actionpack 4.2.10 → 7.2.0.rc1

data/lib/action_controller/metal/params_wrapper.rb

@@ -1,26 +1,33 @@
-require 'active_support/core_ext/hash/slice'
-require 'active_support/core_ext/hash/except'
-require 'active_support/core_ext/module/anonymous'
-require 'active_support/core_ext/struct'
-require 'action_dispatch/http/mime_type'
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/core_ext/hash/slice"
+require "active_support/core_ext/hash/except"
+require "active_support/core_ext/module/anonymous"
+require "action_dispatch/http/mime_type"
 
 module ActionController
+  # # Action Controller Params Wrapper
+  #
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
-  # This functionality is enabled in +config/initializers/wrap_parameters.rb+
-  # and can be customized. If you are upgrading to \Rails 3.1, this file will
-  # need to be created for the functionality to be enabled.
+  # This functionality is enabled by default for JSON, and can be customized by
+  # setting the format array:
   #
-  # You could also turn it on per controller by setting the format array to
-  # a non-empty array:
+  #     class ApplicationController < ActionController::Base
+  #       wrap_parameters format: [:json, :xml]
+  #     end
+  #
+  # You could also turn it on per controller:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
   #     end
   #
-  # If you enable +ParamsWrapper+ for +:json+ format, instead of having to
-  # send JSON parameters like this:
+  # If you enable `ParamsWrapper` for `:json` format, instead of having to send
+  # JSON parameters like this:
   #
   #     {"user": {"name": "Konata"}}
   #
@@ -29,55 +36,56 @@ module ActionController
   #     {"name": "Konata"}
   #
   # And it will be wrapped into a nested hash with the key name matching the
-  # controller's name. For example, if you're posting to +UsersController+,
-  # your new +params+ hash will look like this:
+  # controller's name. For example, if you're posting to `UsersController`, your
+  # new `params` hash will look like this:
   #
   #     {"name" => "Konata", "user" => {"name" => "Konata"}}
   #
-  # You can also specify the key in which the parameters should be wrapped to,
-  # and also the list of attributes it should wrap by using either +:include+ or
-  # +:exclude+ options like this:
+  # You can also specify the key in which the parameters should be wrapped to, and
+  # also the list of attributes it should wrap by using either `:include` or
+  # `:exclude` options like this:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters :person, include: [:username, :password]
   #     end
   #
-  # On ActiveRecord models with no +:include+ or +:exclude+ option set,
-  # it will only wrap the parameters returned by the class method
-  # <tt>attribute_names</tt>.
+  # On Active Record models with no `:include` or `:exclude` option set, it will
+  # only wrap the parameters returned by the class method `attribute_names`.
   #
-  # If you're going to pass the parameters to an +ActiveModel+ object (such as
-  # <tt>User.new(params[:user])</tt>), you might consider passing the model class to
-  # the method instead. The +ParamsWrapper+ will actually try to determine the
-  # list of attribute names from the model and only wrap those attributes:
+  # If you're going to pass the parameters to an `ActiveModel` object (such as
+  # `User.new(params[:user])`), you might consider passing the model class to the
+  # method instead. The `ParamsWrapper` will actually try to determine the list of
+  # attribute names from the model and only wrap those attributes:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters Person
   #     end
   #
-  # You still could pass +:include+ and +:exclude+ to set the list of attributes
+  # You still could pass `:include` and `:exclude` to set the list of attributes
   # you want to wrap.
   #
   # By default, if you don't specify the key in which the parameters would be
-  # wrapped to, +ParamsWrapper+ will actually try to determine if there's
-  # a model related to it or not. This controller, for example:
+  # wrapped to, `ParamsWrapper` will actually try to determine if there's a model
+  # related to it or not. This controller, for example:
   #
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
-  # determine the wrapper key respectively. If both models don't exist,
-  # it will then fallback to use +user+ as the key.
+  # will try to check if `Admin::User` or `User` model exists, and use it to
+  # determine the wrapper key respectively. If both models don't exist, it will
+  # then fall back to use `user` as the key.
+  #
+  # To disable this functionality for a controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters false
+  #     end
   module ParamsWrapper
     extend ActiveSupport::Concern
 
