actionpack 4.2.11.3 → 5.0.0.beta1

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,11 @@
+module ActionController
+  module BasicImplicitRender
+    def send_action(method, *args)
+      super.tap { default_render unless performed? }
+    end
+
+    def default_render(*args)
+      head :no_content
+    end
+  end
+end

data/lib/action_controller/metal/conditional_get.rb

@@ -4,7 +4,6 @@ module ActionController
   module ConditionalGet
     extend ActiveSupport::Concern
 
-    include RackDelegation
     include Head
 
     included do
@@ -15,7 +14,7 @@ module ActionController
     module ClassMethods
       # Allows you to consider additional controller-wide information when generating an ETag.
       # For example, if you serve pages tailored depending on who's logged in at the moment, you
-      # may want to add the current user id to be part of the ETag to prevent authorized displaying
+      # may want to add the current user id to be part of the ETag to prevent unauthorized displaying
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
@@ -40,7 +39,7 @@ module ActionController
     # * <tt>:etag</tt>.
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -51,21 +50,31 @@ module ActionController
     #
     #   def show
     #     @article = Article.find(params[:id])
-    #     fresh_when(etag: @article, last_modified: @article.created_at, public: true)
+    #     fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
     #   end
     #
     # This will render the show template if the request isn't sending a matching ETag or
     # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(@article)
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #     fresh_when(@articles)
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -77,18 +86,16 @@ module ActionController
     #
     #   before_action { fresh_when @article, template: 'widgets/show' }
     #
-    def fresh_when(record_or_options, additional_options = {})
-      if record_or_options.is_a? Hash
-        options = record_or_options
-        options.assert_valid_keys(:etag, :last_modified, :public, :template)
-      else
-        record  = record_or_options
-        options = { etag: record, last_modified: record.try(:updated_at) }.merge!(additional_options)
+    def fresh_when(object = nil, etag: object, last_modified: nil, public: false, template: nil)
+      last_modified ||= object.try(:updated_at) || object.try(:maximum, :updated_at)
+
+      if etag || template
+        response.etag = combine_etags(etag: etag, last_modified: last_modified,
+          public: public, template: template)
       end
 
-      response.etag          = combine_etags(options)   if options[:etag] || options[:template]
-      response.last_modified = options[:last_modified]  if options[:last_modified]
-      response.cache_control[:public] = true            if options[:public]
+      response.last_modified = last_modified if last_modified
+      response.cache_control[:public] = true if public
 
       head :not_modified if request.fresh?(response)
     end
@@ -103,7 +110,7 @@ module ActionController
     # * <tt>:etag</tt>.
     # * <tt>:last_modified</tt>.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -115,7 +122,7 @@ module ActionController
     #   def show
     #     @article = Article.find(params[:id])
     #
-    #     if stale?(etag: @article, last_modified: @article.created_at)
+    #     if stale?(etag: @article, last_modified: @article.updated_at)
     #       @statistics = @article.really_expensive_call
     #       respond_to do |format|
     #         # all the supported formats
@@ -123,8 +130,8 @@ module ActionController
     #     end
     #   end
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -137,7 +144,23 @@ module ActionController
     #     end
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #
+    #     if stale?(@articles)
+    #       @statistics = @articles.really_expensive_call
+    #       respond_to do |format|
+    #         # all the supported formats
+    #       end
+    #     end
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -157,8 +180,8 @@ module ActionController
     #     super if stale? @article, template: 'widgets/show'
     #   end
     #
-    def stale?(record_or_options, additional_options = {})
-      fresh_when(record_or_options, additional_options)
+    def stale?(object = nil, etag: object, last_modified: nil, public: nil, template: nil)
+      fresh_when(object, etag: etag, last_modified: last_modified, public: public, template: template)
       !request.fresh?(response)
     end
 
@@ -191,6 +214,24 @@ module ActionController
       response.cache_control.replace(:no_cache => true)
     end
 
+    # Cache or yield the block. The cache is supposed to never expire.
+    #
+    # You can use this method when you have a HTTP response that never changes,
+    # and the browser and proxies should cache it indefinitely.
+    #
+    # * +public+: By default, HTTP responses are private, cached only on the
+    #   user's web browser. To allow proxies to cache the response, set +true+ to
+    #   indicate that they can serve the cached response to all users.
+    #
+    # * +version+: the version passed as a key for the cache.
+    def http_cache_forever(public: false, version: 'v1')
+      expires_in 100.years, public: public
+
+      yield if stale?(etag: "#{version}-#{request.fullpath}",
+                      last_modified: Time.parse('2011-01-01').utc,
+                      public: public)
+    end
+
     private
       def combine_etags(options)
         etags = etaggers.map { |etagger| instance_exec(options, &etagger) }.compact

data/lib/action_controller/metal/cookies.rb

@@ -2,8 +2,6 @@ module ActionController #:nodoc:
   module Cookies
     extend ActiveSupport::Concern
 
