actionpack 4.2.8 → 5.2.4.2

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module ActionController
+  # Override the default form builder for all views rendered by this
+  # controller and any of its descendants. Accepts a subclass of
+  # +ActionView::Helpers::FormBuilder+.
+  #
+  # For example, given a form builder:
+  #
+  #   class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #     def special_field(name)
+  #     end
+  #   end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #   class AdminAreaController < ApplicationController
+  #     default_form_builder AdminFormBuilder
+  #   end
+  #
+  # Then in the view any form using +form_for+ will be an instance of the
+  # specified form builder:
+  #
+  #   <%= form_for(@instance) do |builder| %>
+  #     <%= builder.special_field(:name) %>
+  #   <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms
+      # in the views rendered by this controller and its subclasses.
+      #
+      # ==== Parameters
+      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
@@ -24,8 +26,10 @@ module ActionController
           exception_class_name = payload[:exception].first
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-        message << " (#{additions.join(" | ")})" unless additions.blank?
+        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms".dup
+        message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
         message
       end
     end
@@ -49,16 +53,7 @@ module ActionController
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.join(", ")}"
-      end
-    end
-
-    def deep_munge(event)
-      debug do
-        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
-        "to nil, because it was one of [], [null] or [null, null, ...]. "\
-        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
-        "for more information."\
+        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}"
       end
     end
 
@@ -66,10 +61,10 @@ module ActionController
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{method}(event)
-          return unless logger.info?
-          key_or_path = event.payload[:key] || event.payload[:path]
+          return unless logger.info? && ActionController::Base.enable_fragment_cache_logging
+          key         = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
           human_name  = #{method.to_s.humanize.inspect}
-          info("\#{human_name} \#{key_or_path} (\#{event.duration.round(1)}ms)")
+          info("\#{human_name} \#{key} (\#{event.duration.round(1)}ms)")
         end
       METHOD
     end

data/lib/action_controller/metal.rb

@@ -1,5 +1,9 @@
-require 'active_support/core_ext/array/extract_options'
-require 'action_dispatch/middleware/stack'
+# frozen_string_literal: true
+
+require "active_support/core_ext/array/extract_options"
+require "action_dispatch/middleware/stack"
+require "action_dispatch/http/request"
+require "action_dispatch/http/response"
 
 module ActionController
   # Extend ActionDispatch middleware stack to make it aware of options
@@ -11,32 +15,50 @@ module ActionController
   #
   class MiddlewareStack < ActionDispatch::MiddlewareStack #:nodoc:
     class Middleware < ActionDispatch::MiddlewareStack::Middleware #:nodoc:
-      def initialize(klass, *args, &block)
-        options = args.extract_options!
-        @only   = Array(options.delete(:only)).map(&:to_s)
-        @except = Array(options.delete(:except)).map(&:to_s)
-        args << options unless options.empty?
-        super
+      def initialize(klass, args, actions, strategy, block)
+        @actions = actions
+        @strategy = strategy
+        super(klass, args, block)
       end
 
       def valid?(action)
-        if @only.present?
-          @only.include?(action)
-        elsif @except.present?
-          !@except.include?(action)
-        else
-          true
-        end
+        @strategy.call @actions, action
       end
     end
 
-    def build(action, app = Proc.new)
+    def build(action, app = nil, &block)
       action = action.to_s
 
-      middlewares.reverse.inject(app) do |a, middleware|
+      middlewares.reverse.inject(app || block) do |a, middleware|
         middleware.valid?(action) ? middleware.build(a) : a
       end
     end
+
+    private
+
+      INCLUDE = ->(list, action) { list.include? action }
+      EXCLUDE = ->(list, action) { !list.include? action }
+      NULL    = ->(list, action) { true }
+
+      def build_middleware(klass, args, block)
+        options = args.extract_options!
+        only   = Array(options.delete(:only)).map(&:to_s)
+        except = Array(options.delete(:except)).map(&:to_s)
+        args << options unless options.empty?
+
+        strategy = NULL
+        list     = nil
+
+        if only.any?
+          strategy = INCLUDE
+          list     = only
+        elsif except.any?
+          strategy = EXCLUDE
+          list     = except
+        end
+
+        Middleware.new(klass, args, list, strategy, block)
+      end
   end
 
   # <tt>ActionController::Metal</tt> is the simplest possible controller, providing a
@@ -98,12 +120,6 @@ module ActionController
   class Metal < AbstractController::Base
     abstract!
 
-    attr_internal_writer :env
-
-    def env
-      @_env ||= {}
-    end
-
     # Returns the last part of the controller's name, underscored, without the ending
     # <tt>Controller</tt>. For instance, PostsController returns <tt>posts</tt>.
     # Namespaces are left out, so Admin::PostsController returns <tt>posts</tt> as well.
@@ -111,26 +127,30 @@ module ActionController
     # ==== Returns
     # * <tt>string</tt>
     def self.controller_name
-      @controller_name ||= name.demodulize.sub(/Controller$/, '').underscore
+      @controller_name ||= name.demodulize.sub(/Controller$/, "").underscore
+    end
+
+    def self.make_response!(request)
+      ActionDispatch::Response.new.tap do |res|
+        res.request = request
+      end
     end
 
-    # Delegates to the class' <tt>controller_name</tt>
+    def self.binary_params_for?(action) # :nodoc:
+      false
+    end
+
+    # Delegates to the class' <tt>controller_name</tt>.
     def controller_name
       self.class.controller_name
     end
 
