actionpack 4.2.11.3 → 5.0.0.beta1

data/lib/action_controller.rb

@@ -7,13 +7,15 @@ require 'action_controller/metal/strong_parameters'
 module ActionController
   extend ActiveSupport::Autoload
 
+  autoload :API
   autoload :Base
   autoload :Caching
   autoload :Metal
   autoload :Middleware
+  autoload :Renderer
+  autoload :FormBuilder
 
   autoload_under "metal" do
-    autoload :Compatibility
     autoload :ConditionalGet
     autoload :Cookies
     autoload :DataStreaming
@@ -22,13 +24,12 @@ module ActionController
     autoload :ForceSSL
     autoload :Head
     autoload :Helpers
-    autoload :HideActions
     autoload :HttpAuthentication
+    autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
     autoload :MimeResponds
     autoload :ParamsWrapper
-    autoload :RackDelegation
     autoload :Redirecting
     autoload :Renderers
     autoload :Rendering

data/lib/action_controller/api.rb

@@ -0,0 +1,146 @@
+require 'action_view'
+require 'action_controller'
+require 'action_controller/log_subscriber'
+
+module ActionController
+  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # created for applications that don't require all functionalities that a complete
+  # \Rails controller provides, allowing you to create controllers with just the
+  # features that you need for API only applications.
+  #
+  # An API Controller is different from a normal controller in the sense that
+  # by default it doesn't include a number of features that are usually required
+  # by browser access only: layouts and templates rendering, cookies, sessions,
+  # flash, assets, and so on. This makes the entire controller stack thinner,
+  # suitable for API applications. It doesn't mean you won't have such
+  # features if you need them: they're all available for you to include in
+  # your application, they're just not part of the default API Controller stack.
+  #
+  # By default, only the ApplicationController in a \Rails application inherits
+  # from <tt>ActionController::API</tt>. All other controllers in turn inherit
+  # from ApplicationController.
+  #
+  # A sample controller could look like this:
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       @posts = Post.all
+  #       render json: @posts
+  #     end
+  #   end
+  #
+  # Request, response and parameters objects all work the exact same way as
+  # <tt>ActionController::Base</tt>.
+  #
+  # == Renders
+  #
+  # The default API Controller stack includes all renderers, which means you
+  # can use <tt>render :json</tt> and brothers freely in your controllers. Keep
+  # in mind that templates are not going to be rendered, so you need to ensure
+  # your controller is calling either <tt>render</tt> or <tt>redirect</tt> in
+  # all actions, otherwise it will return 204 No Content response.
+  #
+  #   def show
+  #     @post = Post.find(params[:id])
+  #     render json: @post
+  #   end
+  #
+  # == Redirects
+  #
+  # Redirects are used to move from one action to another. You can use the
+  # <tt>redirect</tt> method in your controllers in the same way as
+  # <tt>ActionController::Base</tt>. For example:
+  #
+  #   def create
+  #     redirect_to root_url and return if not_authorized?
+  #     # do stuff here
+  #   end
+  #
+  # == Adding new behavior
+  #
+  # In some scenarios you may want to add back some functionality provided by
+  # <tt>ActionController::Base</tt> that is not present by default in
+  # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
+  # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
+  # you just need to include the module in a specific controller or in
+  # +ApplicationController+ in case you want it available in your entire
+  # application:
+  #
+  #   class ApplicationController < ActionController::API
+  #     include ActionController::MimeResponds
+  #   end
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       @posts = Post.all
+  #
+  #       respond_to do |format|
+  #         format.json { render json: @posts }
+  #         format.xml  { render xml: @posts }
+  #       end
+  #     end
+  #   end
+  #
+  # Quite straightforward. Make sure to check <tt>ActionController::Base</tt>
+  # available modules if you want to include any other functionality that is
+  # not provided by <tt>ActionController::API</tt> out of the box.
+  class API < Metal
+    abstract!
+
+    # Shortcut helper that returns all the ActionController::API modules except
+    # the ones passed as arguments:
+    #
+    #   class MyAPIBaseController < ActionController::Metal
+    #     ActionController::API.without_modules(:ForceSSL, :UrlFor).each do |left|
+    #       include left
+    #     end
+    #   end
+    #
+    # This gives better control over what you want to exclude and makes it easier
+    # to create an API controller class, instead of listing the modules required
+    # manually.
+    def self.without_modules(*modules)
+      modules = modules.map do |m|
+        m.is_a?(Symbol) ? ActionController.const_get(m) : m
+      end
+
+      MODULES - modules
+    end
+
+    MODULES = [
+      AbstractController::Rendering,
+
+      UrlFor,
+      Redirecting,
+      Rendering,
+      Renderers::All,
+      ConditionalGet,
+      BasicImplicitRender,
+      StrongParameters,
+
+      ForceSSL,
+      DataStreaming,
+
+      # Before callbacks should also be executed as early as possible, so
+      # also include them at the bottom.
+      AbstractController::Callbacks,
+
+      # Append rescue at the bottom to wrap as much as possible.
+      Rescue,
+
+      # Add instrumentations hooks at the bottom, to ensure they instrument
+      # all the methods properly.
+      Instrumentation,
+
+      # Params wrapper should come before instrumentation so they are
+      # properly showed in logs
+      ParamsWrapper
+    ]
+
+    MODULES.each do |mod|
+      include mod
+    end
+
+    ActiveSupport.run_load_hooks(:action_controller, self)
+  end
+end

