actionpack 3.2.22.5 → 5.2.4

data/lib/action_controller/api.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require "action_view"
+require "action_controller"
+require "action_controller/log_subscriber"
+
+module ActionController
+  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # created for applications that don't require all functionalities that a complete
+  # \Rails controller provides, allowing you to create controllers with just the
+  # features that you need for API only applications.
+  #
+  # An API Controller is different from a normal controller in the sense that
+  # by default it doesn't include a number of features that are usually required
+  # by browser access only: layouts and templates rendering, cookies, sessions,
+  # flash, assets, and so on. This makes the entire controller stack thinner,
+  # suitable for API applications. It doesn't mean you won't have such
+  # features if you need them: they're all available for you to include in
+  # your application, they're just not part of the default API controller stack.
+  #
+  # Normally, +ApplicationController+ is the only controller that inherits from
+  # <tt>ActionController::API</tt>. All other controllers in turn inherit from
+  # +ApplicationController+.
+  #
+  # A sample controller could look like this:
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       posts = Post.all
+  #       render json: posts
+  #     end
+  #   end
+  #
+  # Request, response, and parameters objects all work the exact same way as
+  # <tt>ActionController::Base</tt>.
+  #
+  # == Renders
+  #
+  # The default API Controller stack includes all renderers, which means you
+  # can use <tt>render :json</tt> and brothers freely in your controllers. Keep
+  # in mind that templates are not going to be rendered, so you need to ensure
+  # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
+  # all actions, otherwise it will return 204 No Content.
+  #
+  #   def show
+  #     post = Post.find(params[:id])
+  #     render json: post
+  #   end
+  #
+  # == Redirects
+  #
+  # Redirects are used to move from one action to another. You can use the
+  # <tt>redirect_to</tt> method in your controllers in the same way as in
+  # <tt>ActionController::Base</tt>. For example:
+  #
+  #   def create
+  #     redirect_to root_url and return if not_authorized?
+  #     # do stuff here
+  #   end
+  #
+  # == Adding New Behavior
+  #
+  # In some scenarios you may want to add back some functionality provided by
+  # <tt>ActionController::Base</tt> that is not present by default in
+  # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
+  # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
+  # you just need to include the module in a specific controller or in
+  # +ApplicationController+ in case you want it available in your entire
+  # application:
+  #
+  #   class ApplicationController < ActionController::API
+  #     include ActionController::MimeResponds
+  #   end
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       posts = Post.all
+  #
+  #       respond_to do |format|
+  #         format.json { render json: posts }
+  #         format.xml  { render xml: posts }
+  #       end
+  #     end
+  #   end
+  #
+  # Make sure to check the modules included in <tt>ActionController::Base</tt>
+  # if you want to use any other functionality that is not provided
+  # by <tt>ActionController::API</tt> out of the box.
+  class API < Metal
+    abstract!
+
+    # Shortcut helper that returns all the ActionController::API modules except
+    # the ones passed as arguments:
+    #
+    #   class MyAPIBaseController < ActionController::Metal
+    #     ActionController::API.without_modules(:ForceSSL, :UrlFor).each do |left|
+    #       include left
+    #     end
+    #   end
+    #
+    # This gives better control over what you want to exclude and makes it easier
+    # to create an API controller class, instead of listing the modules required
+    # manually.
+    def self.without_modules(*modules)
+      modules = modules.map do |m|
+        m.is_a?(Symbol) ? ActionController.const_get(m) : m
+      end
+
+      MODULES - modules
+    end
+
+    MODULES = [
+      AbstractController::Rendering,
+
+      UrlFor,
+      Redirecting,
+      ApiRendering,
+      Renderers::All,
+      ConditionalGet,
+      BasicImplicitRender,
+      StrongParameters,
+
+      ForceSSL,
+      DataStreaming,
+
+      # Before callbacks should also be executed as early as possible, so
+      # also include them at the bottom.
+      AbstractController::Callbacks,
+
+      # Append rescue at the bottom to wrap as much as possible.
+      Rescue,
+
+      # Add instrumentations hooks at the bottom, to ensure they instrument
+      # all the methods properly.
+      Instrumentation,
+
+      # Params wrapper should come before instrumentation so they are
+      # properly showed in logs
+      ParamsWrapper
+    ]
+
+    MODULES.each do |mod|
+      include mod
+    end
+
+    ActiveSupport.run_load_hooks(:action_controller_api, self)
+    ActiveSupport.run_load_hooks(:action_controller, self)
+  end
+end

