RubyGems - actionpack - Versions diffs - 3.2.22.5 → 4.0.0.beta1 - Mend

actionpack 3.2.22.5 → 4.0.0.beta1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (265) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +641 -418
data/MIT-LICENSE +1 -1
data/README.rdoc +5 -288
data/lib/abstract_controller.rb +1 -8
data/lib/abstract_controller/asset_paths.rb +2 -2
data/lib/abstract_controller/base.rb +39 -37
data/lib/abstract_controller/callbacks.rb +101 -82
data/lib/abstract_controller/collector.rb +7 -3
data/lib/abstract_controller/helpers.rb +23 -11
data/lib/abstract_controller/layouts.rb +68 -73
data/lib/abstract_controller/logger.rb +1 -2
data/lib/abstract_controller/rendering.rb +22 -13
data/lib/abstract_controller/translation.rb +16 -1
data/lib/abstract_controller/url_for.rb +6 -6
data/lib/abstract_controller/view_paths.rb +1 -1
data/lib/action_controller.rb +15 -6
data/lib/action_controller/base.rb +46 -22
data/lib/action_controller/caching.rb +46 -33
data/lib/action_controller/caching/fragments.rb +23 -53
data/lib/action_controller/deprecated.rb +5 -1
data/lib/action_controller/deprecated/integration_test.rb +3 -0
data/lib/action_controller/log_subscriber.rb +11 -8
data/lib/action_controller/metal.rb +16 -30
data/lib/action_controller/metal/conditional_get.rb +76 -32
data/lib/action_controller/metal/data_streaming.rb +20 -26
data/lib/action_controller/metal/exceptions.rb +19 -6
data/lib/action_controller/metal/flash.rb +24 -9
data/lib/action_controller/metal/force_ssl.rb +32 -9
data/lib/action_controller/metal/head.rb +25 -4
data/lib/action_controller/metal/helpers.rb +6 -9
data/lib/action_controller/metal/hide_actions.rb +1 -2
data/lib/action_controller/metal/http_authentication.rb +105 -87
data/lib/action_controller/metal/implicit_render.rb +1 -1
data/lib/action_controller/metal/instrumentation.rb +2 -1
data/lib/action_controller/metal/live.rb +141 -0
data/lib/action_controller/metal/mime_responds.rb +161 -47
data/lib/action_controller/metal/params_wrapper.rb +112 -74
data/lib/action_controller/metal/rack_delegation.rb +9 -3
data/lib/action_controller/metal/redirecting.rb +15 -20
data/lib/action_controller/metal/renderers.rb +11 -9
data/lib/action_controller/metal/rendering.rb +8 -0
data/lib/action_controller/metal/request_forgery_protection.rb +112 -19
data/lib/action_controller/metal/responder.rb +20 -19
data/lib/action_controller/metal/streaming.rb +12 -18
data/lib/action_controller/metal/strong_parameters.rb +516 -0
data/lib/action_controller/metal/testing.rb +13 -18
data/lib/action_controller/metal/url_for.rb +27 -25
data/lib/action_controller/model_naming.rb +12 -0
data/lib/action_controller/railtie.rb +33 -17
data/lib/action_controller/railties/helpers.rb +22 -0
data/lib/action_controller/record_identifier.rb +18 -72
data/lib/action_controller/test_case.rb +215 -123
data/lib/action_controller/vendor/html-scanner.rb +4 -19
data/lib/action_dispatch.rb +27 -19
data/lib/action_dispatch/http/cache.rb +63 -11
data/lib/action_dispatch/http/filter_parameters.rb +18 -8
data/lib/action_dispatch/http/filter_redirect.rb +37 -0
data/lib/action_dispatch/http/headers.rb +27 -19
data/lib/action_dispatch/http/mime_negotiation.rb +25 -2
data/lib/action_dispatch/http/mime_type.rb +145 -113
data/lib/action_dispatch/http/mime_types.rb +1 -1
data/lib/action_dispatch/http/parameter_filter.rb +44 -46
data/lib/action_dispatch/http/parameters.rb +12 -5
data/lib/action_dispatch/http/rack_cache.rb +2 -3
data/lib/action_dispatch/http/request.rb +49 -18
data/lib/action_dispatch/http/response.rb +129 -35
data/lib/action_dispatch/http/upload.rb +60 -17
data/lib/action_dispatch/http/url.rb +53 -31
data/lib/action_dispatch/journey.rb +5 -0
data/lib/action_dispatch/journey/backwards.rb +5 -0
data/lib/action_dispatch/journey/formatter.rb +146 -0
data/lib/action_dispatch/journey/gtg/builder.rb +162 -0
data/lib/action_dispatch/journey/gtg/simulator.rb +44 -0
data/lib/action_dispatch/journey/gtg/transition_table.rb +156 -0
data/lib/action_dispatch/journey/nfa/builder.rb +76 -0
data/lib/action_dispatch/journey/nfa/dot.rb +36 -0
data/lib/action_dispatch/journey/nfa/simulator.rb +47 -0
data/lib/action_dispatch/journey/nfa/transition_table.rb +163 -0
data/lib/action_dispatch/journey/nodes/node.rb +124 -0
data/lib/action_dispatch/journey/parser.rb +206 -0
data/lib/action_dispatch/journey/parser.y +47 -0
data/lib/action_dispatch/journey/parser_extras.rb +23 -0
data/lib/action_dispatch/journey/path/pattern.rb +196 -0
data/lib/action_dispatch/journey/route.rb +116 -0
data/lib/action_dispatch/journey/router.rb +164 -0
data/lib/action_dispatch/journey/router/strexp.rb +24 -0