data/lib/action_controller/base.rb

@@ -50,9 +50,9 @@ module ActionController
   #
   # == Parameters
   #
-  # All request parameters, whether they come from a GET or POST request, or from the URL, are available through the params method
-  # which returns a hash. For example, an action that was performed through <tt>/posts?category=All&limit=5</tt> will include
-  # <tt>{ "category" => "All", "limit" => "5" }</tt> in params.
+  # All request parameters, whether they come from a query string in the URL or form data submitted through a POST request are
+  # available through the params method which returns a hash. For example, an action that was performed through
+  # <tt>/posts?category=All&limit=5</tt> will include <tt>{ "category" => "All", "limit" => "5" }</tt> in params.
   #
   # It's also possible to construct multi-dimensional parameter hashes by specifying keys using brackets, such as:
   #
@@ -206,7 +206,6 @@ module ActionController
       AbstractController::AssetPaths,
 
       Helpers,
-      HideActions,
       UrlFor,
       Redirecting,
       ActionView::Layouts,
@@ -214,7 +213,6 @@ module ActionController
       Renderers::All,
       ConditionalGet,
       EtagWithTemplateDigest,
-      RackDelegation,
       Caching,
       MimeResponds,
       ImplicitRender,
@@ -222,6 +220,7 @@ module ActionController
 
       Cookies,
       Flash,
+      FormBuilder,
       RequestForgeryProtection,
       ForceSSL,
       Streaming,
@@ -249,20 +248,17 @@ module ActionController
     MODULES.each do |mod|
       include mod
     end
+    setup_renderer!
 
     # Define some internal variables that should not be propagated to the view.
     PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + [
-      :@_status, :@_headers, :@_params, :@_env, :@_response, :@_request,
+      :@_params, :@_response, :@_request,
       :@_view_runtime, :@_stream, :@_url_options, :@_action_has_layout ]
 
     def _protected_ivars # :nodoc:
       PROTECTED_IVARS
     end
 
-    def self.protected_instance_variables
-      PROTECTED_IVARS
-    end
-
     ActiveSupport.run_load_hooks(:action_controller, self)
   end
 end

data/lib/action_controller/caching.rb

@@ -1,6 +1,5 @@
 require 'fileutils'
 require 'uri'
-require 'set'
 
 module ActionController
   # \Caching is a cheap way of speeding up slow applications by keeping the result of
@@ -8,7 +7,7 @@ module ActionController
   #
   # You can read more about each approach by clicking the modules below.
   #
-  # Note: To turn off all caching, set
+  # Note: To turn off all caching provided by Action Controller, set
   #   config.action_controller.perform_caching = false
   #
   # == \Caching stores
@@ -46,7 +45,6 @@ module ActionController
         end
     end
 
