actionpack 4.1.16 → 4.2.0.beta1

data/lib/action_controller/metal/conditional_get.rb

@@ -41,6 +41,11 @@ module ActionController
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    # * <tt>:template</tt> By default, the template digest for the current
+    #   controller/action is included in ETags. If the action renders a
+    #   different template, you can include its digest instead. If the action
+    #   doesn't render a template at all, you can pass <tt>template: false</tt>
+    #   to skip any attempt to check for a template digest.
     #
     # === Example:
     #
@@ -66,18 +71,24 @@ module ActionController
     #     @article = Article.find(params[:id])
     #     fresh_when(@article, public: true)
     #   end
+    #
+    # When rendering a different template than the default controller/action
+    # style, you can indicate which digest to include in the ETag:
+    #
+    #   before_action { fresh_when @article, template: 'widgets/show' }
+    #
     def fresh_when(record_or_options, additional_options = {})
       if record_or_options.is_a? Hash
         options = record_or_options
-        options.assert_valid_keys(:etag, :last_modified, :public)
+        options.assert_valid_keys(:etag, :last_modified, :public, :template)
       else
         record  = record_or_options
         options = { etag: record, last_modified: record.try(:updated_at) }.merge!(additional_options)
       end
 
-      response.etag          = combine_etags(options[:etag]) if options[:etag]
-      response.last_modified = options[:last_modified]       if options[:last_modified]
-      response.cache_control[:public] = true                 if options[:public]
+      response.etag          = combine_etags(options)   if options[:etag] || options[:template]
+      response.last_modified = options[:last_modified]  if options[:last_modified]
+      response.cache_control[:public] = true            if options[:public]
 
       head :not_modified if request.fresh?(response)
     end
@@ -93,6 +104,11 @@ module ActionController
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    # * <tt>:template</tt> By default, the template digest for the current
+    #   controller/action is included in ETags. If the action renders a
+    #   different template, you can include its digest instead. If the action
+    #   doesn't render a template at all, you can pass <tt>template: false</tt>
+    #   to skip any attempt to check for a template digest.
     #
     # === Example:
     #
@@ -133,6 +149,14 @@ module ActionController
     #       end
     #     end
     #   end
+    #
+    # When rendering a different template than the default controller/action
+    # style, you can indicate which digest to include in the ETag:
+    #
+    #   def show
+    #     super if stale? @article, template: 'widgets/show'
+    #   end
+    #
     def stale?(record_or_options, additional_options = {})
       fresh_when(record_or_options, additional_options)
       !request.fresh?(response)
@@ -168,8 +192,9 @@ module ActionController
     end
 
     private
-      def combine_etags(etag)
-        [ etag, *etaggers.map { |etagger| instance_exec(&etagger) }.compact ]
+      def combine_etags(options)
+        etags = etaggers.map { |etagger| instance_exec(options, &etagger) }.compact
+        etags.unshift options[:etag]
       end
   end
 end

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -0,0 +1,50 @@
+module ActionController
+  # When our views change, they should bubble up into HTTP cache freshness
+  # and bust browser caches. So the template digest for the current action
+  # is automatically included in the ETag.
+  #
+  # Enabled by default for apps that use Action View. Disable by setting
+  #
+  #   config.action_controller.etag_with_template_digest = false
+  #
+  # Override the template to digest by passing `:template` to `fresh_when`
+  # and `stale?` calls. For example:
+  #
+  #   # We're going to render widgets/show, not posts/show
+  #   fresh_when @post, template: 'widgets/show'
+  #
+  #   # We're not going to render a template, so omit it from the ETag.
+  #   fresh_when @post, template: false
+  #
+  module EtagWithTemplateDigest
+    extend ActiveSupport::Concern
+
+    include ActionController::ConditionalGet
+
+    included do
+      class_attribute :etag_with_template_digest
+      self.etag_with_template_digest = true
+
+      ActiveSupport.on_load :action_view, yield: true do |action_view_base|
+        etag do |options|
+          determine_template_etag(options) if etag_with_template_digest
+        end
+      end
+    end
+
+    private
+    def determine_template_etag(options)
+      if template = pick_template_for_etag(options)
+        lookup_and_digest_template(template)
+      end
+    end
+
+    def pick_template_for_etag(options)
+      options.fetch(:template) { "#{controller_name}/#{action_name}" }
+    end
+
+    def lookup_and_digest_template(template)
+      ActionView::Digestor.digest name: template, finder: lookup_context
+    end
+  end
+end