data/lib/action_dispatch/journey/router/utils.rb +54 -0
data/lib/action_dispatch/journey/routes.rb +75 -0
data/lib/action_dispatch/journey/scanner.rb +61 -0
data/lib/action_dispatch/journey/visitors.rb +189 -0
data/lib/action_dispatch/journey/visualizer/fsm.css +34 -0
data/lib/action_dispatch/journey/visualizer/fsm.js +134 -0
data/lib/action_dispatch/journey/visualizer/index.html.erb +52 -0
data/lib/action_dispatch/middleware/callbacks.rb +9 -4
data/lib/action_dispatch/middleware/cookies.rb +168 -57
data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -17
data/lib/action_dispatch/middleware/exception_wrapper.rb +27 -3
data/lib/action_dispatch/middleware/flash.rb +58 -58
data/lib/action_dispatch/middleware/params_parser.rb +14 -29
data/lib/action_dispatch/middleware/public_exceptions.rb +31 -14
data/lib/action_dispatch/middleware/reloader.rb +6 -6
data/lib/action_dispatch/middleware/remote_ip.rb +145 -39
data/lib/action_dispatch/middleware/request_id.rb +2 -6
data/lib/action_dispatch/middleware/session/abstract_store.rb +22 -20
data/lib/action_dispatch/middleware/session/cache_store.rb +3 -3
data/lib/action_dispatch/middleware/session/cookie_store.rb +81 -7
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -3
data/lib/action_dispatch/middleware/show_exceptions.rb +12 -45
data/lib/action_dispatch/middleware/ssl.rb +70 -0
data/lib/action_dispatch/middleware/stack.rb +6 -1
data/lib/action_dispatch/middleware/static.rb +5 -24
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb +14 -11
data/lib/action_dispatch/middleware/templates/rescues/_source.erb +25 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb +15 -9
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +121 -5
data/lib/action_dispatch/middleware/templates/rescues/missing_template.erb +7 -2
data/lib/action_dispatch/middleware/templates/rescues/routing_error.erb +30 -15
data/lib/action_dispatch/middleware/templates/rescues/template_error.erb +39 -13
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb +6 -2
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +16 -0
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +144 -0
data/lib/action_dispatch/railtie.rb +16 -6
data/lib/action_dispatch/request/session.rb +181 -0
data/lib/action_dispatch/routing.rb +41 -40
data/lib/action_dispatch/routing/inspector.rb +240 -0
data/lib/action_dispatch/routing/mapper.rb +501 -273
data/lib/action_dispatch/routing/polymorphic_routes.rb +16 -20
data/lib/action_dispatch/routing/redirection.rb +46 -29
data/lib/action_dispatch/routing/route_set.rb +203 -164
data/lib/action_dispatch/routing/routes_proxy.rb +2 -0
data/lib/action_dispatch/routing/url_for.rb +48 -33
data/lib/action_dispatch/testing/assertions/dom.rb +3 -13
data/lib/action_dispatch/testing/assertions/response.rb +32 -40
data/lib/action_dispatch/testing/assertions/routing.rb +40 -39
data/lib/action_dispatch/testing/assertions/selector.rb +15 -20
data/lib/action_dispatch/testing/assertions/tag.rb +20 -23
data/lib/action_dispatch/testing/integration.rb +41 -22
data/lib/action_dispatch/testing/test_process.rb +9 -6
data/lib/action_dispatch/testing/test_request.rb +7 -3
data/lib/action_pack.rb +1 -1
data/lib/action_pack/version.rb +4 -4
data/lib/action_view.rb +17 -8
data/lib/action_view/base.rb +15 -34
data/lib/action_view/buffers.rb +1 -1
data/lib/action_view/context.rb +4 -4
data/lib/action_view/dependency_tracker.rb +91 -0
data/lib/action_view/digestor.rb +85 -0
data/lib/action_view/flows.rb +1 -4
data/lib/action_view/helpers.rb +2 -4
data/lib/action_view/helpers/active_model_helper.rb +3 -4
data/lib/action_view/helpers/asset_tag_helper.rb +211 -353
data/lib/action_view/helpers/asset_url_helper.rb +354 -0
data/lib/action_view/helpers/atom_feed_helper.rb +13 -10
data/lib/action_view/helpers/cache_helper.rb +150 -18
data/lib/action_view/helpers/capture_helper.rb +42 -29
data/lib/action_view/helpers/csrf_helper.rb +0 -2
data/lib/action_view/helpers/date_helper.rb +268 -247
data/lib/action_view/helpers/debug_helper.rb +10 -11
data/lib/action_view/helpers/form_helper.rb +904 -547
data/lib/action_view/helpers/form_options_helper.rb +341 -166
data/lib/action_view/helpers/form_tag_helper.rb +188 -88
data/lib/action_view/helpers/javascript_helper.rb +23 -16
data/lib/action_view/helpers/number_helper.rb +148 -354
data/lib/action_view/helpers/output_safety_helper.rb +3 -3
data/lib/action_view/helpers/record_tag_helper.rb +17 -22
data/lib/action_view/helpers/rendering_helper.rb +2 -4
data/lib/action_view/helpers/sanitize_helper.rb +3 -6
data/lib/action_view/helpers/tag_helper.rb +43 -37
data/lib/action_view/helpers/tags.rb +39 -0
