt>303 See Other</tt> status code which will be
     # followed using a GET request.
     #
-    # Examples:
-    #   redirect_to posts_url, :status => :see_other
-    #   redirect_to :action => 'index', :status => 303
+    #   redirect_to posts_url, status: :see_other
+    #   redirect_to action: 'index', status: 303
     #
     # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
     # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
     #
-    # Examples:
-    #   redirect_to post_url(@post), :alert => "Watch it, mister!"
-    #   redirect_to post_url(@post), :status=> :found, :notice => "Pay attention to the road"
-    #   redirect_to post_url(@post), :status => 301, :flash => { :updated_post_id => @post.id }
-    #   redirect_to { :action=>'atom' }, :alert => "Something serious happened"
+    #   redirect_to post_url(@post), alert: "Watch it, mister!"
+    #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #   redirect_to { action: 'atom' }, alert: "Something serious happened"
     #
     # When using <tt>redirect_to :back</tt>, if there is no referrer, ActionController::RedirectBackError will be raised. You may specify some fallback
     # behavior for this case by rescuing ActionController::RedirectBackError.
@@ -92,18 +88,17 @@ module ActionController
         # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
         # characters; and is terminated by a colon (":").
         # The protocol relative scheme starts with a double slash "//"
-        when %r{^(\w[\w+.-]*:|//).*}
+        when %r{\A(\w[\w+.-]*:|//).*}
           options
         when String
           request.protocol + request.host_with_port + options
         when :back
-          raise RedirectBackError unless refer = request.headers["Referer"]
-          refer
+          request.headers["Referer"] or raise RedirectBackError
         when Proc
           _compute_redirect_to_location options.call
         else
           url_for(options)
-        end.gsub(/[\0\r\n]/, '')
+        end.delete("\0\r\n")
       end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -1,5 +1,3 @@
-require 'active_support/core_ext/class/attribute'
-require 'active_support/core_ext/object/blank'
 require 'set'
 
 module ActionController
@@ -49,14 +47,13 @@ module ActionController
     # is the value paired with its key and the second is the remaining
     # hash of options passed to +render+.
     #
-    # === Example
     # Create a csv renderer:
     #
     #   ActionController::Renderers.add :csv do |obj, options|
     #     filename = options[:filename] || 'data'
     #     str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
-    #     send_data str, :type => Mime::CSV,
-    #       :disposition => "attachment; filename=#{filename}.csv"
+    #     send_data str, type: Mime::CSV,
+    #       disposition: "attachment; filename=#{filename}.csv"
     #   end
     #
     # Note that we used Mime::CSV for the csv mime type as it comes with Rails.
@@ -69,7 +66,7 @@ module ActionController
     #     @csvable = Csvable.find(params[:id])
     #     respond_to do |format|
     #       format.html
-    #       format.csv { render :csv => @csvable, :filename => @csvable.name }
+    #       format.csv { render csv: @csvable, filename: @csvable.name }
     #     }
     #   end
     # To use renderers and their mime types in more concise ways, see
@@ -91,9 +88,14 @@ module ActionController
 
     add :json do |json, options|
       json = json.to_json(options) unless json.kind_of?(String)
-      json = "#{options[:callback]}(#{json})" unless options[:callback].blank?
-      self.content_type ||= Mime::JSON
-      json
+
+      if options[:callback].present?
+        self.content_type ||= Mime::JS
+        "#{options[:callback]}(#{json})"
+      else
+        self.content_type ||= Mime::JSON
+        json
+      end
     end
 
     add :js do |js, options|

data/lib/action_controller/metal/rendering.rb

@@ -29,6 +29,10 @@ module ActionController
       self.response_body = nil
     end
 
+    def render_to_body(*)
+      super || " "
+    end
+
     private
 
     # Normalize arguments by catching blocks and setting them on :update.
@@ -44,6 +48,10 @@ module ActionController
         options[:text] = options[:text].to_text
       end
 
+      if options.delete(:nothing) || (options.key?(:text) && options[:text].nil?)
+        options[:text] = " "
+      end
+
       if options[:status]
         options[:status] = Rack::Utils.status_code(options[:status])
       end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -1,4 +1,4 @@
-require 'active_support/core_ext/class/attribute'
+require 'rack/session/abstract/id'
 require 'action_controller/metal/exceptions'
 
 module ActionController #:nodoc:
@@ -14,10 +14,23 @@ module ActionController #:nodoc:
   # authentication scheme there anyway). Also, GET requests are not protected as these
   # should be idempotent.
   #
+  # It's important to remember that XML or JSON requests are also affected and if
+  # you're building an API you'll need something like:
+  #
+  #   class ApplicationController < ActionController::Base
+  #     protect_from_forgery
+  #     skip_before_action :verify_authenticity_token, if: :json_request?
+  #
+  #     protected
+  #
+  #     def json_request?
+  #       request.format.json?
+  #     end
+  #   end
+  #
   # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
   # which checks the token and resets the session if it doesn't match what was expected.
   # A call to this method is generated for new \Rails applications by default.
-  # You can customize the error message by editing public/422.html.
   #
   # The token parameter is named <tt>authenticity_token</tt> by default. The name and
   # value of this token must be added to every layout that renders forms by including
@@ -37,6 +50,10 @@ module ActionController #:nodoc:
       config_accessor :request_forgery_protection_token
       self.request_forgery_protection_token ||= :authenticity_token
 