-    include RackDelegation
     include AbstractController::Callbacks
 
     include ConfigMethods

data/lib/action_controller/caching/fragments.rb

@@ -14,12 +14,57 @@ module ActionController
     #
     #   expire_fragment('name_of_cache')
     module Fragments
+      extend ActiveSupport::Concern
+
+      included do
+        if respond_to?(:class_attribute)
+          class_attribute :fragment_cache_keys
+        else
+          mattr_writer :fragment_cache_keys
+        end
+
+        self.fragment_cache_keys = []
+
+        helper_method :fragment_cache_key if respond_to?(:helper_method)
+      end
+
+      module ClassMethods
+        # Allows you to specify controller-wide key prefixes for
+        # cache fragments. Pass either a constant +value+, or a block
+        # which computes a value each time a cache key is generated.
+        #
+        # For example, you may want to prefix all fragment cache keys
+        # with a global version identifier, so you can easily
+        # invalidate all caches.
+        #
+        #   class ApplicationController
+        #     fragment_cache_key "v1"
+        #   end
+        #
+        # When it's time to invalidate all fragments, simply change
+        # the string constant. Or, progressively roll out the cache
+        # invalidation using a computed value:
+        #
+        #   class ApplicationController
+        #     fragment_cache_key do
+        #       @account.id.odd? ? "v1" : "v2"
+        #     end
+        #   end
+        def fragment_cache_key(value = nil, &key)
+          self.fragment_cache_keys += [key || ->{ value }]
+        end
+      end
+
       # Given a key (as described in +expire_fragment+), returns
       # a key suitable for use in reading, writing, or expiring a
-      # cached fragment. All keys are prefixed with <tt>views/</tt> and uses
-      # ActiveSupport::Cache.expand_cache_key for the expansion.
+      # cached fragment. All keys begin with <tt>views/</tt>,
+      # followed by any controller-wide key prefix values, ending
+      # with the specified +key+ value. The key is expanded using
+      # ActiveSupport::Cache.expand_cache_key.
       def fragment_cache_key(key)
-        ActiveSupport::Cache.expand_cache_key(key.is_a?(Hash) ? url_for(key).split("://").last : key, :views)
+        head = self.class.fragment_cache_keys.map { |k| instance_exec(&k) }
+        tail = key.is_a?(Hash) ? url_for(key).split("://").last : key
+        ActiveSupport::Cache.expand_cache_key([*head, *tail], :views)
       end
 
       # Writes +content+ to the location signified by

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,48 @@
+module ActionController
+  # Override the default form builder for all views rendered by this
+  # controller and any of its descendants. Accepts a subclass of
+  # +ActionView::Helpers::FormBuilder+.
+  #
+  # For example, given a form builder:
+  #
+  #   class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #     def special_field(name)
+  #     end
+  #   end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #   class AdminAreaController < ApplicationController
+  #     default_form_builder AdminFormBuilder
+  #   end
+  #
+  # Then in the view any form using +form_for+ will be an instance of the
+  # specified form builder:
+  #
+  #   <%= form_for(@instance) do |builder| %>
+  #     <%= builder.special_field(:name) %>
+  #   <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms
+      # in the views rendered by this controller and its subclasses.
+      #
+      # ==== Parameters
+      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -25,7 +25,7 @@ module ActionController
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
         message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-        message << " (#{additions.join(" | ")})" unless additions.blank?
+        message << " (#{additions.join(" | ".freeze)})" unless additions.blank?
         message
       end
     end
@@ -53,15 +53,6 @@ module ActionController
       end
     end
 
-    def deep_munge(event)
-      debug do
-        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
-        "to nil, because it was one of [], [null] or [null, null, ...]. "\
-        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
-        "for more information."\
-      end
-    end
-
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1

data/lib/action_controller/metal.rb

@@ -1,5 +1,7 @@
 require 'active_support/core_ext/array/extract_options'
 require 'action_dispatch/middleware/stack'
+require 'action_dispatch/http/request'
+require 'action_dispatch/http/response'
 
 module ActionController
   # Extend ActionDispatch middleware stack to make it aware of options
@@ -11,22 +13,14 @@ module ActionController
   #
   class MiddlewareStack < ActionDispatch::MiddlewareStack #:nodoc:
     class Middleware < ActionDispatch::MiddlewareStack::Middleware #:nodoc:
-      def initialize(klass, *args, &block)
-        options = args.extract_options!
-        @only   = Array(options.delete(:only)).map(&:to_s)
-        @except = Array(options.delete(:except)).map(&:to_s)
-        args << options unless options.empty?
-        super
+      def initialize(klass, args, actions, strategy, block)
+        @actions = actions
+        @strategy = strategy
+        super(klass, args, block)
       end
 
       def valid?(action)
-        if @only.present?
-          @only.include?(action)
-        elsif @except.present?
-          !@except.include?(action)
-        else
-          true
-        end
+        @strategy.call @actions, action
       end
     end
 
@@ -37,6 +31,32 @@ module ActionController
         middleware.valid?(action) ? middleware.build(a) : a
       end
     end
+
+    private
+
+    INCLUDE = ->(list, action) { list.include? action }
+    EXCLUDE = ->(list, action) { !list.include? action }
+    NULL    = ->(list, action) { true }
+
+    def build_middleware(klass, args, block)
+      options = args.extract_options!
+      only   = Array(options.delete(:only)).map(&:to_s)
+      except = Array(options.delete(:except)).map(&:to_s)
+      args << options unless options.empty?
+
+      strategy = NULL
+      list     = nil
+
+      if only.any?
+        strategy = INCLUDE
+        list     = only
+      elsif except.any?
+        strategy = EXCLUDE
+        list     = except
+      end
+
+      Middleware.new(get_class(klass), args, list, strategy, block)
+    end
   end
 
   # <tt>ActionController::Metal</tt> is the simplest possible controller, providing a
@@ -98,11 +118,10 @@ module ActionController
   class Metal < AbstractController::Base
     abstract!
 