data/lib/action_view/helpers/tags/base.rb +148 -0
data/lib/action_view/helpers/tags/check_box.rb +64 -0
data/lib/action_view/helpers/tags/checkable.rb +16 -0
data/lib/action_view/helpers/tags/collection_check_boxes.rb +43 -0
data/lib/action_view/helpers/tags/collection_helpers.rb +83 -0
data/lib/action_view/helpers/tags/collection_radio_buttons.rb +36 -0
data/lib/action_view/helpers/tags/collection_select.rb +28 -0
data/lib/action_view/helpers/tags/color_field.rb +25 -0
data/lib/action_view/helpers/tags/date_field.rb +13 -0
data/lib/action_view/helpers/tags/date_select.rb +72 -0
data/lib/action_view/helpers/tags/datetime_field.rb +22 -0
data/lib/action_view/helpers/tags/datetime_local_field.rb +19 -0
data/lib/action_view/helpers/tags/datetime_select.rb +8 -0
data/lib/action_view/helpers/tags/email_field.rb +8 -0
data/lib/action_view/helpers/tags/file_field.rb +8 -0
data/lib/action_view/helpers/tags/grouped_collection_select.rb +29 -0
data/lib/action_view/helpers/tags/hidden_field.rb +8 -0
data/lib/action_view/helpers/tags/label.rb +65 -0
data/lib/action_view/helpers/tags/month_field.rb +13 -0
data/lib/action_view/helpers/tags/number_field.rb +18 -0
data/lib/action_view/helpers/tags/password_field.rb +12 -0
data/lib/action_view/helpers/tags/radio_button.rb +31 -0
data/lib/action_view/helpers/tags/range_field.rb +8 -0
data/lib/action_view/helpers/tags/search_field.rb +24 -0
data/lib/action_view/helpers/tags/select.rb +41 -0
data/lib/action_view/helpers/tags/tel_field.rb +8 -0
data/lib/action_view/helpers/tags/text_area.rb +18 -0
data/lib/action_view/helpers/tags/text_field.rb +29 -0
data/lib/action_view/helpers/tags/time_field.rb +13 -0
data/lib/action_view/helpers/tags/time_select.rb +8 -0
data/lib/action_view/helpers/tags/time_zone_select.rb +20 -0
data/lib/action_view/helpers/tags/url_field.rb +8 -0
data/lib/action_view/helpers/tags/week_field.rb +13 -0
data/lib/action_view/helpers/text_helper.rb +126 -113
data/lib/action_view/helpers/translation_helper.rb +32 -16
data/lib/action_view/helpers/url_helper.rb +200 -271
data/lib/action_view/locale/en.yml +1 -105
data/lib/action_view/log_subscriber.rb +6 -4
data/lib/action_view/lookup_context.rb +15 -39
data/lib/action_view/model_naming.rb +12 -0
data/lib/action_view/path_set.rb +9 -39
data/lib/action_view/railtie.rb +6 -22
data/lib/action_view/record_identifier.rb +84 -0
data/lib/action_view/renderer/abstract_renderer.rb +10 -19
data/lib/action_view/renderer/partial_renderer.rb +144 -81
data/lib/action_view/renderer/renderer.rb +2 -19
data/lib/action_view/renderer/streaming_template_renderer.rb +2 -5
data/lib/action_view/renderer/template_renderer.rb +14 -13
data/lib/action_view/routing_url_for.rb +107 -0
data/lib/action_view/template.rb +22 -21
data/lib/action_view/template/error.rb +22 -12
data/lib/action_view/template/handlers.rb +12 -9
data/lib/action_view/template/handlers/builder.rb +1 -1
data/lib/action_view/template/handlers/erb.rb +11 -16
data/lib/action_view/template/handlers/raw.rb +11 -0
data/lib/action_view/template/resolver.rb +111 -83
data/lib/action_view/template/text.rb +12 -8
data/lib/action_view/template/types.rb +57 -0
data/lib/action_view/test_case.rb +66 -43
data/lib/action_view/testing/resolvers.rb +3 -2
data/lib/action_view/vendor/html-scanner.rb +20 -0
data/lib/{action_controller → action_view}/vendor/html-scanner/html/document.rb +0 -0
data/lib/{action_controller → action_view}/vendor/html-scanner/html/node.rb +12 -12
data/lib/{action_controller → action_view}/vendor/html-scanner/html/sanitizer.rb +18 -7
data/lib/{action_controller → action_view}/vendor/html-scanner/html/selector.rb +1 -1
data/lib/{action_controller → action_view}/vendor/html-scanner/html/tokenizer.rb +1 -1
data/lib/{action_controller → action_view}/vendor/html-scanner/html/version.rb +0 -0
metadata +135 -125
data/lib/action_controller/caching/actions.rb +0 -185
data/lib/action_controller/caching/pages.rb +0 -187
data/lib/action_controller/caching/sweeping.rb +0 -97
data/lib/action_controller/deprecated/performance_test.rb +0 -1
data/lib/action_controller/metal/compatibility.rb +0 -65
data/lib/action_controller/metal/session_management.rb +0 -14
data/lib/action_controller/railties/paths.rb +0 -25
data/lib/action_dispatch/middleware/best_standards_support.rb +0 -30
data/lib/action_dispatch/middleware/body_proxy.rb +0 -30
data/lib/action_dispatch/middleware/head.rb +0 -18
data/lib/action_dispatch/middleware/rescue.rb +0 -26
data/lib/action_dispatch/testing/performance_test.rb +0 -10
data/lib/action_view/asset_paths.rb +0 -142
data/lib/action_view/helpers/asset_paths.rb +0 -7
