actionpack 4.0.1 → 4.2.11.1

data/lib/abstract_controller/url_for.rb

@@ -11,7 +11,7 @@ module AbstractController
 
     def _routes
       raise "In order to use #url_for, you must include routing helpers explicitly. " \
-            "For instance, `include Rails.application.routes.url_helpers"
+            "For instance, `include Rails.application.routes.url_helpers`."
     end
 
     module ClassMethods

data/lib/abstract_controller.rb

@@ -10,12 +10,11 @@ module AbstractController
   autoload :Base
   autoload :Callbacks
   autoload :Collector
+  autoload :DoubleRenderError, "abstract_controller/rendering"
   autoload :Helpers
-  autoload :Layouts
   autoload :Logger
   autoload :Rendering
   autoload :Translation
   autoload :AssetPaths
-  autoload :ViewPaths
   autoload :UrlFor
 end

data/lib/action_controller/base.rb

@@ -1,9 +1,10 @@
+require 'action_view'
 require "action_controller/log_subscriber"
 require "action_controller/metal/params_wrapper"
 
 module ActionController
   # Action Controllers are the core of a web request in \Rails. They are made up of one or more actions that are executed
-  # on request and then either render a template or redirect to another action. An action is defined as a public method
+  # on request and then either it renders a template or redirects to another action. An action is defined as a public method
   # on the controller, which will automatically be made accessible to the web-server through \Rails Routes.
   #
   # By default, only the ApplicationController in a \Rails application inherits from <tt>ActionController::Base</tt>. All other
@@ -43,8 +44,8 @@ module ActionController
   # The full request object is available via the request accessor and is primarily used to query for HTTP headers:
   #
   #   def server_ip
-  #     location = request.env["SERVER_ADDR"]
-  #     render text: "This server hosted at #{location}"
+  #     location = request.env["REMOTE_ADDR"]
+  #     render plain: "This server hosted at #{location}"
   #   end
   #
   # == Parameters
@@ -85,7 +86,7 @@ module ActionController
   # or you can remove the entire session with +reset_session+.
   #
   # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows him to see its contents.
+  # This prevents the user from tampering with the session but also allows them to see its contents.
   #
   # Do not put secret information in cookie-based sessions!
   #
@@ -182,7 +183,7 @@ module ActionController
     # Shortcut helper that returns all the modules included in
     # ActionController::Base except the ones passed as arguments:
     #
-    #   class MetalController
+    #   class MyBaseController < ActionController::Metal
     #     ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
     #       include left
     #     end
@@ -200,7 +201,7 @@ module ActionController
     end
 
     MODULES = [
-      AbstractController::Layouts,
+      AbstractController::Rendering,
       AbstractController::Translation,
       AbstractController::AssetPaths,
 
@@ -208,9 +209,11 @@ module ActionController
       HideActions,
       UrlFor,
       Redirecting,
+      ActionView::Layouts,
       Rendering,
       Renderers::All,
       ConditionalGet,
+      EtagWithTemplateDigest,
       RackDelegation,
       Caching,
       MimeResponds,
@@ -223,7 +226,6 @@ module ActionController
       ForceSSL,
       Streaming,
       DataStreaming,
-      RecordIdentifier,
       HttpAuthentication::Basic::ControllerMethods,
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
@@ -249,10 +251,17 @@ module ActionController
     end
 
     # Define some internal variables that should not be propagated to the view.
-    self.protected_instance_variables = [
+    PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + [
       :@_status, :@_headers, :@_params, :@_env, :@_response, :@_request,
-      :@_view_runtime, :@_stream, :@_url_options, :@_action_has_layout
-    ]
+      :@_view_runtime, :@_stream, :@_url_options, :@_action_has_layout ]
+
+    def _protected_ivars # :nodoc:
+      PROTECTED_IVARS
+    end
+
+    def self.protected_instance_variables
+      PROTECTED_IVARS
+    end
 