-    attr_internal_writer :env
-
     def env
-      @_env ||= {}
+      @_request.env
     end
+    deprecate :env
 
     # Returns the last part of the controller's name, underscored, without the ending
     # <tt>Controller</tt>. For instance, PostsController returns <tt>posts</tt>.
@@ -114,23 +133,23 @@ module ActionController
       @controller_name ||= name.demodulize.sub(/Controller$/, '').underscore
     end
 
+    def self.make_response!(request)
+      ActionDispatch::Response.create.tap do |res|
+        res.request = request
+      end
+    end
+
     # Delegates to the class' <tt>controller_name</tt>
     def controller_name
       self.class.controller_name
     end
 
-    # The details below can be overridden to support a specific
-    # Request and Response object. The default ActionController::Base
-    # implementation includes RackDelegation, which makes a request
-    # and response object available. You might wish to control the
-    # environment and response manually for performance reasons.
-
-    attr_internal :headers, :response, :request
+    attr_internal :response, :request
     delegate :session, :to => "@_request"
+    delegate :headers, :status=, :location=, :content_type=,
+             :status, :location, :content_type, :to => "@_response"
 
     def initialize
-      @_headers = {"Content-Type" => "text/html"}
-      @_status = 200
       @_request = nil
       @_response = nil
       @_routes = nil
@@ -145,60 +164,51 @@ module ActionController
       @_params = val
     end
 
-    # Basic implementations for content_type=, location=, and headers are
-    # provided to reduce the dependency on the RackDelegation module
-    # in Renderer and Redirector.
-
-    def content_type=(type)
-      headers["Content-Type"] = type.to_s
-    end
-
-    def content_type
-      headers["Content-Type"]
-    end
-
-    def location
-      headers["Location"]
-    end
-
-    def location=(url)
-      headers["Location"] = url
-    end
+    alias :response_code :status # :nodoc:
 
     # Basic url_for that can be overridden for more robust functionality
     def url_for(string)
       string
     end
 
-    def status
-      @_status
-    end
-    alias :response_code :status # :nodoc:
-
-    def status=(status)
-      @_status = Rack::Utils.status_code(status)
-    end
-
     def response_body=(body)
       body = [body] unless body.nil? || body.respond_to?(:each)
+      response.reset_body!
+      body.each { |part|
+        next if part.empty?
+        response.write part
+      }
       super
     end
 
     # Tests if render or redirect has already happened.
     def performed?
-      response_body || (response && response.committed?)
+      response_body || response.committed?
     end
 
-    def dispatch(name, request) #:nodoc:
-      @_request = request
-      @_env = request.env
-      @_env['action_controller.instance'] = self
+    def dispatch(name, request, response) #:nodoc:
+      set_request!(request)
+      set_response!(response)
       process(name)
+      request.commit_flash
       to_a
     end
 
+    def set_response!(response) # :nodoc:
+      @_response = response
+    end
+
+    def set_request!(request) #:nodoc:
+      @_request = request
+      @_request.controller_instance = self
+    end
+
     def to_a #:nodoc:
-      response ? response.to_a : [status, headers, response_body]
+      response.to_a
+    end
+
+    def reset_session
+      @_request.reset_session
     end
 
     class_attribute :middleware_stack
@@ -226,15 +236,32 @@ module ActionController
       req = ActionDispatch::Request.new env
       action(req.path_parameters[:action]).call(env)
     end
+    class << self; deprecate :call; end
 
     # Returns a Rack endpoint for the given action name.
-    def self.action(name, klass = ActionDispatch::Request)
+    def self.action(name)
       if middleware_stack.any?
         middleware_stack.build(name) do |env|
-          new.dispatch(name, klass.new(env))
+          req = ActionDispatch::Request.new(env)
+          res = make_response! req
+          new.dispatch(name, req, res)
         end
       else
-        lambda { |env| new.dispatch(name, klass.new(env)) }
+        lambda { |env|
+          req = ActionDispatch::Request.new(env)
+          res = make_response! req
+          new.dispatch(name, req, res)
+        }
+      end
+    end
+
+    # Direct dispatch to the controller.  Instantiates the controller, then
+    # executes the action named +name+.
+    def self.dispatch(name, req, res)
+      if middleware_stack.any?
+        middleware_stack.build(name) { |env| new.dispatch(name, req, res) }.call req.env
+      else
+        new.dispatch(name, req, res)
       end
     end
   end