-    include RackDelegation
-
     included do
       helper_method :cookies
     end

data/lib/action_controller/metal/data_streaming.rb

@@ -72,27 +72,7 @@ module ActionController #:nodoc:
 
         self.status = options[:status] || 200
         self.content_type = options[:content_type] if options.key?(:content_type)
-        self.response_body = FileBody.new(path)
-      end
-
-      # Avoid having to pass an open file handle as the response body.
-      # Rack::Sendfile will usually intercept the response and uses
-      # the path directly, so there is no reason to open the file.
-      class FileBody #:nodoc:
-        attr_reader :to_path
-
-        def initialize(path)
-          @to_path = path
-        end
-
-        # Stream the file's contents if Rack::Sendfile isn't present.
-        def each
-          File.open(to_path, 'rb') do |file|
-            while chunk = file.read(16384)
-              yield chunk
-            end
-          end
-        end
+        response.send_file path
       end
 
       # Sends the given binary data to the browser. This method is similar to
@@ -126,7 +106,7 @@ module ActionController #:nodoc:
       # See +send_file+ for more information on HTTP Content-* headers and caching.
       def send_data(data, options = {}) #:doc:
         send_file_headers! options
-        render options.slice(:status, :content_type).merge(:text => data)
+        render options.slice(:status, :content_type).merge(body: data)
       end
 
     private

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -25,7 +25,7 @@ module ActionController
       class_attribute :etag_with_template_digest
       self.etag_with_template_digest = true
 
-      ActiveSupport.on_load :action_view, yield: true do |action_view_base|
+      ActiveSupport.on_load :action_view, yield: true do
         etag do |options|
           determine_template_etag(options) if etag_with_template_digest
         end

data/lib/action_controller/metal/exceptions.rb

@@ -3,14 +3,19 @@ module ActionController
   end
 
   class BadRequest < ActionControllerError #:nodoc:
-    attr_reader :original_exception
+    def initialize(msg = nil, e = nil)
+      if e
+        ActiveSupport::Deprecation.warn("Passing #original_exception is deprecated and has no effect. " \
+                                        "Exceptions will automatically capture the original exception.", caller)
+      end
 
-    def initialize(type = nil, e = nil)
-      return super() unless type && e
+      super(msg)
+      set_backtrace $!.backtrace if $!
+    end
 
-      super("Invalid #{type} parameters: #{e.message}")
-      @original_exception = e
-      set_backtrace e.backtrace
+    def original_exception
+      ActiveSupport::Deprecation.warn("#original_exception is deprecated. Use #cause instead.", caller)
+      cause
     end
   end
 

data/lib/action_controller/metal/force_ssl.rb

@@ -55,10 +55,10 @@ module ActionController
       # You can pass any of the following options to affect the before_action callback
       # * <tt>only</tt>       - The callback should be run only for this action
       # * <tt>except</tt>     - The callback should be run for all actions except this action
-      # * <tt>if</tt>         - A symbol naming an instance method or a proc; the callback
-      #                         will be called only when it returns a true value.
-      # * <tt>unless</tt>     - A symbol naming an instance method or a proc; the callback
-      #                         will be called only when it returns a false value.
+      # * <tt>if</tt>         - A symbol naming an instance method or a proc; the
+      #   callback will be called only when it returns a true value.
+      # * <tt>unless</tt>     - A symbol naming an instance method or a proc; the
+      #   callback will be called only when it returns a false value.
       def force_ssl(options = {})
         action_options = options.slice(*ACTION_OPTIONS)
         redirect_options = options.except(*ACTION_OPTIONS)
@@ -71,8 +71,8 @@ module ActionController
     # Redirect the existing request to use the HTTPS protocol.
     #
     # ==== Parameters
-    # * <tt>host_or_options</tt> - Either a host name or any of the url & redirect options
-    #                              available to the <tt>force_ssl</tt> method.
+    # * <tt>host_or_options</tt> - Either a host name or any of the url &
+    #   redirect options available to the <tt>force_ssl</tt> method.
     def force_ssl_redirect(host_or_options = nil)
       unless request.ssl?
         options = {

data/lib/action_controller/metal/head.rb

@@ -17,8 +17,18 @@ module ActionController
     #
     # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
     def head(status, options = {})
-      options, status = status, nil if status.is_a?(Hash)
-      status ||= options.delete(:status) || :ok
+      if status.is_a?(Hash)
+        msg = status[:status] ? 'The :status option' : 'The implicit :ok status'
+        options, status = status, status.delete(:status)
+
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          #{msg} on `head` has been deprecated and will be removed in Rails 5.1.
+          Please pass the status as a separate parameter before the options, instead.
+        MSG
+      end
+
+      status ||= :ok
+
       location = options.delete(:location)
       content_type = options.delete(:content_type)
 