     ActiveSupport.run_load_hooks(:action_controller, self)
   end

data/lib/action_controller/caching/fragments.rb

@@ -90,7 +90,13 @@ module ActionController
       end
 
       def instrument_fragment_cache(name, key) # :nodoc:
-        ActiveSupport::Notifications.instrument("#{name}.action_controller", :key => key){ yield }
+        payload = {
+          controller: controller_name,
+          action: action_name,
+          key: key
+        }
+
+        ActiveSupport::Notifications.instrument("#{name}.action_controller", payload) { yield }
       end
     end
   end

data/lib/action_controller/caching.rb

@@ -9,14 +9,14 @@ module ActionController
   # You can read more about each approach by clicking the modules below.
   #
   # Note: To turn off all caching, set
-  #   config.action_controller.perform_caching = false.
+  #   config.action_controller.perform_caching = false
   #
   # == \Caching stores
   #
   # All the caching stores from ActiveSupport::Cache are available to be used as backends
   # for Action Controller caching.
   #
-  # Configuration examples (MemoryStore is the default):
+  # Configuration examples (FileStore is the default):
   #
   #   config.action_controller.cache_store = :memory_store
   #   config.action_controller.cache_store = :file_store, '/path/to/cache/directory'
@@ -58,16 +58,6 @@ module ActionController
       config_accessor :default_static_extension
       self.default_static_extension ||= '.html'
 
-      def self.page_cache_extension=(extension)
-        ActiveSupport::Deprecation.deprecation_warning(:page_cache_extension, :default_static_extension)
-        self.default_static_extension = extension
-      end
-
-      def self.page_cache_extension
-        ActiveSupport::Deprecation.deprecation_warning(:page_cache_extension, :default_static_extension)
-        default_static_extension
-      end
-
       config_accessor :perform_caching
       self.perform_caching = true if perform_caching.nil?
 

data/lib/action_controller/log_subscriber.rb

@@ -1,4 +1,3 @@
-
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
@@ -16,41 +15,51 @@ module ActionController
     end
 
     def process_action(event)
-      return unless logger.info?
-
-      payload   = event.payload
-      additions = ActionController::Base.log_process_action(payload)
-
-      status = payload[:status]
-      if status.nil? && payload[:exception].present?
-        exception_class_name = payload[:exception].first
-        status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+      info do
+        payload   = event.payload
+        additions = ActionController::Base.log_process_action(payload)
+
+        status = payload[:status]
+        if status.nil? && payload[:exception].present?
+          exception_class_name = payload[:exception].first
+          status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+        end
+        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << " (#{additions.join(" | ")})" unless additions.blank?
+        message
       end
-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-      message << " (#{additions.join(" | ")})" unless additions.blank?
-
-      info(message)
     end
 
     def halted_callback(event)
-      info("Filter chain halted as #{event.payload[:filter]} rendered or redirected")
+      info { "Filter chain halted as #{event.payload[:filter].inspect} rendered or redirected" }
     end
 
     def send_file(event)
-      info("Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)")
+      info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
     end
 
     def redirect_to(event)
-      info("Redirected to #{event.payload[:location]}")
+      info { "Redirected to #{event.payload[:location]}" }
     end
 
     def send_data(event)
-      info("Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)")
+      info { "Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)" }
     end
 
     def unpermitted_parameters(event)
-      unpermitted_keys = event.payload[:keys]
-      debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}")
+      debug do
+        unpermitted_keys = event.payload[:keys]
+        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.join(", ")}"
+      end
+    end
+
+    def deep_munge(event)
+      debug do
+        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
+        "to nil, because it was one of [], [null] or [null, null, ...]. "\
+        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
+        "for more information."\
+      end
     end
 
     %w(write_fragment read_fragment exist_fragment?

data/lib/action_controller/metal/conditional_get.rb

@@ -13,9 +13,9 @@ module ActionController
     end
 
     module ClassMethods
-      # Allows you to consider additional controller-wide information when generating an etag.
+      # Allows you to consider additional controller-wide information when generating an ETag.
       # For example, if you serve pages tailored depending on who's logged in at the moment, you
-      # may want to add the current user id to be part of the etag to prevent authorized displaying
+      # may want to add the current user id to be part of the ETag to prevent authorized displaying
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
@@ -32,7 +32,7 @@ module ActionController
       end
     end
 
