actionpack 4.2.11.3 → 5.0.7.2

data/lib/action_controller/api/api_rendering.rb

@@ -0,0 +1,14 @@
+module ActionController
+  module ApiRendering
+    extend ActiveSupport::Concern
+
+    included do
+      include Rendering
+    end
+
+    def render_to_body(options = {})
+      _process_options(options)
+      super
+    end
+  end
+end

data/lib/action_controller/api.rb

@@ -0,0 +1,147 @@
+require 'action_view'
+require 'action_controller'
+require 'action_controller/log_subscriber'
+
+module ActionController
+  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # created for applications that don't require all functionalities that a complete
+  # \Rails controller provides, allowing you to create controllers with just the
+  # features that you need for API only applications.
+  #
+  # An API Controller is different from a normal controller in the sense that
+  # by default it doesn't include a number of features that are usually required
+  # by browser access only: layouts and templates rendering, cookies, sessions,
+  # flash, assets, and so on. This makes the entire controller stack thinner,
+  # suitable for API applications. It doesn't mean you won't have such
+  # features if you need them: they're all available for you to include in
+  # your application, they're just not part of the default API controller stack.
+  #
+  # Normally, +ApplicationController+ is the only controller that inherits from
+  # <tt>ActionController::API</tt>. All other controllers in turn inherit from
+  # +ApplicationController+.
+  #
+  # A sample controller could look like this:
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       posts = Post.all
+  #       render json: posts
+  #     end
+  #   end
+  #
+  # Request, response, and parameters objects all work the exact same way as
+  # <tt>ActionController::Base</tt>.
+  #
+  # == Renders
+  #
+  # The default API Controller stack includes all renderers, which means you
+  # can use <tt>render :json</tt> and brothers freely in your controllers. Keep
+  # in mind that templates are not going to be rendered, so you need to ensure
+  # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
+  # all actions, otherwise it will return 204 No Content.
+  #
+  #   def show
+  #     post = Post.find(params[:id])
+  #     render json: post
+  #   end
+  #
+  # == Redirects
+  #
+  # Redirects are used to move from one action to another. You can use the
+  # <tt>redirect_to</tt> method in your controllers in the same way as in
+  # <tt>ActionController::Base</tt>. For example:
+  #
+  #   def create
+  #     redirect_to root_url and return if not_authorized?
+  #     # do stuff here
+  #   end
+  #
+  # == Adding New Behavior
+  #
+  # In some scenarios you may want to add back some functionality provided by
+  # <tt>ActionController::Base</tt> that is not present by default in
+  # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
+  # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
+  # you just need to include the module in a specific controller or in
+  # +ApplicationController+ in case you want it available in your entire
+  # application:
+  #
+  #   class ApplicationController < ActionController::API
+  #     include ActionController::MimeResponds
+  #   end
+  #
+  #   class PostsController < ApplicationController
+  #     def index
+  #       posts = Post.all
+  #
+  #       respond_to do |format|
+  #         format.json { render json: posts }
+  #         format.xml  { render xml: posts }
+  #       end
+  #     end
+  #   end
+  #
+  # Quite straightforward. Make sure to check the modules included in
+  # <tt>ActionController::Base</tt> if you want to use any other
+  # functionality that is not provided by <tt>ActionController::API</tt>
+  # out of the box.
+  class API < Metal
+    abstract!
+
+    # Shortcut helper that returns all the ActionController::API modules except
+    # the ones passed as arguments:
+    #
+    #   class MyAPIBaseController < ActionController::Metal
+    #     ActionController::API.without_modules(:ForceSSL, :UrlFor).each do |left|
+    #       include left
+    #     end
+    #   end
+    #
+    # This gives better control over what you want to exclude and makes it easier
+    # to create an API controller class, instead of listing the modules required
+    # manually.
+    def self.without_modules(*modules)
+      modules = modules.map do |m|
+        m.is_a?(Symbol) ? ActionController.const_get(m) : m
+      end
+
+      MODULES - modules
+    end
+
+    MODULES = [
+      AbstractController::Rendering,
+
+      UrlFor,
+      Redirecting,
+      ApiRendering,
+      Renderers::All,
+      ConditionalGet,
+      BasicImplicitRender,
+      StrongParameters,
+
+      ForceSSL,
+      DataStreaming,
+
+      # Before callbacks should also be executed as early as possible, so
+      # also include them at the bottom.
+      AbstractController::Callbacks,
+
+      # Append rescue at the bottom to wrap as much as possible.
+      Rescue,
+
+      # Add instrumentations hooks at the bottom, to ensure they instrument
+      # all the methods properly.
+      Instrumentation,
+
+      # Params wrapper should come before instrumentation so they are
+      # properly showed in logs
+      ParamsWrapper
+    ]
+
+    MODULES.each do |mod|
+      include mod
+    end
+
+    ActiveSupport.run_load_hooks(:action_controller, self)
+  end
+end