data/lib/action_view/helpers/asset_tag_helpers/asset_include_tag.rb +0 -146
data/lib/action_view/helpers/asset_tag_helpers/asset_paths.rb +0 -93
data/lib/action_view/helpers/asset_tag_helpers/javascript_tag_helpers.rb +0 -193
data/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb +0 -148
data/lib/sprockets/assets.rake +0 -99
data/lib/sprockets/bootstrap.rb +0 -37
data/lib/sprockets/compressors.rb +0 -83
data/lib/sprockets/helpers.rb +0 -6
data/lib/sprockets/helpers/isolated_helper.rb +0 -13
data/lib/sprockets/helpers/rails_helper.rb +0 -182
data/lib/sprockets/railtie.rb +0 -62
data/lib/sprockets/static_compiler.rb +0 -56

data/lib/action_controller/metal/responder.rb CHANGED

@@ -45,15 +45,15 @@ module ActionController #:nodoc:
   #       if @user.save
   #         flash[:notice] = 'User was successfully created.'
   #         format.html { redirect_to(@user) }
-  #         format.xml { render :xml => @user, :status => :created, :location => @user }
+  #         format.xml { render xml: @user, status: :created, location: @user }
   #       else
-  #         format.html { render :action => "new" }
-  #         format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
+  #         format.html { render action: "new" }
+  #         format.xml { render xml: @user.errors, status: :unprocessable_entity }
   #       end
   #     end
   #   end
   #
-  # The same happens for PUT and DELETE requests.
+  # The same happens for PATCH/PUT and DELETE requests.
   #
   # === Nested resources
   #
@@ -63,7 +63,7 @@ module ActionController #:nodoc:
   #
   #   def create
   #     @project = Project.find(params[:project_id])
-  #     @task = @project.comments.build(params[:task])
+  #     @task = @project.tasks.build(params[:task])
   #     flash[:notice] = 'Task was successfully created.' if @task.save
   #     respond_with(@project, @task)
   #   end
@@ -90,9 +90,9 @@ module ActionController #:nodoc:
   #
   #   def create
   #     @project = Project.find(params[:project_id])
-  #     @task = @project.comments.build(params[:task])
+  #     @task = @project.tasks.build(params[:task])
   #     flash[:notice] = 'Task was successfully created.' if @task.save
-  #     respond_with(@project, @task, :status => 201)
+  #     respond_with(@project, @task, status: 201)
   #   end
   #
   # This will return status 201 if the task was saved successfully. If not,
@@ -102,8 +102,8 @@ module ActionController #:nodoc:
   #
   #   def create
   #     @project = Project.find(params[:project_id])
-  #     @task = @project.comments.build(params[:task])
-  #     respond_with(@project, @task, :status => 201) do |format|
+  #     @task = @project.tasks.build(params[:task])
+  #     respond_with(@project, @task, status: 201) do |format|
   #       if @task.save
   #         flash[:notice] = 'Task was successfully created.'
   #       else
@@ -116,8 +116,9 @@ module ActionController #:nodoc:
   class Responder
     attr_reader :controller, :request, :format, :resource, :resources, :options
-    ACTIONS_FOR_VERBS = {
+    DEFAULT_ACTIONS_FOR_VERBS = {
       :post => :new,
+      :patch => :edit,
       :put => :edit
     }
@@ -133,7 +134,7 @@ module ActionController #:nodoc:
     end
     delegate :head, :render, :redirect_to,   :to => :controller
-    delegate :get?, :post?, :put?, :delete?, :to => :request
+    delegate :get?, :post?, :patch?, :put?, :delete?, :to => :request
     # Undefine :to_json and :to_yaml since it's defined on Object
     undef_method(:to_json) if method_defined?(:to_json)
@@ -235,20 +236,20 @@ module ActionController #:nodoc:
     # Display is just a shortcut to render a resource with the current format.
     #
-    #   display @user, :status => :ok
+    #   display @user, status: :ok
     #
     # For XML requests it's equivalent to:
     #
-    #   render :xml => @user, :status => :ok
+    #   render xml: @user, status: :ok
     #
     # Options sent by the user are also used:
     #
-    #   respond_with(@user, :status => :created)
-    #   display(@user, :status => :ok)
+    #   respond_with(@user, status: :created)
+    #   display(@user, status: :ok)
     #
     # Results in:
     #
-    #   render :xml => @user, :status => :created
+    #   render xml: @user, status: :created
     #
     def display(resource, given_options={})
       controller.render given_options.merge!(options).merge!(format => resource)
@@ -264,11 +265,11 @@ module ActionController #:nodoc:
       resource.respond_to?(:errors) && !resource.errors.empty?
     end
-    # By default, render the <code>:edit</code> action for HTML requests with failure, unless
-    # the verb is POST.