-    # Sets the etag, +last_modified+, or both on the response and renders a
+    # Sets the +etag+, +last_modified+, or both on the response and renders a
     # <tt>304 Not Modified</tt> response if the request is already fresh.
     #
     # === Parameters:
@@ -41,6 +41,11 @@ module ActionController
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    # * <tt>:template</tt> By default, the template digest for the current
+    #   controller/action is included in ETags. If the action renders a
+    #   different template, you can include its digest instead. If the action
+    #   doesn't render a template at all, you can pass <tt>template: false</tt>
+    #   to skip any attempt to check for a template digest.
     #
     # === Example:
     #
@@ -49,11 +54,11 @@ module ActionController
     #     fresh_when(etag: @article, last_modified: @article.created_at, public: true)
     #   end
     #
-    # This will render the show template if the request isn't sending a matching etag or
+    # This will render the show template if the request isn't sending a matching ETag or
     # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
     #
     # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the etag by passing the object itself.
+    # +updated_at+ and the +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -66,18 +71,24 @@ module ActionController
     #     @article = Article.find(params[:id])
     #     fresh_when(@article, public: true)
     #   end
+    #
+    # When rendering a different template than the default controller/action
+    # style, you can indicate which digest to include in the ETag:
+    #
+    #   before_action { fresh_when @article, template: 'widgets/show' }
+    #
     def fresh_when(record_or_options, additional_options = {})
       if record_or_options.is_a? Hash
         options = record_or_options
-        options.assert_valid_keys(:etag, :last_modified, :public)
+        options.assert_valid_keys(:etag, :last_modified, :public, :template)
       else
         record  = record_or_options
         options = { etag: record, last_modified: record.try(:updated_at) }.merge!(additional_options)
       end
 
-      response.etag          = combine_etags(options[:etag]) if options[:etag]
-      response.last_modified = options[:last_modified]       if options[:last_modified]
-      response.cache_control[:public] = true                 if options[:public]
+      response.etag          = combine_etags(options)   if options[:etag] || options[:template]
+      response.last_modified = options[:last_modified]  if options[:last_modified]
+      response.cache_control[:public] = true            if options[:public]
 
       head :not_modified if request.fresh?(response)
     end
@@ -93,6 +104,11 @@ module ActionController
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    # * <tt>:template</tt> By default, the template digest for the current
+    #   controller/action is included in ETags. If the action renders a
+    #   different template, you can include its digest instead. If the action
+    #   doesn't render a template at all, you can pass <tt>template: false</tt>
+    #   to skip any attempt to check for a template digest.
     #
     # === Example:
     #
@@ -108,7 +124,7 @@ module ActionController
     #   end
     #
     # You can also just pass a record where +last_modified+ will be set by calling
-    # updated_at and the etag by passing the object itself.
+    # +updated_at+ and the +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -133,6 +149,14 @@ module ActionController
     #       end
     #     end
     #   end
+    #
+    # When rendering a different template than the default controller/action
+    # style, you can indicate which digest to include in the ETag:
+    #
+    #   def show
+    #     super if stale? @article, template: 'widgets/show'
+    #   end
+    #
     def stale?(record_or_options, additional_options = {})
       fresh_when(record_or_options, additional_options)
       !request.fresh?(response)
@@ -168,8 +192,9 @@ module ActionController
     end
 
     private
-      def combine_etags(etag)
-        [ etag, *etaggers.map { |etagger| instance_exec(&etagger) }.compact ]
+      def combine_etags(options)
+        etags = etaggers.map { |etagger| instance_exec(options, &etagger) }.compact
+        etags.unshift options[:etag]
       end
   end
 end

data/lib/action_controller/metal/data_streaming.rb

@@ -96,7 +96,7 @@ module ActionController #:nodoc:
       end
 
       # Sends the given binary data to the browser. This method is similar to
-      # <tt>render text: data</tt>, but also allows you to specify whether
+      # <tt>render plain: data</tt>, but also allows you to specify whether
       # the browser should display the response as a file attachment (i.e. in a
       # download dialog) or as inline data. You may also set the content type,
       # the apparent file name, and other things.

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -0,0 +1,50 @@
+module ActionController
+  # When our views change, they should bubble up into HTTP cache freshness
+  # and bust browser caches. So the template digest for the current action
+  # is automatically included in the ETag.
+  #
+  # Enabled by default for apps that use Action View. Disable by setting
+  #
+  #   config.action_controller.etag_with_template_digest = false
+  #
+  # Override the template to digest by passing +:template+ to +fresh_when+
+  # and +stale?+ calls. For example:
+  #
+  #   # We're going to render widgets/show, not posts/show
+  #   fresh_when @post, template: 'widgets/show'
+  #
+  #   # We're not going to render a template, so omit it from the ETag.
+  #   fresh_when @post, template: false
+  #
+  module EtagWithTemplateDigest
+    extend ActiveSupport::Concern
+
+    include ActionController::ConditionalGet
+
+    included do
+      class_attribute :etag_with_template_digest
+      self.etag_with_template_digest = true
+
+      ActiveSupport.on_load :action_view, yield: true do |action_view_base|
+        etag do |options|
+          determine_template_etag(options) if etag_with_template_digest
+        end
+      end
+    end
+
+    private
+    def determine_template_etag(options)
+      if template = pick_template_for_etag(options)
+        lookup_and_digest_template(template)
+      end
+    end
+
+    def pick_template_for_etag(options)
+      options.fetch(:template) { "#{controller_name}/#{action_name}" }
+    end
+
+    def lookup_and_digest_template(template)
+      ActionView::Digestor.digest name: template, finder: lookup_context
+    end
+  end
+end