data/lib/action_controller/base.rb

@@ -1,12 +1,16 @@
+# frozen_string_literal: true
+
+require "action_view"
 require "action_controller/log_subscriber"
+require "action_controller/metal/params_wrapper"
 
 module ActionController
   # Action Controllers are the core of a web request in \Rails. They are made up of one or more actions that are executed
-  # on request and then either render a template or redirect to another action. An action is defined as a public method
+  # on request and then either it renders a template or redirects to another action. An action is defined as a public method
   # on the controller, which will automatically be made accessible to the web-server through \Rails Routes.
   #
   # By default, only the ApplicationController in a \Rails application inherits from <tt>ActionController::Base</tt>. All other
-  # controllers in turn inherit from ApplicationController. This gives you one class to configure things such as
+  # controllers inherit from ApplicationController. This gives you one class to configure things such as
   # request forgery protection and filtering of sensitive request parameters.
   #
   # A sample controller could look like this:
@@ -28,9 +32,9 @@ module ActionController
   #
   # Unlike index, the create action will not render a template. After performing its main purpose (creating a
   # new post), it initiates a redirect instead. This redirect works by returning an external
-  # "302 Moved" HTTP response that takes the user to the index action.
+  # <tt>302 Moved</tt> HTTP response that takes the user to the index action.
   #
-  # These two methods represent the two basic action archetypes used in Action Controllers. Get-and-show and do-and-redirect.
+  # These two methods represent the two basic action archetypes used in Action Controllers: Get-and-show and do-and-redirect.
   # Most actions are variations on these themes.
   #
   # == Requests
@@ -42,23 +46,23 @@ module ActionController
   # The full request object is available via the request accessor and is primarily used to query for HTTP headers:
   #
   #   def server_ip
-  #     location = request.env["SERVER_ADDR"]
-  #     render :text => "This server hosted at #{location}"
+  #     location = request.env["REMOTE_ADDR"]
+  #     render plain: "This server hosted at #{location}"
   #   end
   #
   # == Parameters
   #
-  # All request parameters, whether they come from a GET or POST request, or from the URL, are available through the params method
-  # which returns a hash. For example, an action that was performed through <tt>/posts?category=All&limit=5</tt> will include
-  # <tt>{ "category" => "All", "limit" => "5" }</tt> in params.
+  # All request parameters, whether they come from a query string in the URL or form data submitted through a POST request are
+  # available through the <tt>params</tt> method which returns a hash. For example, an action that was performed through
+  # <tt>/posts?category=All&limit=5</tt> will include <tt>{ "category" => "All", "limit" => "5" }</tt> in <tt>params</tt>.
   #
   # It's also possible to construct multi-dimensional parameter hashes by specifying keys using brackets, such as:
   #
   #   <input type="text" name="post[name]" value="david">
   #   <input type="text" name="post[address]" value="hyacintvej">
   #
-  # A request stemming from a form holding these inputs will include <tt>{ "post" => { "name" => "david", "address" => "hyacintvej" } }</tt>.
-  # If the address input had been named "post[address][street]", the params would have included
+  # A request coming from a form holding these inputs will include <tt>{ "post" => { "name" => "david", "address" => "hyacintvej" } }</tt>.
+  # If the address input had been named <tt>post[address][street]</tt>, the <tt>params</tt> would have included
   # <tt>{ "post" => { "address" => { "street" => "hyacintvej" } } }</tt>. There's no limit to the depth of the nesting.
   #
   # == Sessions
@@ -72,7 +76,7 @@ module ActionController