+    # By default, render the <code>:edit</code> action for HTML requests with errors, unless
+    # the verb was POST.
     #
     def default_action
-      @action ||= ACTIONS_FOR_VERBS[request.request_method_symbol]
+      @action ||= DEFAULT_ACTIONS_FOR_VERBS[request.request_method_symbol]
     end
     def resource_errors

data/lib/action_controller/metal/streaming.rb CHANGED

@@ -1,4 +1,3 @@
-require 'active_support/core_ext/file/path'
 require 'rack/chunked'
 module ActionController #:nodoc:
@@ -22,15 +21,13 @@ module ActionController #:nodoc:
   # supports fibers (fibers are supported since version 1.9.2 of the main
   # Ruby implementation).
   #
-  # == Examples
-  #
   # Streaming can be added to a given template easily, all you need to do is
   # to pass the :stream option.
   #
   #   class PostsController
   #     def index
-  #       @posts = Post.scoped
-  #       render :stream => true
+  #       @posts = Post.all
+  #       render stream: true
   #     end
   #   end
   #
@@ -54,10 +51,10 @@ module ActionController #:nodoc:
   #
   #   def dashboard
   #     # Allow lazy execution of the queries
-  #     @posts = Post.scoped
-  #     @pages = Page.scoped
-  #     @articles = Article.scoped
-  #     render :stream => true
+  #     @posts = Post.all
+  #     @pages = Page.all
+  #     @articles = Article.all
+  #     render stream: true
   #   end
   #
   # Notice that :stream only works with templates. Rendering :json
@@ -140,17 +137,14 @@ module ActionController #:nodoc:
   # session or flash after the template starts rendering will not propagate
   # to the client.
   #
-  # If you try to modify cookies, session or flash, an +ActionDispatch::ClosedError+
-  # will be raised, showing those objects are closed for modification.
-  #
   # == Middlewares
   #
   # Middlewares that need to manipulate the body won't work with streaming.
   # You should disable those middlewares whenever streaming in development
-  # or production. For instance, +Rack::Bug+ won't work when streaming as it
+  # or production. For instance, <tt>Rack::Bug</tt> won't work when streaming as it
   # needs to inject contents in the HTML body.
   #
-  # Also +Rack::Cache+ won't work with streaming as it does not support
+  # Also <tt>Rack::Cache</tt> won't work with streaming as it does not support
   # streaming bodies yet. Whenever streaming Cache-Control is automatically
   # set to "no-cache".
   #
@@ -163,7 +157,7 @@ module ActionController #:nodoc:
   # Currently, when an exception happens in development or production, Rails
   # will automatically stream to the client:
   #
-  #   "><script type="text/javascript">window.location = "/500.html"</script></html>
+  #   "><script>window.location = "/500.html"</script></html>
   #
   # The first two characters (">) are required in case the exception happens
   # while rendering attributes for a given tag. You can check the real cause
@@ -180,7 +174,7 @@ module ActionController #:nodoc:
   # need to create a config file as follow:
   #
   #   # unicorn.config.rb
-  #   listen 3000, :tcp_nopush => false
+  #   listen 3000, tcp_nopush: false
   #
   # And use it on initialization:
   #
@@ -195,7 +189,7 @@ module ActionController #:nodoc:
   # ==== Passenger
   #
   # To be described.
-  #
+  #
   module Streaming
     extend ActiveSupport::Concern
@@ -217,7 +211,7 @@ module ActionController #:nodoc:
       end
     end
-    # Call render_to_body if we are streaming instead of usual +render+.
+    # Call render_body if we are streaming instead of usual +render+.
     def _render_template(options) #:nodoc:
       if options.delete(:stream)
         Rack::Chunked::Body.new view_renderer.render_body(view_context, options)

data/lib/action_controller/metal/strong_parameters.rb ADDED

@@ -0,0 +1,516 @@
+require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/array/wrap'
+require 'active_support/rescuable'
+require 'action_dispatch/http/upload'
+module ActionController
+  # Raised when a required parameter is missing.
+  #
+  #   params = ActionController::Parameters.new(a: {})
+  #   params.fetch(:b)
+  #   # => ActionController::ParameterMissing: param not found: b
+  #   params.require(:a)
+  #   # => ActionController::ParameterMissing: param not found: a
+  class ParameterMissing < KeyError
+    attr_reader :param # :nodoc:
+    def initialize(param) # :nodoc:
+      @param = param
+      super("param not found: #{param}")
+    end
+  end
+  # Raised when a supplied parameter is not expected.
+  #
+  #   params = ActionController::Parameters.new(a: "123", b: "456")
+  #   params.permit(:c)
+  #   # => ActionController::UnpermittedParameters: found unexpected keys: a, b
+  class UnpermittedParameters < IndexError
+    attr_reader :params # :nodoc:
+    def initialize(params) # :nodoc:
+      @params = params
+      super("found unpermitted parameters: #{params.join(", ")}")
+    end
+  end
+  # == Action Controller \Parameters
+  #
+  # Allows to choose which attributes should be whitelisted for mass updating
+  # and thus prevent accidentally exposing that which shouldn’t be exposed.