data/lib/action_controller/base.rb

@@ -50,9 +50,9 @@ module ActionController
   #
   # == Parameters
   #
-  # All request parameters, whether they come from a GET or POST request, or from the URL, are available through the params method
-  # which returns a hash. For example, an action that was performed through <tt>/posts?category=All&limit=5</tt> will include
-  # <tt>{ "category" => "All", "limit" => "5" }</tt> in params.
+  # All request parameters, whether they come from a query string in the URL or form data submitted through a POST request are
+  # available through the params method which returns a hash. For example, an action that was performed through
+  # <tt>/posts?category=All&limit=5</tt> will include <tt>{ "category" => "All", "limit" => "5" }</tt> in params.
   #
   # It's also possible to construct multi-dimensional parameter hashes by specifying keys using brackets, such as:
   #
@@ -206,7 +206,6 @@ module ActionController
       AbstractController::AssetPaths,
 
       Helpers,
-      HideActions,
       UrlFor,
       Redirecting,
       ActionView::Layouts,
@@ -214,7 +213,6 @@ module ActionController
       Renderers::All,
       ConditionalGet,
       EtagWithTemplateDigest,
-      RackDelegation,
       Caching,
       MimeResponds,
       ImplicitRender,
@@ -222,6 +220,7 @@ module ActionController
 
       Cookies,
       Flash,
+      FormBuilder,
       RequestForgeryProtection,
       ForceSSL,
       Streaming,
@@ -230,7 +229,7 @@ module ActionController
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
 
-      # Before callbacks should also be executed the earliest as possible, so
+      # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.
       AbstractController::Callbacks,
 
@@ -249,18 +248,22 @@ module ActionController
     MODULES.each do |mod|
       include mod
     end
+    setup_renderer!
 
     # Define some internal variables that should not be propagated to the view.
-    PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + [
-      :@_status, :@_headers, :@_params, :@_env, :@_response, :@_request,
-      :@_view_runtime, :@_stream, :@_url_options, :@_action_has_layout ]
+    PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + %i(
+      @_params @_response @_request @_config @_url_options @_action_has_layout @_view_context_class
+      @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
+    )
 
     def _protected_ivars # :nodoc:
       PROTECTED_IVARS
     end
 
-    def self.protected_instance_variables
-      PROTECTED_IVARS
+    def self.make_response!(request)
+      ActionDispatch::Response.create.tap do |res|
+        res.request = request
+      end
     end
 
     ActiveSupport.run_load_hooks(:action_controller, self)

data/lib/action_controller/caching.rb

@@ -1,14 +1,10 @@
-require 'fileutils'
-require 'uri'
-require 'set'
-
 module ActionController
   # \Caching is a cheap way of speeding up slow applications by keeping the result of
   # calculations, renderings, and database calls around for subsequent requests.
   #
   # You can read more about each approach by clicking the modules below.
   #
-  # Note: To turn off all caching, set
+  # Note: To turn off all caching provided by Action Controller, set
   #   config.action_controller.perform_caching = false
   #
   # == \Caching stores
@@ -24,66 +20,25 @@ module ActionController
   #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
   #   config.action_controller.cache_store = MyOwnStore.new('parameter')
   module Caching
-    extend ActiveSupport::Concern
     extend ActiveSupport::Autoload
-
-    eager_autoload do
-      autoload :Fragments
-    end
-
-    module ConfigMethods
-      def cache_store
-        config.cache_store
-      end
-
-      def cache_store=(store)
-        config.cache_store = ActiveSupport::Cache.lookup_store(store)
-      end
-
-      private
-        def cache_configured?
-          perform_caching && cache_store
-        end
-    end
-
-    include RackDelegation
-    include AbstractController::Callbacks
-
-    include ConfigMethods
-    include Fragments
+    extend ActiveSupport::Concern
 
     included do
-      extend ConfigMethods
-
-      config_accessor :default_static_extension
-      self.default_static_extension ||= '.html'
-
-      config_accessor :perform_caching
-      self.perform_caching = true if perform_caching.nil?
-
-      class_attribute :_view_cache_dependencies
-      self._view_cache_dependencies = []
-      helper_method :view_cache_dependencies if respond_to?(:helper_method)
+      include AbstractController::Caching
     end
 