   #
   #   session[:person] = Person.authenticate(user_name, password)
   #
-  # And retrieved again through the same hash:
+  # You can retrieve it again through the same hash:
   #
   #   Hello #{session[:person]}
   #
@@ -84,19 +88,10 @@ module ActionController
   # or you can remove the entire session with +reset_session+.
   #
   # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows him to see its contents.
+  # This prevents the user from tampering with the session but also allows them to see its contents.
   #
   # Do not put secret information in cookie-based sessions!
   #
-  # Other options for session storage:
-  #
-  # * ActiveRecord::SessionStore - Sessions are stored in your database, which works better than PStore with multiple app servers and,
-  #   unlike CookieStore, hides your session contents from the user. To use ActiveRecord::SessionStore, set
-  #
-  #     MyApplication::Application.config.session_store :active_record_store
-  #
-  #   in your <tt>config/initializers/session_store.rb</tt> and run <tt>script/rails g session_migration</tt>.
-  #
   # == Responses
   #
   # Each action results in a response, which holds the headers and document to be sent to the user's browser. The actual response
@@ -116,15 +111,15 @@ module ActionController
   #
   #   Title: <%= @post.title %>
   #
-  # You don't have to rely on the automated rendering. For example, actions that could result in the rendering of different templates 
+  # You don't have to rely on the automated rendering. For example, actions that could result in the rendering of different templates
   # will use the manual rendering methods:
   #
   #   def search
   #     @results = Search.find(params[:query])
   #     case @results.count
-  #       when 0 then render :action => "no_results"
-  #       when 1 then render :action => "show"
-  #       when 2..10 then render :action => "show_many"
+  #       when 0 then render action: "no_results"
+  #       when 1 then render action: "show"
+  #       when 2..10 then render action: "show_many"
   #     end
   #   end
   #
@@ -133,14 +128,14 @@ module ActionController
   # == Redirects
   #
   # Redirects are used to move from one action to another. For example, after a <tt>create</tt> action, which stores a blog entry to the
-  # database, we might like to show the user the new entry. Because we're following good DRY principles (Don't Repeat Yourself), we're 
+  # database, we might like to show the user the new entry. Because we're following good DRY principles (Don't Repeat Yourself), we're
   # going to reuse (and redirect to) a <tt>show</tt> action that we'll assume has already been created. The code might look like this:
   #
   #   def create
   #     @entry = Entry.new(params[:entry])
   #     if @entry.save
   #       # The entry was saved correctly, redirect to show
-  #       redirect_to :action => 'show', :id => @entry.id
+  #       redirect_to action: 'show', id: @entry.id
   #     else
   #       # things didn't go so well, do something else
   #     end
@@ -157,20 +152,48 @@ module ActionController
   # An action may contain only a single render or a single redirect. Attempting to try to do either again will result in a DoubleRenderError:
   #
   #   def do_something
-  #     redirect_to :action => "elsewhere"
-  #     render :action => "overthere" # raises DoubleRenderError
+  #     redirect_to action: "elsewhere"
+  #     render action: "overthere" # raises DoubleRenderError
   #   end
   #
   # If you need to redirect on the condition of something, then be sure to add "and return" to halt execution.
   #
   #   def do_something
-  #     redirect_to(:action => "elsewhere") and return if monkeys.nil?
-  #     render :action => "overthere" # won't be called if monkeys is nil
+  #     redirect_to(action: "elsewhere") and return if monkeys.nil?
+  #     render action: "overthere" # won't be called if monkeys is nil
   #   end
   #
   class Base < Metal
     abstract!
 