@@ -33,12 +43,9 @@ module ActionController
 
       if include_content?(self.response_code)
         self.content_type = content_type || (Mime[formats.first] if formats)
-        self.response.charset = false if self.response
-      else
-        headers.delete('Content-Type')
-        headers.delete('Content-Length')
+        self.response.charset = false
       end
-      
+
       true
     end
 

data/lib/action_controller/metal/helpers.rb

@@ -7,8 +7,8 @@ module ActionController
   # extract complicated logic or reusable functionality is strongly encouraged. By default, each controller
   # will include all helpers. These helpers are only accessible on the controller through <tt>.helpers</tt>
   #
-  # In previous versions of \Rails the controller will include a helper whose
-  # name matches that of the controller, e.g., <tt>MyController</tt> will automatically
+  # In previous versions of \Rails the controller will include a helper which
+  # matches the name of the controller, e.g., <tt>MyController</tt> will automatically
   # include <tt>MyHelper</tt>. To return old behavior set +config.action_controller.include_all_helpers+ to +false+.
   #
   # Additional helpers can be specified using the +helper+ class method in ActionController::Base or any
@@ -44,7 +44,7 @@ module ActionController
   # the output might look like this:
   #
   #   23 Aug 11:30 | Carolina Railhawks Soccer Match
-  #   N/A | Carolina Railhaws Training Workshop
+  #   N/A | Carolina Railhawks Training Workshop
   #
   module Helpers
     extend ActiveSupport::Concern
@@ -73,7 +73,7 @@ module ActionController
 
       # Provides a proxy to access helpers methods from outside the view.
       def helpers
-        @helper_proxy ||= begin 
+        @helper_proxy ||= begin
           proxy = ActionView::Base.new
           proxy.config = config.inheritable_copy
           proxy.extend(_helpers)
@@ -93,10 +93,14 @@ module ActionController
         super(args)
       end
 
+      # Returns a list of helper names in a given path.
+      #
+      #   ActionController::Base.all_helpers_from_path 'app/helpers'
+      #   # => ["application", "chart", "rubygems"]
       def all_helpers_from_path(path)
         helpers = Array(path).flat_map do |_path|
           extract = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1') }
+          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1'.freeze) }
           names.sort!
         end
         helpers.uniq!

data/lib/action_controller/metal/http_authentication.rb

@@ -1,5 +1,4 @@
 require 'base64'
-require 'active_support/security_utils'
 
 module ActionController
   # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
@@ -35,7 +34,7 @@ module ActionController
     #
     #       def authenticate
     #         case request.format
-    #         when Mime::XML, Mime::ATOM
+    #         when Mime[:xml], Mime[:atom]
     #           if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
     #             @current_user = user
     #           else
@@ -69,26 +68,22 @@ module ActionController
           def http_basic_authenticate_with(options = {})
             before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                # This comparison uses & so that it doesn't short circuit and
-                # uses `variable_size_secure_compare` so that length information
-                # isn't leaked.
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+                name == options[:name] && password == options[:password]
               end
             end
           end
         end
 
-        def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
-          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
+        def authenticate_or_request_with_http_basic(realm = "Application", message = nil, &login_procedure)
+          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm, message)
         end
 
         def authenticate_with_http_basic(&login_procedure)
           HttpAuthentication::Basic.authenticate(request, &login_procedure)
         end
 
-        def request_http_basic_authentication(realm = "Application")
-          HttpAuthentication::Basic.authentication_request(self, realm)
+        def request_http_basic_authentication(realm = "Application", message = nil)
+          HttpAuthentication::Basic.authentication_request(self, realm, message)
         end
       end
 
@@ -99,7 +94,7 @@ module ActionController
       end
 
       def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request) == 'Basic')
+        request.authorization.present? && (auth_scheme(request).downcase == 'basic')
       end
 
       def user_name_and_password(request)
@@ -111,21 +106,22 @@ module ActionController
       end
 
       def auth_scheme(request)
-        request.authorization.split(' ', 2).first
+        request.authorization.to_s.split(' ', 2).first
       end
 
       def auth_param(request)
-        request.authorization.split(' ', 2).second
+        request.authorization.to_s.split(' ', 2).second
       end
 
       def encode_credentials(user_name, password)
         "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
       end
 