data/lib/action_controller/metal/force_ssl.rb

@@ -85,7 +85,7 @@ module ActionController
         if host_or_options.is_a?(Hash)
           options.merge!(host_or_options)
         elsif host_or_options
-          options.merge!(:host => host_or_options)
+          options[:host] = host_or_options
         end
 
         secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS))

data/lib/action_controller/metal/head.rb

@@ -14,6 +14,8 @@ module ActionController
     #   return head(:method_not_allowed) unless request.post?
     #   return head(:bad_request) unless valid_request?
     #   render
+    #
+    # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
     def head(status, options = {})
       options, status = status, nil if status.is_a?(Hash)
       status ||= options.delete(:status) || :ok

data/lib/action_controller/metal/http_authentication.rb

@@ -1,5 +1,4 @@
 require 'base64'
-require 'active_support/security_utils'
 
 module ActionController
   # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@@ -71,11 +70,7 @@ module ActionController
           def http_basic_authenticate_with(options = {})
             before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                # This comparison uses & so that it doesn't short circuit and
-                # uses `variable_size_secure_compare` so that length information
-                # isn't leaked.
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+                name == options[:name] && password == options[:password]
               end
             end
           end
@@ -402,7 +397,6 @@ module ActionController
     #
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
-      TOKEN_KEY = 'token='
       TOKEN_REGEX = /^Token /
       AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
       extend self
@@ -477,13 +471,7 @@ module ActionController
       # pairs by the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
-
-        if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
-          _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
-        end
-
-        _raw_params
+        auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
       end
 
       # Encodes the given token and options into an Authorization header value.
@@ -493,7 +481,7 @@ module ActionController
       #
       # Returns String.
       def encode_credentials(token, options = {})
-        values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
+        values = ["token=#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
         end
         "Token #{values * ", "}"

data/lib/action_controller/metal/instrumentation.rb

@@ -28,13 +28,10 @@ module ActionController
       ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
 
       ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        begin
-          result = super
-          payload[:status] = response.status
-          result
-        ensure
-          append_info_to_payload(payload)
-        end
+        result = super
+        payload[:status] = response.status
+        append_info_to_payload(payload)
+        result
       end
     end
 

data/lib/action_controller/metal/live.rb

@@ -102,16 +102,30 @@ module ActionController
             end
           end
 
-          @stream.write "data: #{json}\n\n"
+          message = json.gsub("\n", "\ndata: ")
+          @stream.write "data: #{message}\n\n"
         end
     end
 
+    class ClientDisconnected < RuntimeError
+    end
+
     class Buffer < ActionDispatch::Response::Buffer #:nodoc:
       include MonitorMixin
 
+      # Ignore that the client has disconnected.
+      #
+      # If this value is `true`, calling `write` after the client
+      # disconnects will result in the written content being silently
+      # discarded. If this value is `false` (the default), a
+      # ClientDisconnected exception will be raised.
+      attr_accessor :ignore_disconnect
+
       def initialize(response)
         @error_callback = lambda { true }
         @cv = new_cond
+        @aborted = false
+        @ignore_disconnect = false
         super(response, SizedQueue.new(10))
       end
 
@@ -122,6 +136,17 @@ module ActionController
         end
 
         super
+
+        unless connected?
+          @buf.clear
+
+          unless @ignore_disconnect
+            # Raise ClientDisconnected, which is a RuntimeError (not an
+            # IOError), because that's more appropriate for something beyond
+            # the developer's control.
+            raise ClientDisconnected, "client disconnected"
+          end
+        end
       end
 
       def each
@@ -132,6 +157,10 @@ module ActionController
         @response.sent!
       end
 