+    # We document the request and response methods here because albeit they are
+    # implemented in ActionController::Metal, the type of the returned objects
+    # is unknown at that level.
+
+    ##
+    # :method: request
+    #
+    # Returns an ActionDispatch::Request instance that represents the
+    # current request.
+
+    ##
+    # :method: response
+    #
+    # Returns an ActionDispatch::Response that represents the current
+    # response.
+
+    # Shortcut helper that returns all the modules included in
+    # ActionController::Base except the ones passed as arguments:
+    #
+    #   class MyBaseController < ActionController::Metal
+    #     ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
+    #       include left
+    #     end
+    #   end
+    #
+    # This gives better control over what you want to exclude and makes it
+    # easier to create a bare controller class, instead of listing the modules
+    # required manually.
     def self.without_modules(*modules)
       modules = modules.map do |m|
         m.is_a?(Symbol) ? ActionController.const_get(m) : m
@@ -180,34 +203,37 @@ module ActionController
     end
 
     MODULES = [
-      AbstractController::Layouts,
+      AbstractController::Rendering,
       AbstractController::Translation,
       AbstractController::AssetPaths,
 
       Helpers,
-      HideActions,
       UrlFor,
       Redirecting,
+      ActionView::Layouts,
       Rendering,
       Renderers::All,
       ConditionalGet,
-      RackDelegation,
+      EtagWithTemplateDigest,
+      EtagWithFlash,
       Caching,
       MimeResponds,
       ImplicitRender,
-
+      StrongParameters,
+      ParameterEncoding,
       Cookies,
       Flash,
+      FormBuilder,
       RequestForgeryProtection,
+      ContentSecurityPolicy,
       ForceSSL,
       Streaming,
       DataStreaming,
-      RecordIdentifier,
       HttpAuthentication::Basic::ControllerMethods,
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
 
-      # Before callbacks should also be executed the earliest as possible, so
+      # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.
       AbstractController::Callbacks,
 
@@ -226,10 +252,25 @@ module ActionController
     MODULES.each do |mod|
       include mod
     end
+    setup_renderer!
 
-    # Rails 2.x compatibility
-    include ActionController::Compatibility
+    # Define some internal variables that should not be propagated to the view.
+    PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + %i(
+      @_params @_response @_request @_config @_url_options @_action_has_layout @_view_context_class
+      @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
+    )
+
+    def _protected_ivars # :nodoc:
+      PROTECTED_IVARS
+    end
+
+    def self.make_response!(request)
+      ActionDispatch::Response.create.tap do |res|
+        res.request = request
+      end
+    end
 
+    ActiveSupport.run_load_hooks(:action_controller_base, self)
     ActiveSupport.run_load_hooks(:action_controller, self)
   end
 end

data/lib/action_controller/caching.rb

@@ -1,86 +1,46 @@
-require 'fileutils'
-require 'uri'
-require 'set'
+# frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController
   # \Caching is a cheap way of speeding up slow applications by keeping the result of
   # calculations, renderings, and database calls around for subsequent requests.
-  # Action Controller affords you three approaches in varying levels of granularity:
-  # Page, Action, Fragment.
   #
-  # You can read more about each approach and the sweeping assistance by clicking the
-  # modules below.
+  # You can read more about each approach by clicking the modules below.
   #
-  # Note: To turn off all caching and sweeping, set
-  #   config.action_controller.perform_caching = false.
+  # Note: To turn off all caching provided by Action Controller, set
+  #   config.action_controller.perform_caching = false
   #
   # == \Caching stores
   #
   # All the caching stores from ActiveSupport::Cache are available to be used as backends
-  # for Action Controller caching. This setting only affects action and fragment caching
-  # as page caching is always written to disk.
+  # for Action Controller caching.
   #
-  # Configuration examples (MemoryStore is the default):
+  # Configuration examples (FileStore is the default):
   #
   #   config.action_controller.cache_store = :memory_store
-  #   config.action_controller.cache_store = :file_store, "/path/to/cache/directory"
-  #   config.action_controller.cache_store = :mem_cache_store, "localhost"
-  #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new("localhost:11211")
-  #   config.action_controller.cache_store = MyOwnStore.new("parameter")
+  #   config.action_controller.cache_store = :file_store, '/path/to/cache/directory'
+  #   config.action_controller.cache_store = :mem_cache_store, 'localhost'
+  #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
+  #   config.action_controller.cache_store = MyOwnStore.new('parameter')
   module Caching
-    extend ActiveSupport::Concern
     extend ActiveSupport::Autoload
+    extend ActiveSupport::Concern
 
-    eager_autoload do
-      autoload :Actions
-      autoload :Fragments
-      autoload :Pages
-      autoload :Sweeper, 'action_controller/caching/sweeping'
-      autoload :Sweeping, 'action_controller/caching/sweeping'
+    included do
+      include AbstractController::Caching
     end
 
-    module ConfigMethods
-      def cache_store
-        config.cache_store
-      end
-
-      def cache_store=(store)
-        config.cache_store = ActiveSupport::Cache.lookup_store(store)
-      end
-
     private
 
