actionpack 4.2.10 → 7.2.0.rc1

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  # # Action Controller Form Builder
+  #
+  # Override the default form builder for all views rendered by this controller
+  # and any of its descendants. Accepts a subclass of
+  # ActionView::Helpers::FormBuilder.
+  #
+  # For example, given a form builder:
+  #
+  #     class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #       def special_field(name)
+  #       end
+  #     end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #     class AdminAreaController < ApplicationController
+  #       default_form_builder AdminFormBuilder
+  #     end
+  #
+  # Then in the view any form using `form_for` will be an instance of the
+  # specified form builder:
+  #
+  #     <%= form_for(@instance) do |builder| %>
+  #       <%= builder.special_field(:name) %>
+  #     <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms in the views
+      # rendered by this controller and its subclasses.
+      #
+      # #### Parameters
+      # *   `builder` - Default form builder, an instance of
+      #     ActionView::Helpers::FormBuilder
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
@@ -6,71 +10,80 @@ module ActionController
       return unless logger.info?
 
       payload = event.payload
-      params  = payload[:params].except(*INTERNAL_PARAMS)
+      params = {}
+      payload[:params].each_pair do |k, v|
+        params[k] = v unless INTERNAL_PARAMS.include?(k)
+      end
       format  = payload[:format]
       format  = format.to_s.upcase if format.is_a?(Symbol)
+      format  = "*/*" if format.nil?
 
       info "Processing by #{payload[:controller]}##{payload[:action]} as #{format}"
       info "  Parameters: #{params.inspect}" unless params.empty?
     end
+    subscribe_log_level :start_processing, :info
 
     def process_action(event)
       info do
-        payload   = event.payload
+        payload = event.payload
         additions = ActionController::Base.log_process_action(payload)
-
         status = payload[:status]
-        if status.nil? && payload[:exception].present?
-          exception_class_name = payload[:exception].first
+
+        if status.nil? && (exception_class_name = payload[:exception]&.first)
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-        message << " (#{additions.join(" | ")})" unless additions.blank?
+
+        additions << "GC: #{event.gc_time.round(1)}ms"
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms" \
+                   " (#{additions.join(" | ")})"
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
         message
       end
     end
+    subscribe_log_level :process_action, :info
 
     def halted_callback(event)
       info { "Filter chain halted as #{event.payload[:filter].inspect} rendered or redirected" }
     end
+    subscribe_log_level :halted_callback, :info
 
     def send_file(event)
       info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
     end
+    subscribe_log_level :send_file, :info
 
     def redirect_to(event)
       info { "Redirected to #{event.payload[:location]}" }
     end
+    subscribe_log_level :redirect_to, :info
 
     def send_data(event)
       info { "Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)" }
     end
+    subscribe_log_level :send_data, :info
 
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.join(", ")}"
-      end
-    end
-
-    def deep_munge(event)
-      debug do
-        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
-        "to nil, because it was one of [], [null] or [null, null, ...]. "\
-        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
-        "for more information."\
+        display_unpermitted_keys = unpermitted_keys.map { |e| ":#{e}" }.join(", ")
+        context = event.payload[:context].map { |k, v| "#{k}: #{v}" }.join(", ")
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{display_unpermitted_keys}. Context: { #{context} }", RED)
       end
     end
+    subscribe_log_level :unpermitted_parameters, :debug
 
-    %w(write_fragment read_fragment exist_fragment?
-       expire_fragment expire_page write_page).each do |method|
+    %w(write_fragment read_fragment exist_fragment? expire_fragment).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        # frozen_string_literal: true
         def #{method}(event)
-          return unless logger.info?
-          key_or_path = event.payload[:key] || event.payload[:path]
+          return unless ActionController::Base.enable_fragment_cache_logging
+          key         = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
           human_name  = #{method.to_s.humanize.inspect}
-          info("\#{human_name} \#{key_or_path} (\#{event.duration.round(1)}ms)")
+          info("\#{human_name} \#{key} (\#{event.duration.round(1)}ms)")
         end
+        subscribe_log_level :#{method}, :info
       METHOD
     end
 

data/lib/action_controller/metal/allow_browser.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module AllowBrowser
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Specify the browser versions that will be allowed to access all actions (or
+      # some, as limited by `only:` or `except:`). Only browsers matched in the hash
+      # or named set passed to `versions:` will be blocked if they're below the
+      # versions specified. This means that all other browsers, as well as agents that
+      # aren't reporting a user-agent header, will be allowed access.
+      #
+      # A browser that's blocked will by default be served the file in
+      # public/406-unsupported-browser.html with a HTTP status code of "406 Not
+      # Acceptable".
+      #
+      # In addition to specifically named browser versions, you can also pass
+      # `:modern` as the set to restrict support to browsers natively supporting webp
+      # images, web push, badges, import maps, CSS nesting, and CSS :has. This
+      # includes Safari 17.2+, Chrome 120+, Firefox 121+, Opera 106+.
+      #
+      # You can use https://caniuse.com to check for browser versions supporting the
+      # features you use.
+      #
+      # You can use `ActiveSupport::Notifications` to subscribe to events of browsers
+      # being blocked using the `browser_block.action_controller` event name.
+      #
+      # Examples:
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
+      #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
+      #     end
+      #
+      #     class MessagesController < ApplicationController
+      #       # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
+      #       allow_browser versions: { opera: 104, chrome: 119 }, only: :show
+      #     end
+      def allow_browser(versions:, block: -> { render file: Rails.root.join("public/406-unsupported-browser.html"), layout: false, status: :not_acceptable }, **options)
+        before_action -> { allow_browser(versions: versions, block: block) }, **options
+      end
+    end
+
+    private
+      def allow_browser(versions:, block:)
+        require "useragent"
+
+        if BrowserBlocker.new(request, versions: versions).blocked?
+          ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
+            instance_exec(&block)
+          end
+        end
+      end
+
+      class BrowserBlocker
+        SETS = {
+          modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
+        }
+
+        attr_reader :request, :versions
+
+        def initialize(request, versions:)
+          @request, @versions = request, versions
+        end
+
+        def blocked?
+          user_agent_version_reported? && unsupported_browser?
+        end
+
+        private
+          def parsed_user_agent
+            @parsed_user_agent ||= UserAgent.parse(request.user_agent)
+          end
+
+          def user_agent_version_reported?
+            request.user_agent.present? && parsed_user_agent.version.to_s.present?
+          end
+
+          def unsupported_browser?
+            version_guarded_browser? && version_below_minimum_required?
+          end
+
+          def version_guarded_browser?
+            minimum_browser_version_for_browser != nil
+          end
+
+          def version_below_minimum_required?
+            if minimum_browser_version_for_browser
+              parsed_user_agent.version < UserAgent::Version.new(minimum_browser_version_for_browser.to_s)
+            else
+              true
+            end
+          end
+
+          def minimum_browser_version_for_browser
+            expanded_versions[normalized_browser_name]
+          end
+
+          def expanded_versions
+            @expanded_versions ||= (SETS[versions] || versions).with_indifferent_access
+          end
+
+          def normalized_browser_name
+            case name = parsed_user_agent.browser.downcase
+            when "internet explorer" then "ie"
+            else name
+            end
+          end
+      end
+  end
+end

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  module BasicImplicitRender # :nodoc:
+    def send_action(method, *args)
+      ret = super
+      default_render unless performed?
+      ret
+    end
+
+    def default_render
+      head :no_content
+    end
+  end
+end