actionpack 4.0.1 → 4.2.11.1

data/lib/action_controller/metal/strong_parameters.rb

@@ -1,8 +1,11 @@
 require 'active_support/core_ext/hash/indifferent_access'
 require 'active_support/core_ext/array/wrap'
+require 'active_support/core_ext/string/filters'
+require 'active_support/deprecation'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
 require 'stringio'
+require 'set'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -17,28 +20,30 @@ module ActionController
 
     def initialize(param) # :nodoc:
       @param = param
-      super("param not found: #{param}")
+      super("param is missing or the value is empty: #{param}")
     end
   end
 
-  # Raised when a supplied parameter is not expected.
+  # Raised when a supplied parameter is not expected and
+  # ActionController::Parameters.action_on_unpermitted_parameters
+  # is set to <tt>:raise</tt>.
   #
   #   params = ActionController::Parameters.new(a: "123", b: "456")
   #   params.permit(:c)
-  #   # => ActionController::UnpermittedParameters: found unexpected keys: a, b
+  #   # => ActionController::UnpermittedParameters: found unpermitted parameters: a, b
   class UnpermittedParameters < IndexError
     attr_reader :params # :nodoc:
 
     def initialize(params) # :nodoc:
       @params = params
-      super("found unpermitted parameters: #{params.join(", ")}")
+      super("found unpermitted parameter#{'s' if params.size > 1 }: #{params.join(", ")}")
     end
   end
 
   # == Action Controller \Parameters
   #
   # Allows to choose which attributes should be whitelisted for mass updating
-  # and thus prevent accidentally exposing that which shouldn’t be exposed.
+  # and thus prevent accidentally exposing that which shouldn't be exposed.
   # Provides two methods for this purpose: #require and #permit. The former is
   # used to mark parameters as required. The latter is used to set the parameter
   # as permitted and limit which attributes should be allowed for mass updating.
@@ -89,7 +94,11 @@ module ActionController
   #   params.permit(:c)
   #   # => ActionController::UnpermittedParameters: found unpermitted keys: a, b
   #
-  # <tt>ActionController::Parameters</tt> is inherited from
+  # Please note that these options *are not thread-safe*. In a multi-threaded
+  # environment they should only be set once at boot-time and never mutated at
+  # runtime.
+  #
+  # <tt>ActionController::Parameters</tt> inherits from
   # <tt>ActiveSupport::HashWithIndifferentAccess</tt>, this means
   # that you can fetch values using either <tt>:key</tt> or <tt>"key"</tt>.
   #
@@ -100,9 +109,25 @@ module ActionController
     cattr_accessor :permit_all_parameters, instance_accessor: false
     cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
 
-    # Never raise an UnpermittedParameters exception because of these params
-    # are present. They are added by Rails and it's of no concern.
-    NEVER_UNPERMITTED_PARAMS = %w( controller action )
+    # By default, never raise an UnpermittedParameters exception if these
+    # params are present. The default includes both 'controller' and 'action'
+    # because they are added by Rails and should be of no concern. One way
+    # to change these is to specify `always_permitted_parameters` in your
+    # config. For instance:
+    #
+    #    config.always_permitted_parameters = %w( controller action format )
+    cattr_accessor :always_permitted_parameters
+    self.always_permitted_parameters = %w( controller action )
+
+    def self.const_missing(const_name)
+      super unless const_name == :NEVER_UNPERMITTED_PARAMS
+      ActiveSupport::Deprecation.warn(<<-MSG.squish)
+        `ActionController::Parameters::NEVER_UNPERMITTED_PARAMS` has been deprecated.
+        Use `ActionController::Parameters.always_permitted_parameters` instead.
+      MSG
+
+      always_permitted_parameters
+    end
 
     # Returns a new instance of <tt>ActionController::Parameters</tt>.
     # Also, sets the +permitted+ attribute to the default value of
@@ -125,6 +150,54 @@ module ActionController
       @permitted = self.class.permit_all_parameters
     end
 