+  # Provides two methods for this purpose: #require and #permit. The former is
+  # used to mark parameters as required. The latter is used to set the parameter
+  # as permitted and limit which attributes should be allowed for mass updating.
+  #
+  #   params = ActionController::Parameters.new({
+  #     person: {
+  #       name: 'Francesco',
+  #       age:  22,
+  #       role: 'admin'
+  #     }
+  #   })
+  #
+  #   permitted = params.require(:person).permit(:name, :age)
+  #   permitted            # => {"name"=>"Francesco", "age"=>22}
+  #   permitted.class      # => ActionController::Parameters
+  #   permitted.permitted? # => true
+  #
+  #   Person.first.update!(permitted)
+  #   # => #<Person id: 1, name: "Francesco", age: 22, role: "user">
+  #
+  # It provides two options that controls the top-level behavior of new instances:
+  #
+  # * +permit_all_parameters+ - If it's +true+, all the parameters will be
+  #   permitted by default. The default is +false+.
+  # * +action_on_unpermitted_parameters+ - Allow to control the behavior when parameters
+  #   that are not explicitly permitted are found. The values can be <tt>:log</tt> to
+  #   write a message on the logger or <tt>:raise</tt> to raise
+  #   ActionController::UnpermittedParameters exception. The default value is <tt>:log</tt>
+  #   in test and development environments, +false+ otherwise.
+  #
+  #   params = ActionController::Parameters.new
+  #   params.permitted? # => false
+  #
+  #   ActionController::Parameters.permit_all_parameters = true
+  #
+  #   params = ActionController::Parameters.new
+  #   params.permitted? # => true
+  #
+  #   params = ActionController::Parameters.new(a: "123", b: "456")
+  #   params.permit(:c)
+  #   # => {}
+  #
+  #   ActionController::Parameters.action_on_unpermitted_parameters = :raise
+  #
+  #   params = ActionController::Parameters.new(a: "123", b: "456")
+  #   params.permit(:c)
+  #   # => ActionController::UnpermittedParameters: found unpermitted keys: a, b
+  #
+  # <tt>ActionController::Parameters</tt> is inherited from
+  # <tt>ActiveSupport::HashWithIndifferentAccess</tt>, this means
+  # that you can fetch values using either <tt>:key</tt> or <tt>"key"</tt>.
+  #
+  #   params = ActionController::Parameters.new(key: 'value')
+  #   params[:key]  # => "value"
+  #   params["key"] # => "value"
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :permit_all_parameters, instance_accessor: false
+    cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
+    # Never raise an UnpermittedParameters exception because of these params
+    # are present. They are added by Rails and it's of no concern.
+    NEVER_UNPERMITTED_PARAMS = %w( controller action )
+    # Returns a new instance of <tt>ActionController::Parameters</tt>.
+    # Also, sets the +permitted+ attribute to the default value of
+    # <tt>ActionController::Parameters.permit_all_parameters</tt>.
+    #
+    #   class Person < ActiveRecord::Base
+    #   end
+    #
+    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params.permitted?  # => false
+    #   Person.new(params) # => ActiveModel::ForbiddenAttributesError
+    #
+    #   ActionController::Parameters.permit_all_parameters = true
+    #
+    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params.permitted?  # => true
+    #   Person.new(params) # => #<Person id: nil, name: "Francesco">
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = self.class.permit_all_parameters
+    end
+    # Returns +true+ if the parameter is permitted, +false+ otherwise.
+    #
+    #   params = ActionController::Parameters.new
+    #   params.permitted? # => false
+    #   params.permit!
+    #   params.permitted? # => true
+    def permitted?
+      @permitted
+    end
+    # Sets the +permitted+ attribute to +true+. This can be used to pass
+    # mass assignment. Returns +self+.
+    #
+    #   class Person < ActiveRecord::Base
+    #   end
+    #
+    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params.permitted?  # => false
+    #   Person.new(params) # => ActiveModel::ForbiddenAttributesError
+    #   params.permit!
+    #   params.permitted?  # => true
+    #   Person.new(params) # => #<Person id: nil, name: "Francesco">
+    def permit!
+      each_pair do |key, value|
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
+      end
+      @permitted = true
+      self
+    end
+    # Ensures that a parameter is present. If it's present, returns
+    # the parameter at the given +key+, otherwise raises an
+    # <tt>ActionController::ParameterMissing</tt> error.
+    #
+    #   ActionController::Parameters.new(person: { name: 'Francesco' }).require(:person)
+    #   # => {"name"=>"Francesco"}
+    #
+    #   ActionController::Parameters.new(person: nil).require(:person)
+    #   # => ActionController::ParameterMissing: param not found: person
+    #
+    #   ActionController::Parameters.new(person: {}).require(:person)
+    #   # => ActionController::ParameterMissing: param not found: person
+    def require(key)
+      self[key].presence || raise(ParameterMissing.new(key))
+    end
+    # Alias of #require.
+    alias :required :require
+    # Returns a new <tt>ActionController::Parameters</tt> instance that
+    # includes only the given +filters+ and sets the +permitted+ attribute
+    # for the object to +true+. This is useful for limiting which attributes
+    # should be allowed for mass updating.