-    module ClassMethods
-      def view_cache_dependency(&dependency)
-        self._view_cache_dependencies += [dependency]
-      end
-    end
+    private
 
-    def view_cache_dependencies
-      self.class._view_cache_dependencies.map { |dep| instance_exec(&dep) }.compact
-    end
+      def instrument_payload(key)
+        {
+          controller: controller_name,
+          action: action_name,
+          key: key
+        }
+      end
 
-    protected
-      # Convenience accessor.
-      def cache(key, options = {}, &block)
-        if cache_configured?
-          cache_store.fetch(ActiveSupport::Cache.expand_cache_key(key, :controller), options, &block)
-        else
-          yield
-        end
+      def instrument_name
+        "action_controller"
       end
   end
 end

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,48 @@
+module ActionController
+  # Override the default form builder for all views rendered by this
+  # controller and any of its descendants. Accepts a subclass of
+  # +ActionView::Helpers::FormBuilder+.
+  #
+  # For example, given a form builder:
+  #
+  #   class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #     def special_field(name)
+  #     end
+  #   end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #   class AdminAreaController < ApplicationController
+  #     default_form_builder AdminFormBuilder
+  #   end
+  #
+  # Then in the view any form using +form_for+ will be an instance of the
+  # specified form builder:
+  #
+  #   <%= form_for(@instance) do |builder| %>
+  #     <%= builder.special_field(:name) %>
+  #   <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms
+      # in the views rendered by this controller and its subclasses.
+      #
+      # ==== Parameters
+      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -25,7 +25,9 @@ module ActionController
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
         message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-        message << " (#{additions.join(" | ")})" unless additions.blank?
+        message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
         message
       end
     end
@@ -53,15 +55,6 @@ module ActionController
       end
     end
 
-    def deep_munge(event)
-      debug do
-        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
-        "to nil, because it was one of [], [null] or [null, null, ...]. "\
-        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
-        "for more information."\
-      end
-    end
-
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,11 @@
+module ActionController
+  module BasicImplicitRender # :nodoc:
+    def send_action(method, *args)
+      super.tap { default_render unless performed? }
+    end
+
+    def default_render(*args)
+      head :no_content
+    end
+  end
+end

data/lib/action_controller/metal/conditional_get.rb

@@ -4,7 +4,6 @@ module ActionController
   module ConditionalGet
     extend ActiveSupport::Concern
 
-    include RackDelegation
     include Head
 
     included do
@@ -15,7 +14,7 @@ module ActionController
     module ClassMethods
       # Allows you to consider additional controller-wide information when generating an ETag.
       # For example, if you serve pages tailored depending on who's logged in at the moment, you
-      # may want to add the current user id to be part of the ETag to prevent authorized displaying
+      # may want to add the current user id to be part of the ETag to prevent unauthorized displaying
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
@@ -37,10 +36,25 @@ module ActionController
     #
     # === Parameters:
     #
-    # * <tt>:etag</tt>.
-    # * <tt>:last_modified</tt>.
+    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
+    #   +:weak_etag+ option.
+    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A weak ETag indicates semantic
+    #   equivalence, not byte-for-byte equality, so they're good for caching
+    #   HTML pages in browser caches. They can't be used for responses that
+    #   must be byte-identical, like serving Range requests within a PDF file.
+    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A strong ETag implies exact
+    #   equality: the response must match byte for byte. This is necessary for
+    #   doing Range requests within a large video or PDF file, for example, or
+    #   for compatibility with some CDNs that don't support weak ETags.
+    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
+    #   response. Subsequent requests that set If-Modified-Since may return a
+    #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -51,21 +65,31 @@ module ActionController
     #
     #   def show
     #     @article = Article.find(params[:id])
-    #     fresh_when(etag: @article, last_modified: @article.created_at, public: true)
+    #     fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
     #   end
     #
     # This will render the show template if the request isn't sending a matching ETag or
     # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(@article)
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #     fresh_when(@articles)
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -77,18 +101,20 @@ module ActionController
     #
     #   before_action { fresh_when @article, template: 'widgets/show' }
     #
-    def fresh_when(record_or_options, additional_options = {})
-      if record_or_options.is_a? Hash
-        options = record_or_options
-        options.assert_valid_keys(:etag, :last_modified, :public, :template)
-      else
-        record  = record_or_options
-        options = { etag: record, last_modified: record.try(:updated_at) }.merge!(additional_options)
+    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, template: nil)
+      weak_etag ||= etag || object unless strong_etag
+      last_modified ||= object.try(:updated_at) || object.try(:maximum, :updated_at)
+
+      if strong_etag
+        response.strong_etag = combine_etags strong_etag,
+          last_modified: last_modified, public: public, template: template
+      elsif weak_etag || template
+        response.weak_etag = combine_etags weak_etag,
+          last_modified: last_modified, public: public, template: template
       end
 