+    # Returns a safe +Hash+ representation of this parameter with all
+    # unpermitted keys removed.
+    #
+    #   params = ActionController::Parameters.new({
+    #     name: 'Senjougahara Hitagi',
+    #     oddity: 'Heavy stone crab'
+    #   })
+    #   params.to_h # => {}
+    #
+    #   safe_params = params.permit(:name)
+    #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
+    def to_h
+      if permitted?
+        to_hash
+      else
+        slice(*self.class.always_permitted_parameters).permit!.to_h
+      end
+    end
+
+    # Returns an unsafe, unfiltered +Hash+ representation of this parameter.
+    def to_unsafe_h
+      to_hash
+    end
+    alias_method :to_unsafe_hash, :to_unsafe_h
+
+    # Convert all hashes in values into parameters, then yield each pair like
+    # the same way as <tt>Hash#each_pair</tt>
+    def each_pair(&block)
+      super do |key, value|
+        convert_hashes_to_parameters(key, value)
+      end
+
+      super
+    end
+
+    alias_method :each, :each_pair
+
+    # Attribute that keeps track of converted arrays, if any, to avoid double
+    # looping in the common use case permit + mass-assignment. Defined in a
+    # method to instantiate it only if needed.
+    #
+    # Testing membership still loops, but it's going to be faster than our own
+    # loop that converts values. Also, we are not going to build a new array
+    # object per fetch.
+    def converted_arrays
+      @converted_arrays ||= Set.new
+    end
+
     # Returns +true+ if the parameter is permitted, +false+ otherwise.
     #
     #   params = ActionController::Parameters.new
@@ -149,8 +222,9 @@ module ActionController
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def permit!
       each_pair do |key, value|
-        convert_hashes_to_parameters(key, value)
-        self[key].permit! if self[key].respond_to? :permit!
+        Array.wrap(value).each do |v|
+          v.permit! if v.respond_to? :permit!
+        end
       end
 
       @permitted = true
@@ -170,7 +244,12 @@ module ActionController
     #   ActionController::Parameters.new(person: {}).require(:person)
     #   # => ActionController::ParameterMissing: param not found: person
     def require(key)
-      self[key].presence || raise(ParameterMissing.new(key))
+      value = self[key]
+      if value.present? || value == false
+        value
+      else
+        raise ParameterMissing.new(key)
+      end
     end
 
     # Alias of #require.
@@ -284,7 +363,7 @@ module ActionController
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
     def fetch(key, *args)
-      convert_hashes_to_parameters(key, super)
+      convert_hashes_to_parameters(key, super, false)
     rescue KeyError
       raise ActionController::ParameterMissing.new(key)
     end
@@ -297,11 +376,56 @@ module ActionController
     #   params.slice(:a, :b) # => {"a"=>1, "b"=>2}
     #   params.slice(:d)     # => {}
     def slice(*keys)
-      self.class.new(super).tap do |new_instance|
-        new_instance.instance_variable_set :@permitted, @permitted
+      new_instance_with_inherited_permitted_status(super)
+    end
+
+    # Removes and returns the key/value pairs matching the given keys.
+    #
+    #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
+    #   params.extract!(:a, :b) # => {"a"=>1, "b"=>2}
+    #   params                  # => {"c"=>3}
+    def extract!(*keys)
+      new_instance_with_inherited_permitted_status(super)
+    end
+
+    # Returns a new <tt>ActionController::Parameters</tt> with the results of
+    # running +block+ once for every value. The keys are unchanged.
+    #
+    #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
+    #   params.transform_values { |x| x * 2 }
+    #   # => {"a"=>2, "b"=>4, "c"=>6}
+    def transform_values
+      if block_given?
+        new_instance_with_inherited_permitted_status(super)
+      else
+        super
+      end
+    end
+
+    # This method is here only to make sure that the returned object has the
+    # correct +permitted+ status. It should not matter since the parent of
+    # this object is +HashWithIndifferentAccess+
+    def transform_keys # :nodoc:
+      if block_given?
+        new_instance_with_inherited_permitted_status(super)
+      else
+        super
       end
     end
 