+    #
+    #   params = ActionController::Parameters.new(user: { name: 'Francesco', age: 22, role: 'admin' })
+    #   permitted = params.require(:user).permit(:name, :age)
+    #   permitted.permitted?      # => true
+    #   permitted.has_key?(:name) # => true
+    #   permitted.has_key?(:age)  # => true
+    #   permitted.has_key?(:role) # => false
+    #
+    # Only permitted scalars pass the filter. For example, given
+    #
+    #   params.permit(:name)
+    #
+    # +:name+ passes it is a key of +params+ whose associated value is of type
+    # +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
+    # +Date+, +Time+, +DateTime+, +StringIO+, +IO+,
+    # +ActionDispatch::Http::UploadedFile+ or +Rack::Test::UploadedFile+.
+    # Otherwise, the key +:name+ is filtered out.
+    #
+    # You may declare that the parameter should be an array of permitted scalars
+    # by mapping it to an empty array:
+    #
+    #   params.permit(tags: [])
+    #
+    # You can also use +permit+ on nested parameters, like:
+    #
+    #   params = ActionController::Parameters.new({
+    #     person: {
+    #       name: 'Francesco',
+    #       age:  22,
+    #       pets: [{
+    #         name: 'Purplish',
+    #         category: 'dogs'
+    #       }]
+    #     }
+    #   })
+    #
+    #   permitted = params.permit(person: [ :name, { pets: :name } ])
+    #   permitted.permitted?                    # => true
+    #   permitted[:person][:name]               # => "Francesco"
+    #   permitted[:person][:age]                # => nil
+    #   permitted[:person][:pets][0][:name]     # => "Purplish"
+    #   permitted[:person][:pets][0][:category] # => nil
+    #
+    # Note that if you use +permit+ in a key that points to a hash,
+    # it won't allow all the hash. You also need to specify which
+    # attributes inside the hash should be whitelisted.
+    #
+    #   params = ActionController::Parameters.new({
+    #     person: {
+    #       contact: {
+    #         email: 'none@test.com'
+    #         phone: '555-1234'
+    #       }
+    #     }
+    #   })
+    #
+    #   params.require(:person).permit(:contact)
+    #   # => {}
+    #
+    #   params.require(:person).permit(contact: :phone)
+    #   # => {"contact"=>{"phone"=>"555-1234"}}
+    #
+    #   params.require(:person).permit(contact: [ :email, :phone ])
+    #   # => {"contact"=>{"email"=>"none@test.com", "phone"=>"555-1234"}}
+    def permit(*filters)
+      params = self.class.new
+      filters.flatten.each do |filter|
+        case filter
+        when Symbol, String
+          permitted_scalar_filter(params, filter)
+        when Hash then
+          hash_filter(params, filter)
+        end
+      end
+      unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters
+      params.permit!
+    end
+    # Returns a parameter for the given +key+. If not found,
+    # returns +nil+.
+    #
+    #   params = ActionController::Parameters.new(person: { name: 'Francesco' })
+    #   params[:person] # => {"name"=>"Francesco"}
+    #   params[:none]   # => nil
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+    # Returns a parameter for the given +key+. If the +key+
+    # can't be found, there are several options: With no other arguments,
+    # it will raise an <tt>ActionController::ParameterMissing</tt> error;
+    # if more arguments are given, then that will be returned; if a block
+    # is given, then that will be run and its result returned.
+    #
+    #   params = ActionController::Parameters.new(person: { name: 'Francesco' })
+    #   params.fetch(:person)               # => {"name"=>"Francesco"}
+    #   params.fetch(:none)                 # => ActionController::ParameterMissing: param not found: none
+    #   params.fetch(:none, 'Francesco')    # => "Francesco"
+    #   params.fetch(:none) { 'Francesco' } # => "Francesco"
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError
+      raise ActionController::ParameterMissing.new(key)
+    end
+    # Returns a new <tt>ActionController::Parameters</tt> instance that
+    # includes only the given +keys+. If the given +keys+
+    # don't exist, returns an empty hash.
+    #
+    #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
+    #   params.slice(:a, :b) # => {"a"=>1, "b"=>2}
+    #   params.slice(:d)     # => {}
+    def slice(*keys)
+      self.class.new(super).tap do |new_instance|
+        new_instance.instance_variable_set :@permitted, @permitted
+      end
+    end
+    # Returns an exact copy of the <tt>ActionController::Parameters</tt>
+    # instance. +permitted+ state is kept on the duped object.
+    #
+    #   params = ActionController::Parameters.new(a: 1)
+    #   params.permit!
+    #   params.permitted?        # => true
+    #   copy_params = params.dup # => {"a"=>1}
+    #   copy_params.permitted?   # => true
+    def dup
+      super.tap do |duplicate|
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+      def each_element(object)
+        if object.is_a?(Array)
+          object.map { |el| yield el }.compact
+        elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = object.class.new
+          object.each { |k,v| hash[k] = yield v }
+          hash
+        else
+          yield object
+        end
+      end
+      def unpermitted_parameters!(params)
+        unpermitted_keys = unpermitted_keys(params)
+        if unpermitted_keys.any?
+          case self.class.action_on_unpermitted_parameters
+          when :log
+            ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+          when :raise
+            raise ActionController::UnpermittedParameters.new(unpermitted_keys)
+          end
+        end
+      end
+      def unpermitted_keys(params)
+        self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+      end
+      #
+      # --- Filtering ----------------------------------------------------------
+      #
+      # This is a white list of permitted scalar types that includes the ones
+      # supported in XML and JSON requests.