-      response.etag          = combine_etags(options)   if options[:etag] || options[:template]
-      response.last_modified = options[:last_modified]  if options[:last_modified]
-      response.cache_control[:public] = true            if options[:public]
+      response.last_modified = last_modified if last_modified
+      response.cache_control[:public] = true if public
 
       head :not_modified if request.fresh?(response)
     end
@@ -100,10 +126,25 @@ module ActionController
     #
     # === Parameters:
     #
-    # * <tt>:etag</tt>.
-    # * <tt>:last_modified</tt>.
+    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
+    #   +:weak_etag+ option.
+    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
+    #   requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A weak ETag indicates semantic
+    #   equivalence, not byte-for-byte equality, so they're good for caching
+    #   HTML pages in browser caches. They can't be used for responses that
+    #   must be byte-identical, like serving Range requests within a PDF file.
+    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A strong ETag implies exact
+    #   equality: the response must match byte for byte. This is necessary for
+    #   doing Range requests within a large video or PDF file, for example, or
+    #   for compatibility with some CDNs that don't support weak ETags.
+    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
+    #   response. Subsequent requests that set If-Modified-Since may return a
+    #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -115,7 +156,7 @@ module ActionController
     #   def show
     #     @article = Article.find(params[:id])
     #
-    #     if stale?(etag: @article, last_modified: @article.created_at)
+    #     if stale?(etag: @article, last_modified: @article.updated_at)
     #       @statistics = @article.really_expensive_call
     #       respond_to do |format|
     #         # all the supported formats
@@ -123,8 +164,8 @@ module ActionController
     #     end
     #   end
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -137,7 +178,23 @@ module ActionController
     #     end
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #
+    #     if stale?(@articles)
+    #       @statistics = @articles.really_expensive_call
+    #       respond_to do |format|
+    #         # all the supported formats
+    #       end
+    #     end
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -157,12 +214,12 @@ module ActionController
     #     super if stale? @article, template: 'widgets/show'
     #   end
     #
-    def stale?(record_or_options, additional_options = {})
-      fresh_when(record_or_options, additional_options)
+    def stale?(object = nil, **freshness_kwargs)
+      fresh_when(object, **freshness_kwargs)
       !request.fresh?(response)
     end
 
-    # Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
+    # Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
     # instruction, so that intermediate caches must not cache the response.
     #
     #   expires_in 20.minutes
@@ -172,7 +229,7 @@ module ActionController
     # This method will overwrite an existing Cache-Control header.
     # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
-    # The method will also ensure a HTTP Date header for client compatibility.
+    # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(
         :max_age         => seconds,
@@ -185,16 +242,31 @@ module ActionController
       response.date = Time.now unless response.date?
     end
 
-    # Sets a HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
+    # Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
     # occur by the browser or intermediate caches (like caching proxy servers).
     def expires_now
       response.cache_control.replace(:no_cache => true)
     end
 
+    # Cache or yield the block. The cache is supposed to never expire.
+    #
+    # You can use this method when you have an HTTP response that never changes,
+    # and the browser and proxies should cache it indefinitely.
+    #
+    # * +public+: By default, HTTP responses are private, cached only on the
+    #   user's web browser. To allow proxies to cache the response, set +true+ to
+    #   indicate that they can serve the cached response to all users.
+    def http_cache_forever(public: false)
+      expires_in 100.years, public: public
+
+      yield if stale?(etag: request.fullpath,
+                      last_modified: Time.new(2011, 1, 1).utc,
+                      public: public)
+    end
+
     private
-      def combine_etags(options)
-        etags = etaggers.map { |etagger| instance_exec(options, &etagger) }.compact
-        etags.unshift options[:etag]
+      def combine_etags(validator, options)
+        [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact
       end
   end
 end

data/lib/action_controller/metal/cookies.rb

@@ -2,10 +2,8 @@ module ActionController #:nodoc:
   module Cookies
     extend ActiveSupport::Concern
 
-    include RackDelegation
-
     included do
-      helper_method :cookies
+      helper_method :cookies if defined?(helper_method)
     end
 
     private