     EXCLUDE_PARAMETERS = %w(authenticity_token _method utf8)
 
-    require 'mutex_m'
-
     class Options < Struct.new(:name, :format, :include, :exclude, :klass, :model) # :nodoc:
-      include Mutex_m
-
       def self.from_hash(hash)
         name    = hash[:name]
         format  = Array(hash[:format])
@@ -86,21 +94,22 @@ module ActionController
         new name, format, include, exclude, nil, nil
       end
 
-      def initialize(name, format, include, exclude, klass, model) # nodoc
+      def initialize(name, format, include, exclude, klass, model) # :nodoc:
         super
+        @mutex = Mutex.new
         @include_set = include
         @name_set    = name
       end
 
       def model
-        super || synchronize { super || self.model = _default_wrap_model }
+        super || self.model = _default_wrap_model
       end
 
       def include
         return super if @include_set
 
         m = model
-        synchronize do
+        @mutex.synchronize do
           return super if @include_set
 
           @include_set = true
@@ -108,6 +117,22 @@ module ActionController
           unless super || exclude
             if m.respond_to?(:attribute_names) && m.attribute_names.any?
               self.include = m.attribute_names
+
+              if m.respond_to?(:stored_attributes) && !m.stored_attributes.empty?
+                self.include += m.stored_attributes.values.flatten.map(&:to_s)
+              end
+
+              if m.respond_to?(:attribute_aliases) && m.attribute_aliases.any?
+                self.include += m.attribute_aliases.keys
+              end
+
+              if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
+                self.include += m.nested_attributes_options.keys.map do |key|
+                  (+key.to_s).concat("_attributes")
+                end
+              end
+
+              self.include
             end
           end
         end
@@ -117,7 +142,7 @@ module ActionController
         return super if @name_set
 
         m = model
-        synchronize do
+        @mutex.synchronize do
           return super if @name_set
 
           @name_set = true
@@ -130,35 +155,34 @@ module ActionController
       end
 
       private
-      # Determine the wrapper model from the controller's name. By convention,
-      # this could be done by trying to find the defined model that has the
-      # same singularize name as the controller. For example, +UsersController+
-      # will try to find if the +User+ model exists.
-      #
-      # This method also does namespace lookup. Foo::Bar::UsersController will
-      # try to find Foo::Bar::User, Foo::User and finally User.
-      def _default_wrap_model #:nodoc:
-        return nil if klass.anonymous?
-        model_name = klass.name.sub(/Controller$/, '').classify
-
-        begin
-          if model_klass = model_name.safe_constantize
-            model_klass
-          else
-            namespaces = model_name.split("::")
-            namespaces.delete_at(-2)
-            break if namespaces.last == model_name
-            model_name = namespaces.join("::")
-          end
-        end until model_klass
+        # Determine the wrapper model from the controller's name. By convention, this
+        # could be done by trying to find the defined model that has the same singular
+        # name as the controller. For example, `UsersController` will try to find if the
+        # `User` model exists.
+        #
+        # This method also does namespace lookup. Foo::Bar::UsersController will try to
+        # find Foo::Bar::User, Foo::User and finally User.
+        def _default_wrap_model
+          return nil if klass.anonymous?
+          model_name = klass.name.delete_suffix("Controller").classify
+
+          begin
+            if model_klass = model_name.safe_constantize
+              model_klass
+            else
+              namespaces = model_name.split("::")
+              namespaces.delete_at(-2)
+              break if namespaces.last == model_name
+              model_name = namespaces.join("::")
+            end
+          end until model_klass
 
-        model_klass
-      end
+          model_klass
+        end
     end
 
     included do
-      class_attribute :_wrapper_options
-      self._wrapper_options = Options.from_hash(format: [])
+      class_attribute :_wrapper_options, default: Options.from_hash(format: [])
     end
 
     module ClassMethods
@@ -166,33 +190,34 @@ module ActionController
         self._wrapper_options = Options.from_hash(options)
       end
 