data/lib/action_controller/metal/exceptions.rb

@@ -25,7 +25,7 @@ module ActionController
     end
   end
 
-  class ActionController::UrlGenerationError < RoutingError #:nodoc:
+  class ActionController::UrlGenerationError < ActionControllerError #:nodoc:
   end
 
   class MethodNotAllowed < ActionControllerError #:nodoc:

data/lib/action_controller/metal/flash.rb

@@ -11,6 +11,23 @@ module ActionController #:nodoc:
     end
 
     module ClassMethods
+      # Creates new flash types. You can pass as many types as you want to create
+      # flash types other than the default <tt>alert</tt> and <tt>notice</tt> in
+      # your controllers and views. For instance:
+      #
+      #   # in application_controller.rb
+      #   class ApplicationController < ActionController::Base
+      #     add_flash_types :warning
+      #   end
+      #
+      #   # in your controller
+      #   redirect_to user_path(@user), warning: "Incomplete profile"
+      #
+      #   # in your view
+      #   <%= warning %>
+      #
+      # This method will automatically define a new method for each of the given
+      # names, and it will be available in your views.
       def add_flash_types(*types)
         types.each do |type|
           next if _flash_types.include?(type)

data/lib/action_controller/metal/force_ssl.rb

@@ -48,7 +48,7 @@ module ActionController
       # You can pass any of the following options to affect the redirect status and response
       # * <tt>status</tt>     - Redirect with a custom status (default is 301 Moved Permanently)
       # * <tt>flash</tt>      - Set a flash message when redirecting
-      # * <tt>alert</tt>      - Set a alert message when redirecting
+      # * <tt>alert</tt>      - Set an alert message when redirecting
       # * <tt>notice</tt>     - Set a notice message when redirecting
       #
       # ==== Action Options
@@ -85,7 +85,7 @@ module ActionController
         if host_or_options.is_a?(Hash)
           options.merge!(host_or_options)
         elsif host_or_options
-          options.merge!(:host => host_or_options)
+          options[:host] = host_or_options
         end
 
         secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS))

data/lib/action_controller/metal/head.rb

@@ -1,8 +1,6 @@
 module ActionController
   module Head
-    extend ActiveSupport::Concern
-
-    # Return a response that has no content (merely headers). The options
+    # Returns a response that has no content (merely headers). The options
     # argument is interpreted to be a hash of header names and values.
     # This allows you to easily return a response that consists only of
     # significant headers:
@@ -16,6 +14,8 @@ module ActionController
     #   return head(:method_not_allowed) unless request.post?
     #   return head(:bad_request) unless valid_request?
     #   render
+    #
+    # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
     def head(status, options = {})
       options, status = status, nil if status.is_a?(Hash)
       status ||= options.delete(:status) || :ok
@@ -29,15 +29,17 @@ module ActionController
       self.status = status
       self.location = url_for(location) if location
 
-      if include_content?(self.status)
+      self.response_body = ""
+
+      if include_content?(self.response_code)
         self.content_type = content_type || (Mime[formats.first] if formats)
         self.response.charset = false if self.response
-        self.response_body = " "
       else
         headers.delete('Content-Type')
         headers.delete('Content-Length')
-        self.response_body = ""
       end
+      
+      true
     end
 
     private

data/lib/action_controller/metal/helpers.rb

@@ -5,7 +5,7 @@ module ActionController
   #
   # In addition to using the standard template helpers provided, creating custom helpers to
   # extract complicated logic or reusable functionality is strongly encouraged. By default, each controller
-  # will include all helpers.
+  # will include all helpers. These helpers are only accessible on the controller through <tt>.helpers</tt>
   #
   # In previous versions of \Rails the controller will include a helper whose
   # name matches that of the controller, e.g., <tt>MyController</tt> will automatically
@@ -73,7 +73,11 @@ module ActionController
 
       # Provides a proxy to access helpers methods from outside the view.
       def helpers
-        @helper_proxy ||= ActionView::Base.new.extend(_helpers)
+        @helper_proxy ||= begin 
+          proxy = ActionView::Base.new
+          proxy.config = config.inheritable_copy
+          proxy.extend(_helpers)
+        end
       end
 
       # Overwrite modules_for_helpers to accept :all as argument, which loads