+    # Deletes and returns a key-value pair from +Parameters+ whose key is equal
+    # to key. If the key is not found, returns the default value. If the
+    # optional code block is given and the key is not found, pass in the key
+    # and return the result of block.
+    def delete(key, &block)
+      convert_hashes_to_parameters(key, super, false)
+    end
+
+    # Equivalent to Hash#keep_if, but returns nil if no changes were made.
+    def select!(&block)
+      convert_value_to_parameters(super)
+    end
+
     # Returns an exact copy of the <tt>ActionController::Parameters</tt>
     # instance. +permitted+ state is kept on the duped object.
     #
@@ -312,17 +436,37 @@ module ActionController
     #   copy_params.permitted?   # => true
     def dup
       super.tap do |duplicate|
-        duplicate.instance_variable_set :@permitted, @permitted
+        duplicate.permitted = @permitted
       end
     end
 
+    protected
+      def permitted=(new_permitted)
+        @permitted = new_permitted
+      end
+
     private
-      def convert_hashes_to_parameters(key, value)
-        if value.is_a?(Parameters) || !value.is_a?(Hash)
+      def new_instance_with_inherited_permitted_status(hash)
+        self.class.new(hash).tap do |new_instance|
+          new_instance.permitted = @permitted
+        end
+      end
+
+      def convert_hashes_to_parameters(key, value, assign_if_converted=true)
+        converted = convert_value_to_parameters(value)
+        self[key] = converted if assign_if_converted && !converted.equal?(value)
+        converted
+      end
+
+      def convert_value_to_parameters(value)
+        if value.is_a?(Array) && !converted_arrays.member?(value)
+          converted = value.map { |_| convert_value_to_parameters(_) }
+          converted_arrays << converted
+          converted
+        elsif value.is_a?(Parameters) || !value.is_a?(Hash)
           value
         else
-          # Convert to Parameters on first access
-          self[key] = self.class.new(value)
+          self.class.new(value)
         end
       end
 
@@ -356,7 +500,7 @@ module ActionController
       end
 
       def unpermitted_keys(params)
-        self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+        self.keys - params.keys - self.always_permitted_parameters
       end
 
       #
@@ -478,7 +622,7 @@ module ActionController
   #       end
   #   end
   #
-  # In order to use <tt>accepts_nested_attribute_for</tt> with Strong \Parameters, you
+  # In order to use <tt>accepts_nested_attributes_for</tt> with Strong \Parameters, you
   # will need to specify which nested attributes should be whitelisted.
   #
   #   class Person

data/lib/action_controller/metal/testing.rb

@@ -17,7 +17,6 @@ module ActionController
 
       def recycle!
         @_url_options = nil
-        self.response_body = nil
         self.formats = nil
         self.params = nil
       end

data/lib/action_controller/metal/url_for.rb

@@ -23,25 +23,24 @@ module ActionController
     include AbstractController::UrlFor
 
     def url_options
-      @_url_options ||= super.reverse_merge(
+      @_url_options ||= {
         :host => request.host,
         :port => request.optional_port,
         :protocol => request.protocol,
-        :_recall => request.symbolized_path_parameters
-      ).freeze
+        :_recall => request.path_parameters
+      }.merge!(super).freeze
 
-      if (same_origin = _routes.equal?(env["action_dispatch.routes"])) ||
+      if (same_origin = _routes.equal?(env["action_dispatch.routes".freeze])) ||
          (script_name = env["ROUTES_#{_routes.object_id}_SCRIPT_NAME"]) ||
-         (original_script_name = env['ORIGINAL_SCRIPT_NAME'])
+         (original_script_name = env['ORIGINAL_SCRIPT_NAME'.freeze])
 