-      # Sets the name of the wrapper key, or the model which +ParamsWrapper+
-      # would use to determine the attribute names from.
+      # Sets the name of the wrapper key, or the model which `ParamsWrapper` would use
+      # to determine the attribute names from.
+      #
+      # #### Examples
+      #     wrap_parameters format: :xml
+      #       # enables the parameter wrapper for XML format
       #
-      # ==== Examples
-      #   wrap_parameters format: :xml
-      #     # enables the parameter wrapper for XML format
+      #     wrap_parameters :person
+      #       # wraps parameters into +params[:person]+ hash
       #
-      #   wrap_parameters :person
-      #     # wraps parameters into +params[:person]+ hash
+      #     wrap_parameters Person
+      #       # wraps parameters by determining the wrapper key from Person class
+      #       # (+person+, in this case) and the list of attribute names
       #
-      #   wrap_parameters Person
-      #     # wraps parameters by determining the wrapper key from Person class
-      #     (+person+, in this case) and the list of attribute names
+      #     wrap_parameters include: [:username, :title]
+      #       # wraps only +:username+ and +:title+ attributes from parameters.
       #
-      #   wrap_parameters include: [:username, :title]
-      #     # wraps only +:username+ and +:title+ attributes from parameters.
+      #     wrap_parameters false
+      #       # disables parameters wrapping for this controller altogether.
       #
-      #   wrap_parameters false
-      #     # disables parameters wrapping for this controller altogether.
+      # #### Options
+      # *   `:format` - The list of formats in which the parameters wrapper will be
+      #     enabled.
+      # *   `:include` - The list of attribute names which parameters wrapper will
+      #     wrap into a nested hash.
+      # *   `:exclude` - The list of attribute names which parameters wrapper will
+      #     exclude from a nested hash.
       #
-      # ==== Options
-      # * <tt>:format</tt> - The list of formats in which the parameters wrapper
-      #   will be enabled.
-      # * <tt>:include</tt> - The list of attribute names which parameters wrapper
-      #   will wrap into a nested hash.
-      # * <tt>:exclude</tt> - The list of attribute names which parameters wrapper
-      #   will exclude from a nested hash.
       def wrap_parameters(name_or_model_or_options, options = {})
         model = nil
 
@@ -200,23 +225,22 @@ module ActionController
         when Hash
           options = name_or_model_or_options
         when false
-          options = options.merge(:format => [])
+          options = options.merge(format: [])
         when Symbol, String
-          options = options.merge(:name => name_or_model_or_options)
+          options = options.merge(name: name_or_model_or_options)
         else
           model = name_or_model_or_options
         end
 
-        opts   = Options.from_hash _wrapper_options.to_h.slice(:format).merge(options)
+        opts = Options.from_hash _wrapper_options.to_h.slice(:format).merge(options)
         opts.model = model
         opts.klass = self
 
         self._wrapper_options = opts
       end
 
-      # Sets the default wrapper key or model which will be used to determine
-      # wrapper key and attribute names. Will be called automatically when the
-      # module is inherited.
+      # Sets the default wrapper key or model which will be used to determine wrapper
+      # key and attribute names. Called automatically when the module is inherited.
       def inherited(klass)
         if klass._wrapper_options.format.any?
           params = klass._wrapper_options.dup
@@ -227,32 +251,15 @@ module ActionController
       end
     end
 
-    # Performs parameters wrapping upon the request. Will be called automatically
-    # by the metal call stack.
-    def process_action(*args)
-      if _wrapper_enabled?
-        if request.parameters[_wrapper_key].present?
-          wrapped_hash = _extract_parameters(request.parameters)
-        else
-          wrapped_hash = _wrap_parameters request.request_parameters
-        end
-
-        wrapped_keys = request.request_parameters.keys
-        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
-
-        # This will make the wrapped hash accessible from controller and view
-        request.parameters.merge! wrapped_hash
-        request.request_parameters.merge! wrapped_hash
-
-        # This will display the wrapped hash in the log file
-        request.filtered_parameters.merge! wrapped_filtered_hash
-      end
-      super
-    end
-
     private
+      # Performs parameters wrapping upon the request. Called automatically by the
+      # metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
 