+      #
+      # This list is in particular used to filter ordinary requests, String goes
+      # as first element to quickly short-circuit the common case.
+      #
+      # If you modify this collection please update the API of +permit+ above.
+      PERMITTED_SCALAR_TYPES = [
+        String,
+        Symbol,
+        NilClass,
+        Numeric,
+        TrueClass,
+        FalseClass,
+        Date,
+        Time,
+        # DateTimes are Dates, we document the type but avoid the redundant check.
+        StringIO,
+        IO,
+        ActionDispatch::Http::UploadedFile,
+        Rack::Test::UploadedFile,
+      ]
+      def permitted_scalar?(value)
+        PERMITTED_SCALAR_TYPES.any? {|type| value.is_a?(type)}
+      end
+      def permitted_scalar_filter(params, key)
+        if has_key?(key) && permitted_scalar?(self[key])
+          params[key] = self[key]
+        end
+        keys.grep(/\A#{Regexp.escape(key)}\(\d+[if]?\)\z/) do |k|
+          if permitted_scalar?(self[k])
+            params[k] = self[k]
+          end
+        end
+      end
+      def array_of_permitted_scalars?(value)
+        if value.is_a?(Array)
+          value.all? {|element| permitted_scalar?(element)}
+        end
+      end
+      def array_of_permitted_scalars_filter(params, key)
+        if has_key?(key) && array_of_permitted_scalars?(self[key])
+          params[key] = self[key]
+        end
+      end
+      EMPTY_ARRAY = []
+      def hash_filter(params, filter)
+        filter = filter.with_indifferent_access
+        # Slicing filters out non-declared keys.
+        slice(*filter.keys).each do |key, value|
+          return unless value
+          if filter[key] == EMPTY_ARRAY
+            # Declaration { comment_ids: [] }.
+            array_of_permitted_scalars_filter(params, key)
+          else
+            # Declaration { user: :name } or { user: [:name, :age, { adress: ... }] }.
+            params[key] = each_element(value) do |element|
+              if element.is_a?(Hash)
+                element = self.class.new(element) unless element.respond_to?(:permit)
+                element.permit(*Array.wrap(filter[key]))
+              end
+            end
+          end
+        end
+      end
+  end
+  # == Strong \Parameters
+  #
+  # It provides an interface for protecting attributes from end-user
+  # assignment. This makes Action Controller parameters forbidden
+  # to be used in Active Model mass assignment until they have been
+  # whitelisted.
+  #
+  # In addition, parameters can be marked as required and flow through a
+  # predefined raise/rescue flow to end up as a 400 Bad Request with no
+  # effort.
+  #
+  #   class PeopleController < ActionController::Base
+  #     # Using "Person.create(params[:person])" would raise an
+  #     # ActiveModel::ForbiddenAttributes exception because it'd
+  #     # be using mass assignment without an explicit permit step.
+  #     # This is the recommended form:
+  #     def create
+  #       Person.create(person_params)
+  #     end
+  #
+  #     # This will pass with flying colors as long as there's a person key in the
+  #     # parameters, otherwise it'll raise an ActionController::MissingParameter
+  #     # exception, which will get caught by ActionController::Base and turned
+  #     # into a 400 Bad Request reply.
+  #     def update
+  #       redirect_to current_account.people.find(params[:id]).tap { |person|
+  #         person.update!(person_params)
+  #       }
+  #     end
+  #
+  #     private
+  #       # Using a private method to encapsulate the permissible parameters is
+  #       # just a good pattern since you'll be able to reuse the same permit
+  #       # list between create and update. Also, you can specialize this method
+  #       # with per-user checking of permissible attributes.
+  #       def person_params
+  #         params.require(:person).permit(:name, :age)
+  #       end
+  #   end
+  #
+  # In order to use <tt>accepts_nested_attribute_for</tt> with Strong \Parameters, you
+  # will need to specify which nested attributes should be whitelisted.
+  #
+  #   class Person
+  #     has_many :pets
+  #     accepts_nested_attributes_for :pets
+  #   end
+  #
+  #   class PeopleController < ActionController::Base
+  #     def create
+  #       Person.create(person_params)
+  #     end
+  #
+  #     ...
+  #
+  #     private
+  #
+  #       def person_params
+  #         # It's mandatory to specify the nested attributes that should be whitelisted.
+  #         # If you use `permit` with just the key that points to the nested attributes hash,
+  #         # it will return an empty hash.
+  #         params.require(:person).permit(:name, :age, pets_attributes: [ :name, :category ])
+  #       end
+  #   end
+  #
+  # See ActionController::Parameters.require and ActionController::Parameters.permit
+  # for more information.
+  module StrongParameters
+    extend ActiveSupport::Concern
+    include ActiveSupport::Rescuable
+    # Returns a new ActionController::Parameters object that
+    # has been instantiated with the <tt>request.parameters</tt>.
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+    # Assigns the given +value+ to the +params+ hash. If +value+
+    # is a Hash, this will create an ActionController::Parameters
+    # object that has been instantiated with the given +value+ hash.
+    def params=(value)
+      @_params = value.is_a?(Hash) ? Parameters.new(value) : value
+    end
+  end
+end