-        @_url_options.dup.tap do |options|
-          if original_script_name
-            options[:original_script_name] = original_script_name
-          else
-            options[:script_name] = same_origin ? request.script_name.dup : script_name
-          end
-          options.freeze
+        options = @_url_options.dup
+        if original_script_name
+          options[:original_script_name] = original_script_name
+        else
+          options[:script_name] = same_origin ? request.script_name.dup : script_name
         end
+        options.freeze
       else
         @_url_options
       end

data/lib/action_controller/metal.rb

@@ -30,10 +30,8 @@ module ActionController
       end
     end
 
-    def build(action, app=nil, &block)
-      app  ||= block
+    def build(action, app = Proc.new)
       action = action.to_s
-      raise "MiddlewareStack#build requires an app" unless app
 
       middlewares.reverse.inject(app) do |a, middleware|
         middleware.valid?(action) ? middleware.build(a) : a
@@ -70,7 +68,8 @@ module ActionController
   # can do the following:
   #
   #   class HelloController < ActionController::Metal
-  #     include ActionController::Rendering
+  #     include AbstractController::Rendering
+  #     include ActionView::Layouts
   #     append_view_path "#{Rails.root}/app/views"
   #
   #     def index
@@ -166,7 +165,7 @@ module ActionController
       headers["Location"] = url
     end
 
-    # basic url_for that can be overridden for more robust functionality
+    # Basic url_for that can be overridden for more robust functionality
     def url_for(string)
       string
     end
@@ -174,6 +173,7 @@ module ActionController
     def status
       @_status
     end
+    alias :response_code :status # :nodoc:
 
     def status=(status)
       @_status = Rack::Utils.status_code(status)
@@ -184,6 +184,7 @@ module ActionController
       super
     end
 
+    # Tests if render or redirect has already happened.
     def performed?
       response_body || (response && response.committed?)
     end
@@ -222,13 +223,18 @@ module ActionController
     # Makes the controller a Rack endpoint that runs the action in the given
     # +env+'s +action_dispatch.request.path_parameters+ key.
     def self.call(env)
-      action(env['action_dispatch.request.path_parameters'][:action]).call(env)
+      req = ActionDispatch::Request.new env
+      action(req.path_parameters[:action]).call(env)
     end
 
     # Returns a Rack endpoint for the given action name.
     def self.action(name, klass = ActionDispatch::Request)
-      middleware_stack.build(name.to_s) do |env|
-        new.dispatch(name, klass.new(env))
+      if middleware_stack.any?
+        middleware_stack.build(name) do |env|
+          new.dispatch(name, klass.new(env))
+        end
+      else
+        lambda { |env| new.dispatch(name, klass.new(env)) }
       end
     end
   end

data/lib/action_controller/model_naming.rb

@@ -6,7 +6,7 @@ module ActionController
     end
 
     def model_name_from_record_or_class(record_or_class)
-      (record_or_class.is_a?(Class) ? record_or_class : convert_to_model(record_or_class).class).model_name
+      convert_to_model(record_or_class).model_name
     end
   end
 end

data/lib/action_controller/railtie.rb

@@ -1,9 +1,9 @@
 require "rails"
 require "action_controller"
 require "action_dispatch/railtie"
-require "action_view/railtie"
 require "abstract_controller/railties/routes_helpers"
 require "action_controller/railties/helpers"
+require "action_view/railtie"
 
 module ActionController
   class Railtie < Rails::Railtie #:nodoc:
@@ -23,6 +23,10 @@ module ActionController
       options = app.config.action_controller
 
       ActionController::Parameters.permit_all_parameters = options.delete(:permit_all_parameters) { false }
+      if app.config.action_controller[:always_permitted_parameters]
+        ActionController::Parameters.always_permitted_parameters =
+          app.config.action_controller.delete(:always_permitted_parameters)
+      end
       ActionController::Parameters.action_on_unpermitted_parameters = options.delete(:action_on_unpermitted_parameters) do
         (Rails.env.test? || Rails.env.development?) ? :log : false
       end