+      # Write a 'close' event to the buffer; the producer/writing thread
+      # uses this to notify us that it's finished supplying content.
+      #
+      # See also #abort.
       def close
         synchronize do
           super
@@ -140,6 +169,26 @@ module ActionController
         end
       end
 
+      # Inform the producer/writing thread that the client has
+      # disconnected; the reading thread is no longer interested in
+      # anything that's being written.
+      #
+      # See also #close.
+      def abort
+        synchronize do
+          @aborted = true
+          @buf.clear
+        end
+      end
+
+      # Is the client still connected and waiting for content?
+      #
+      # The result of calling `write` when this is `false` is determined
+      # by `ignore_disconnect`.
+      def connected?
+        !@aborted
+      end
+
       def await_close
         synchronize do
           @cv.wait_until { @closed }
@@ -156,7 +205,7 @@ module ActionController
     end
 
     class Response < ActionDispatch::Response #:nodoc: all
-      class Header < DelegateClass(Hash)
+      class Header < DelegateClass(Hash) # :nodoc:
         def initialize(response, header)
           @response = response
           super(header)
@@ -254,10 +303,12 @@ module ActionController
       logger = ActionController::Base.logger
       return unless logger
 
-      message = "\n#{exception.class} (#{exception.message}):\n"
-      message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
-      message << "  " << exception.backtrace.join("\n  ")
-      logger.fatal("#{message}\n\n")
+      logger.fatal do
+        message = "\n#{exception.class} (#{exception.message}):\n"
+        message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
+        message << "  " << exception.backtrace.join("\n  ")
+        "#{message}\n\n"
+      end
     end
 
     def response_body=(body)

data/lib/action_controller/metal/mime_responds.rb

@@ -5,56 +5,22 @@ module ActionController #:nodoc:
   module MimeResponds
     extend ActiveSupport::Concern
 
-    included do
-      class_attribute :responder, :mimes_for_respond_to
-      self.responder = ActionController::Responder
-      clear_respond_to
-    end
-
     module ClassMethods
-      # Defines mime types that are rendered by default when invoking
-      # <tt>respond_with</tt>.
-      #
-      #   respond_to :html, :xml, :json
-      #
-      # Specifies that all actions in the controller respond to requests
-      # for <tt>:html</tt>, <tt>:xml</tt> and <tt>:json</tt>.
-      #
-      # To specify on per-action basis, use <tt>:only</tt> and
-      # <tt>:except</tt> with an array of actions or a single action:
-      #
-      #   respond_to :html
-      #   respond_to :xml, :json, except: [ :edit ]
-      #
-      # This specifies that all actions respond to <tt>:html</tt>
-      # and all actions except <tt>:edit</tt> respond to <tt>:xml</tt> and
-      # <tt>:json</tt>.
-      #
-      #   respond_to :json, only: :create
-      #
-      # This specifies that the <tt>:create</tt> action and no other responds
-      # to <tt>:json</tt>.
-      def respond_to(*mimes)
-        options = mimes.extract_options!
-
-        only_actions   = Array(options.delete(:only)).map(&:to_s)
-        except_actions = Array(options.delete(:except)).map(&:to_s)
-
-        new = mimes_for_respond_to.dup
-        mimes.each do |mime|
-          mime = mime.to_sym
-          new[mime]          = {}
-          new[mime][:only]   = only_actions   unless only_actions.empty?
-          new[mime][:except] = except_actions unless except_actions.empty?
-        end
-        self.mimes_for_respond_to = new.freeze
+      def respond_to(*)
+        raise NoMethodError, "The controller-level `respond_to' feature has " \
+          "been extracted to the `responders` gem. Add it to your Gemfile to " \
+          "continue using this feature:\n" \
+          "  gem 'responders', '~> 2.0'\n" \
+          "Consult the Rails upgrade guide for details."
       end
+    end
 