-      def authentication_request(controller, realm)
-        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
+      def authentication_request(controller, realm, message)
+        message ||= "HTTP Basic: Access denied.\n"
+        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"'.freeze, "".freeze)}")
         controller.status = 401
-        controller.response_body = "HTTP Basic: Access denied.\n"
+        controller.response_body = message
       end
     end
 
@@ -175,8 +171,8 @@ module ActionController
       extend self
 
       module ControllerMethods
-        def authenticate_or_request_with_http_digest(realm = "Application", &password_procedure)
-          authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm)
+        def authenticate_or_request_with_http_digest(realm = "Application", message = nil, &password_procedure)
+          authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm, message)
         end
 
         # Authenticate with HTTP Digest, returns true or false
@@ -207,7 +203,7 @@ module ActionController
           password = password_procedure.call(credentials[:username])
           return false unless password
 
-          method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
+          method = request.get_header('rack.methodoverride.original_method') || request.get_header('REQUEST_METHOD')
           uri    = credentials[:uri]
 
           [true, false].any? do |trailing_question_mark|
@@ -264,8 +260,8 @@ module ActionController
       end
 
       def secret_token(request)
-        key_generator  = request.env["action_dispatch.key_generator"]
-        http_auth_salt = request.env["action_dispatch.http_auth_salt"]
+        key_generator  = request.key_generator
+        http_auth_salt = request.http_auth_salt
         key_generator.generate_key(http_auth_salt)
       end
 
@@ -319,7 +315,7 @@ module ActionController
         nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
       end
 
-      # Opaque based on random generation - but changing each request?
+      # Opaque based on digest of secret key
       def opaque(secret_key)
         ::Digest::MD5.hexdigest(secret_key)
       end
@@ -365,7 +361,7 @@ module ActionController
     #
     #       def authenticate
     #         case request.format
-    #         when Mime::XML, Mime::ATOM
+    #         when Mime[:xml], Mime[:atom]
     #           if user = authenticate_with_http_token { |t, o| @account.users.authenticate(t, o) }
     #             @current_user = user
     #           else
@@ -401,21 +397,21 @@ module ActionController
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
       TOKEN_KEY = 'token='
-      TOKEN_REGEX = /^Token /
+      TOKEN_REGEX = /^(Token|Bearer)\s+/
       AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
       extend self
 
       module ControllerMethods
-        def authenticate_or_request_with_http_token(realm = "Application", &login_procedure)
-          authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm)
+        def authenticate_or_request_with_http_token(realm = "Application", message = nil, &login_procedure)
+          authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
 
-        def request_http_token_authentication(realm = "Application")
-          Token.authentication_request(self, realm)
+        def request_http_token_authentication(realm = "Application", message = nil)
+          Token.authentication_request(self, realm, message)
         end
       end
 
@@ -440,15 +436,17 @@ module ActionController
         end
       end
 
-      # Parses the token and options out of the token authorization header. If
-      # the header looks like this:
+      # Parses the token and options out of the token authorization header.
+      # The value for the Authorization header is expected to have the prefix
+      # <tt>"Token"</tt> or <tt>"Bearer"</tt>. If the header looks like this:
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is "abc", and the options is {nonce: "def"}
+      # Then the returned token is <tt>"abc"</tt>, and the options are
+      # <tt>{nonce: "def"}</tt>
       #
       # request - ActionDispatch::Request instance with the current headers.
       #
-      # Returns an Array of [String, Hash] if a token is present.
-      # Returns nil if no token is found.
+      # Returns an +Array+ of <tt>[String, Hash]</tt> if a token is present.
+      # Returns +nil+ if no token is found.
       def token_and_options(request)
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
@@ -497,15 +495,16 @@ module ActionController
         "Token #{values * ", "}"
       end
 
-      # Sets a WWW-Authenticate to let the client know a token is desired.
+      # Sets a WWW-Authenticate header to let the client know a token is desired.
       #
       # controller - ActionController::Base instance for the outgoing response.
       # realm      - String realm to use in the header.
       #
       # Returns nothing.
-      def authentication_request(controller, realm)
-        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
-        controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
+      def authentication_request(controller, realm, message = nil)
+        message ||= "HTTP Token: Access denied.\n"
+        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"'.freeze, "".freeze)}")
+        controller.__send__ :render, plain: message, status: :unauthorized
       end
     end
   end