-      # Returns the wrapper key which will be used to stored wrapped parameters.
+      # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name
       end
@@ -270,16 +277,36 @@ module ActionController
       def _extract_parameters(parameters)
         if include_only = _wrapper_options.include
           parameters.slice(*include_only)
+        elsif _wrapper_options.exclude
+          exclude = _wrapper_options.exclude + EXCLUDE_PARAMETERS
+          parameters.except(*exclude)
         else
-          exclude = _wrapper_options.exclude || []
-          parameters.except(*(exclude + EXCLUDE_PARAMETERS))
+          parameters.except(*EXCLUDE_PARAMETERS)
         end
       end
 
       # Checks if we should perform parameters wrapping.
       def _wrapper_enabled?
-        ref = request.content_mime_type.try(:ref)
-        _wrapper_formats.include?(ref) && _wrapper_key && !request.request_parameters[_wrapper_key]
+        return false unless request.has_content_type?
+
+        ref = request.content_mime_type.ref
+
+        _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
+      end
+
+      def _perform_parameter_wrapping
+        wrapped_hash = _wrap_parameters request.request_parameters
+        wrapped_keys = request.request_parameters.keys
+        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
+
+        # This will make the wrapped hash accessible from controller and view.
+        request.parameters.merge! wrapped_hash
+        request.request_parameters.merge! wrapped_hash
+
+        # This will display the wrapped hash in the log file.
+        request.filtered_parameters.merge! wrapped_filtered_hash
       end
   end
 end

data/lib/action_controller/metal/permissions_policy.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module PermissionsPolicy
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Overrides parts of the globally configured `Feature-Policy` header:
+      #
+      #     class PagesController < ApplicationController
+      #       permissions_policy do |policy|
+      #         policy.geolocation "https://example.com"
+      #       end
+      #     end
+      #
+      # Options can be passed similar to `before_action`. For example, pass `only:
+      # :index` to override the header on the index action only:
+      #
+      #     class PagesController < ApplicationController
+      #       permissions_policy(only: :index) do |policy|
+      #         policy.camera :self
+      #       end
+      #     end
+      #
+      def permissions_policy(**options, &block)
+        before_action(options) do
+          if block_given?
+            policy = request.permissions_policy.clone
+            instance_exec(policy, &block)
+            request.permissions_policy = policy
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/metal/rate_limiting.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module RateLimiting
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Applies a rate limit to all actions or those specified by the normal
+      # `before_action` filters with `only:` and `except:`.
+      #
+      # The maximum number of requests allowed is specified `to:` and constrained to
+      # the window of time given by `within:`.
+      #
+      # Rate limits are by default unique to the ip address making the request, but
+      # you can provide your own identity function by passing a callable in the `by:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Requests that exceed the rate limit are refused with a `429 Too Many Requests`
+      # response. You can specialize this by passing a callable in the `with:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Rate limiting relies on a backing `ActiveSupport::Cache` store and defaults to
+      # `config.action_controller.cache_store`, which itself defaults to the global
+      # `config.cache_store`. If you don't want to store rate limits in the same
+      # datastore as your general caches, you can pass a custom store in the `store`
+      # parameter.
+      #
+      # Examples:
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 10, within: 3.minutes, only: :create
+      #     end
+      #
+      #     class SignupsController < ApplicationController
+      #       rate_limit to: 1000, within: 10.seconds,
+      #         by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
+      #     end
+      #
+      #     class APIController < ApplicationController
+      #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
+      #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      end
+    end
+
+    private
+      def rate_limiting(to:, within:, by:, with:, store:)
+        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+        if count && count > to
+          ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
+            instance_exec(&with)
+          end
+        end
+      end
+  end
+end