+      # Holds the class which implements the request forgery protection.
+      config_accessor :forgery_protection_strategy
+      self.forgery_protection_strategy = nil
+
       # Controls whether request forgery protection is turned on or not. Turned off by default only in test mode.
       config_accessor :allow_forgery_protection
       self.allow_forgery_protection = true if allow_forgery_protection.nil?
@@ -48,50 +65,126 @@ module ActionController #:nodoc:
     module ClassMethods
       # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
       #
-      # Example:
-      #
       #   class FooController < ApplicationController
-      #     protect_from_forgery :except => :index
+      #     protect_from_forgery except: :index
       #
       # You can disable csrf protection on controller-by-controller basis:
       #
-      #   skip_before_filter :verify_authenticity_token
+      #   skip_before_action :verify_authenticity_token
       #
       # It can also be disabled for specific controller actions:
       #
-      #   skip_before_filter :verify_authenticity_token, :except => [:create]
+      #   skip_before_action :verify_authenticity_token, except: [:create]
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set which actions are verified.
+      # * <tt>:only/:except</tt> - Passed to the <tt>before_action</tt> call. Set which actions are verified.
+      # * <tt>:with</tt> - Set the method to handle unverified request.
+      #
+      # Valid unverified request handling methods are:
+      # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
+      # * <tt>:reset_session</tt> - Resets the session.
+      # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
       def protect_from_forgery(options = {})
+        self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
-        prepend_before_filter :verify_authenticity_token, options
+        prepend_before_action :verify_authenticity_token, options
+      end
+
+      private
+
+      def protection_method_class(name)
+        ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
+      rescue NameError
+        raise ArgumentError, 'Invalid request forgery protection method, use :null_session, :exception, or :reset_session'
+      end
+    end
+
+    module ProtectionMethods
+      class NullSession
+        def initialize(controller)
+          @controller = controller
+        end
+
+        # This is the method that defines the application behavior when a request is found to be unverified.
+        def handle_unverified_request
+          request = @controller.request
+          request.session = NullSessionHash.new(request.env)
+          request.env['action_dispatch.request.flash_hash'] = nil
+          request.env['rack.session.options'] = { skip: true }
+          request.env['action_dispatch.cookies'] = NullCookieJar.build(request)
+        end
+
+        protected
+
+        class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+          def initialize(env)
+            super(nil, env)
+            @data = {}
+            @loaded = true
+          end
+
+          def exists?
+            true
+          end
+        end
+
+        class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+          def self.build(request)
+            key_generator = request.env[ActionDispatch::Cookies::GENERATOR_KEY]
+            host          = request.host
+            secure        = request.ssl?
+
+            new(key_generator, host, secure, options_for_env({}))
+          end
+
+          def write(*)
+            # nothing
+          end
+        end
+      end
+
+      class ResetSession
+        def initialize(controller)
+          @controller = controller
+        end
+
+        def handle_unverified_request
+          @controller.reset_session
+        end
+      end
+
+      class Exception
+        def initialize(controller)
+          @controller = controller
+        end
+
+        def handle_unverified_request
+          raise ActionController::InvalidAuthenticityToken
+        end
       end
     end
 
     protected
-      # The actual before_filter that is used. Modify this to change how you handle unverified requests.
+      def handle_unverified_request
+        forgery_protection_strategy.new(self).handle_unverified_request
+      end
+
+      # The actual before_action that is used. Modify this to change how you handle unverified requests.
       def verify_authenticity_token
         unless verified_request?
-          logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
+          logger.warn "Can't verify CSRF token authenticity" if logger
           handle_unverified_request
         end
       end
 
-      # This is the method that defines the application behavior when a request is found to be unverified.
-      # By default, \Rails resets the session when it finds an unverified request.
-      def handle_unverified_request
-        reset_session
-      end
-
       # Returns true or false if a request is verified. Checks:
       #
-      # * is it a GET request?  Gets should be safe and idempotent
+      # * is it a GET or HEAD request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       # * Does the X-CSRF-Token header match the form_authenticity_token
       def verified_request?
-        !protect_against_forgery? || request.get? ||
+        !protect_against_forgery? || request.get? || request.head? ||
           form_authenticity_token == params[request_forgery_protection_token] ||
           form_authenticity_token == request.headers['X-CSRF-Token']
       end