-      # Clear all mime types in <tt>respond_to</tt>.
-      #
-      def clear_respond_to
-        self.mimes_for_respond_to = Hash.new.freeze
-      end
+    def respond_with(*)
+      raise NoMethodError, "The `respond_with' feature has been extracted " \
+        "to the `responders` gem. Add it to your Gemfile to continue using " \
+        "this feature:\n" \
+        "  gem 'responders', '~> 2.0'\n" \
+        "Consult the Rails upgrade guide for details."
     end
 
     # Without web-service support, an action which collects the data for displaying a list of people
@@ -217,7 +183,7 @@ module ActionController #:nodoc:
     #     format.html.phone { redirect_to progress_path }
     #     format.html.none  { render "trash" }
     #   end
-    # 
+    #
     # Variants also support common `any`/`all` block that formats have.
     #
     # It works for both inline:
@@ -253,189 +219,13 @@ module ActionController #:nodoc:
     def respond_to(*mimes, &block)
       raise ArgumentError, "respond_to takes either types or a block, never both" if mimes.any? && block_given?
 
-      if collector = retrieve_collector_from_mimes(mimes, &block)
-        response = collector.response
-        response ? response.call : render({})
-      end
-    end
-
-    # For a given controller action, respond_with generates an appropriate
-    # response based on the mime-type requested by the client.
-    #
-    # If the method is called with just a resource, as in this example -
-    #
-    #   class PeopleController < ApplicationController
-    #     respond_to :html, :xml, :json
-    #
-    #     def index
-    #       @people = Person.all
-    #       respond_with @people
-    #     end
-    #   end
-    #
-    # then the mime-type of the response is typically selected based on the
-    # request's Accept header and the set of available formats declared
-    # by previous calls to the controller's class method +respond_to+. Alternatively
-    # the mime-type can be selected by explicitly setting <tt>request.format</tt> in
-    # the controller.
-    #
-    # If an acceptable format is not identified, the application returns a
-    # '406 - not acceptable' status. Otherwise, the default response is to render
-    # a template named after the current action and the selected format,
-    # e.g. <tt>index.html.erb</tt>. If no template is available, the behavior
-    # depends on the selected format:
-    #
-    # * for an html response - if the request method is +get+, an exception
-    #   is raised but for other requests such as +post+ the response
-    #   depends on whether the resource has any validation errors (i.e.
-    #   assuming that an attempt has been made to save the resource,
-    #   e.g. by a +create+ action) -
-    #   1. If there are no errors, i.e. the resource
-    #      was saved successfully, the response +redirect+'s to the resource
-    #      i.e. its +show+ action.
-    #   2. If there are validation errors, the response
-    #      renders a default action, which is <tt>:new</tt> for a
-    #      +post+ request or <tt>:edit</tt> for +patch+ or +put+.
-    #   Thus an example like this -
-    #
-    #     respond_to :html, :xml
-    #
-    #     def create
-    #       @user = User.new(params[:user])
-    #       flash[:notice] = 'User was successfully created.' if @user.save
-    #       respond_with(@user)
-    #     end
-    #
-    #   is equivalent, in the absence of <tt>create.html.erb</tt>, to -
-    #
-    #     def create
-    #       @user = User.new(params[:user])
-    #       respond_to do |format|
-    #         if @user.save
-    #           flash[:notice] = 'User was successfully created.'
-    #           format.html { redirect_to(@user) }
-    #           format.xml { render xml: @user }
-    #         else
-    #           format.html { render action: "new" }
-    #           format.xml { render xml: @user }
-    #         end
-    #       end
-    #     end
-    #
-    # * for a javascript request - if the template isn't found, an exception is
-    #   raised.
-    # * for other requests - i.e. data formats such as xml, json, csv etc, if
-    #   the resource passed to +respond_with+ responds to <code>to_<format></code>,
-    #   the method attempts to render the resource in the requested format
-    #   directly, e.g. for an xml request, the response is equivalent to calling
-    #   <code>render xml: resource</code>.
-    #
-    # === Nested resources
-    #
-    # As outlined above, the +resources+ argument passed to +respond_with+
-    # can play two roles. It can be used to generate the redirect url