-      def cache_configured?
-        perform_caching && cache_store
+      def instrument_payload(key)
+        {
+          controller: controller_name,
+          action: action_name,
+          key: key
+        }
       end
-    end
-
-    include RackDelegation
-    include AbstractController::Callbacks
 
-    include ConfigMethods
-    include Pages, Actions, Fragments
-    include Sweeping if defined?(ActiveRecord)
-
-    included do
-      extend ConfigMethods
-
-      config_accessor :perform_caching
-      self.perform_caching = true if perform_caching.nil?
-    end
-
-    def caching_allowed?
-      request.get? && response.status == 200
-    end
-
-  protected
-    # Convenience accessor
-    def cache(key, options = {}, &block)
-      if cache_configured?
-        cache_store.fetch(ActiveSupport::Cache.expand_cache_key(key, :controller), options, &block)
-      else
-        yield
+      def instrument_name
+        "action_controller".freeze
       end
-    end
   end
 end

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module ActionController
+  # Override the default form builder for all views rendered by this
+  # controller and any of its descendants. Accepts a subclass of
+  # +ActionView::Helpers::FormBuilder+.
+  #
+  # For example, given a form builder:
+  #
+  #   class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #     def special_field(name)
+  #     end
+  #   end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #   class AdminAreaController < ApplicationController
+  #     default_form_builder AdminFormBuilder
+  #   end
+  #
+  # Then in the view any form using +form_for+ will be an instance of the
+  # specified form builder:
+  #
+  #   <%= form_for(@instance) do |builder| %>
+  #     <%= builder.special_field(:name) %>
+  #   <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms
+      # in the views rendered by this controller and its subclasses.
+      #
+      # ==== Parameters
+      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -1,10 +1,12 @@
-require 'active_support/core_ext/object/blank'
+# frozen_string_literal: true
 
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
 
     def start_processing(event)
+      return unless logger.info?
+
       payload = event.payload
       params  = payload[:params].except(*INTERNAL_PARAMS)
       format  = payload[:format]
@@ -15,44 +17,54 @@ module ActionController
     end
 
     def process_action(event)
-      payload   = event.payload
-      additions = ActionController::Base.log_process_action(payload)
+      info do
+        payload   = event.payload
+        additions = ActionController::Base.log_process_action(payload)
 
-      status = payload[:status]
-      if status.nil? && payload[:exception].present?
-        exception_class_name = payload[:exception].first
-        status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
-      end
-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
-      message << " (#{additions.join(" | ")})" unless additions.blank?
+        status = payload[:status]
+        if status.nil? && payload[:exception].present?
+          exception_class_name = payload[:exception].first
+          status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+        end
+        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms".dup
+        message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
 
-      info(message)
+        message
+      end
     end
 
     def halted_callback(event)
-      info "Filter chain halted as #{event.payload[:filter]} rendered or redirected"
+      info { "Filter chain halted as #{event.payload[:filter].inspect} rendered or redirected" }
     end
 
     def send_file(event)
-      info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
+      info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
     end
 
     def redirect_to(event)
-      info "Redirected to #{event.payload[:location]}"
+      info { "Redirected to #{event.payload[:location]}" }
     end
 
     def send_data(event)
-      info("Sent data #{event.payload[:filename]}  (#{format_duration(event.duration)})")
+      info { "Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)" }
+    end
+
+    def unpermitted_parameters(event)
+      debug do
+        unpermitted_keys = event.payload[:keys]
+        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}"
+      end
     end
 
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{method}(event)
-          key_or_path = event.payload[:key] || event.payload[:path]
+          return unless logger.info? && ActionController::Base.enable_fragment_cache_logging
+          key         = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
           human_name  = #{method.to_s.humanize.inspect}
-          duration = format_duration(event.duration)
-          info("\#{human_name} \#{key_or_path} \#{duration}")
+          info("\#{human_name} \#{key} (\#{event.duration.round(1)}ms)")
         end
       METHOD
     end

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ActionController
+  module BasicImplicitRender # :nodoc:
+    def send_action(method, *args)
+      super.tap { default_render unless performed? }
+    end
+
+    def default_render(*args)
+      head :no_content
+    end
+  end
+end