-    # for successful html requests (e.g. for +create+ actions when
-    # no template exists), while for formats other than html and javascript
-    # it is the object that gets rendered, by being converted directly to the
-    # required format (again assuming no template exists).
-    #
-    # For redirecting successful html requests, +respond_with+ also supports
-    # the use of nested resources, which are supplied in the same way as
-    # in <code>form_for</code> and <code>polymorphic_url</code>. For example -
-    #
-    #   def create
-    #     @project = Project.find(params[:project_id])
-    #     @task = @project.comments.build(params[:task])
-    #     flash[:notice] = 'Task was successfully created.' if @task.save
-    #     respond_with(@project, @task)
-    #   end
-    #
-    # This would cause +respond_with+ to redirect to <code>project_task_url</code>
-    # instead of <code>task_url</code>. For request formats other than html or
-    # javascript, if multiple resources are passed in this way, it is the last
-    # one specified that is rendered.
-    #
-    # === Customizing response behavior
-    #
-    # Like +respond_to+, +respond_with+ may also be called with a block that
-    # can be used to overwrite any of the default responses, e.g. -
-    #
-    #   def create
-    #     @user = User.new(params[:user])
-    #     flash[:notice] = "User was successfully created." if @user.save
-    #
-    #     respond_with(@user) do |format|
-    #       format.html { render }
-    #     end
-    #   end
-    #
-    # The argument passed to the block is an ActionController::MimeResponds::Collector
-    # object which stores the responses for the formats defined within the
-    # block. Note that formats with responses defined explicitly in this way
-    # do not have to first be declared using the class method +respond_to+.
-    #
-    # Also, a hash passed to +respond_with+ immediately after the specified
-    # resource(s) is interpreted as a set of options relevant to all
-    # formats. Any option accepted by +render+ can be used, e.g.
-    #   respond_with @people, status: 200
-    # However, note that these options are ignored after an unsuccessful attempt
-    # to save a resource, e.g. when automatically rendering <tt>:new</tt>
-    # after a post request.
-    #
-    # Two additional options are relevant specifically to +respond_with+ -
-    # 1. <tt>:location</tt> - overwrites the default redirect location used after
-    #    a successful html +post+ request.
-    # 2. <tt>:action</tt> - overwrites the default render action used after an
-    #    unsuccessful html +post+ request.
-    def respond_with(*resources, &block)
-      if self.class.mimes_for_respond_to.empty?
-        raise "In order to use respond_with, first you need to declare the " \
-          "formats your controller responds to in the class level."
-      end
-
-      if collector = retrieve_collector_from_mimes(&block)
-        options = resources.size == 1 ? {} : resources.extract_options!
-        options = options.clone
-        options[:default_response] = collector.response
-        (options.delete(:responder) || self.class.responder).call(self, resources, options)
-      end
-    end
-
-  protected
-
-    # Collect mimes declared in the class method respond_to valid for the
-    # current action.
-    def collect_mimes_from_class_level #:nodoc:
-      action = action_name.to_s
-
-      self.class.mimes_for_respond_to.keys.select do |mime|
-        config = self.class.mimes_for_respond_to[mime]
-
-        if config[:except]
-          !config[:except].include?(action)
-        elsif config[:only]
-          config[:only].include?(action)
-        else
-          true
-        end
-      end
-    end
-
-    # Returns a Collector object containing the appropriate mime-type response
-    # for the current request, based on the available responses defined by a block.
-    # In typical usage this is the block passed to +respond_with+ or +respond_to+.
-    #
-    # Sends :not_acceptable to the client and returns nil if no suitable format
-    # is available.
-    def retrieve_collector_from_mimes(mimes=nil, &block) #:nodoc:
-      mimes ||= collect_mimes_from_class_level
       collector = Collector.new(mimes, request.variant)
       block.call(collector) if block_given?
-      format = collector.negotiate_format(request)
 
-      if format
+      if format = collector.negotiate_format(request)
         _process_format(format)
-        collector
+        response = collector.response
+        response ? response.call : render({})
       else
         raise ActionController::UnknownFormat
       end