-    # The details below can be overridden to support a specific
-    # Request and Response object. The default ActionController::Base
-    # implementation includes RackDelegation, which makes a request
-    # and response object available. You might wish to control the
-    # environment and response manually for performance reasons.
-
-    attr_internal :headers, :response, :request
-    delegate :session, :to => "@_request"
+    attr_internal :response, :request
+    delegate :session, to: "@_request"
+    delegate :headers, :status=, :location=, :content_type=,
+             :status, :location, :content_type, to: "@_response"
 
     def initialize
-      @_headers = {"Content-Type" => "text/html"}
-      @_status = 200
       @_request = nil
       @_response = nil
       @_routes = nil
@@ -145,64 +165,52 @@ module ActionController
       @_params = val
     end
 
-    # Basic implementations for content_type=, location=, and headers are
-    # provided to reduce the dependency on the RackDelegation module
-    # in Renderer and Redirector.
-
-    def content_type=(type)
-      headers["Content-Type"] = type.to_s
-    end
-
-    def content_type
-      headers["Content-Type"]
-    end
-
-    def location
-      headers["Location"]
-    end
-
-    def location=(url)
-      headers["Location"] = url
-    end
+    alias :response_code :status # :nodoc:
 
-    # Basic url_for that can be overridden for more robust functionality
+    # Basic url_for that can be overridden for more robust functionality.
     def url_for(string)
       string
     end
 
-    def status
-      @_status
-    end
-    alias :response_code :status # :nodoc:
-
-    def status=(status)
-      @_status = Rack::Utils.status_code(status)
-    end
-
     def response_body=(body)
       body = [body] unless body.nil? || body.respond_to?(:each)
+      response.reset_body!
+      return unless body
+      response.body = body
       super
     end
 
     # Tests if render or redirect has already happened.
     def performed?
-      response_body || (response && response.committed?)
+      response_body || response.committed?
     end
 
-    def dispatch(name, request) #:nodoc:
-      @_request = request
-      @_env = request.env
-      @_env['action_controller.instance'] = self
+    def dispatch(name, request, response) #:nodoc:
+      set_request!(request)
+      set_response!(response)
       process(name)
+      request.commit_flash
       to_a
     end
 
+    def set_response!(response) # :nodoc:
+      @_response = response
+    end
+
+    def set_request!(request) #:nodoc:
+      @_request = request
+      @_request.controller_instance = self
+    end
+
     def to_a #:nodoc:
-      response ? response.to_a : [status, headers, response_body]
+      response.to_a
     end
 
-    class_attribute :middleware_stack
-    self.middleware_stack = ActionController::MiddlewareStack.new
+    def reset_session
+      @_request.reset_session
+    end
+
+    class_attribute :middleware_stack, default: ActionController::MiddlewareStack.new
 
     def self.inherited(base) # :nodoc:
       base.middleware_stack = middleware_stack.dup
@@ -220,21 +228,28 @@ module ActionController
       middleware_stack
     end
 
-    # Makes the controller a Rack endpoint that runs the action in the given
-    # +env+'s +action_dispatch.request.path_parameters+ key.
-    def self.call(env)
-      req = ActionDispatch::Request.new env
-      action(req.path_parameters[:action]).call(env)
+    # Returns a Rack endpoint for the given action name.
+    def self.action(name)
+      app = lambda { |env|
+        req = ActionDispatch::Request.new(env)
+        res = make_response! req
+        new.dispatch(name, req, res)
+      }
+
+      if middleware_stack.any?
+        middleware_stack.build(name, app)
+      else
+        app
+      end
     end
 
-    # Returns a Rack endpoint for the given action name.
-    def self.action(name, klass = ActionDispatch::Request)
+    # Direct dispatch to the controller. Instantiates the controller, then
+    # executes the action named +name+.
+    def self.dispatch(name, req, res)
       if middleware_stack.any?
-        middleware_stack.build(name) do |env|
-          new.dispatch(name, klass.new(env))
-        end
+        middleware_stack.build(name) { |env| new.dispatch(name, req, res) }.call req.env
       else
-        lambda { |env| new.dispatch(name, klass.new(env)) }
+        new.dispatch(name, req, res)
       end
     end
   end

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ActionController
+  module BasicImplicitRender # :nodoc:
+    def send_action(method, *args)
+      super.tap { default_render unless performed? }
+    end
+
+    def default_render(*args)
+      head :no_content
+    end
+  end
+end

data/lib/action_controller/metal/conditional_get.rb

@@ -1,21 +1,21 @@
-require 'active_support/core_ext/hash/keys'
+# frozen_string_literal: true
+
+require "active_support/core_ext/hash/keys"
 
 module ActionController
   module ConditionalGet
     extend ActiveSupport::Concern
 
-    include RackDelegation
     include Head
 
     included do
-      class_attribute :etaggers
-      self.etaggers = []
+      class_attribute :etaggers, default: []
     end
 
     module ClassMethods
       # Allows you to consider additional controller-wide information when generating an ETag.
       # For example, if you serve pages tailored depending on who's logged in at the moment, you
-      # may want to add the current user id to be part of the ETag to prevent authorized displaying
+      # may want to add the current user id to be part of the ETag to prevent unauthorized displaying
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
@@ -37,10 +37,25 @@ module ActionController
     #
     # === Parameters:
     #
-    # * <tt>:etag</tt>.
-    # * <tt>:last_modified</tt>.
+    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
+    #   +:weak_etag+ option.
+    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A weak ETag indicates semantic
+    #   equivalence, not byte-for-byte equality, so they're good for caching
+    #   HTML pages in browser caches. They can't be used for responses that
+    #   must be byte-identical, like serving Range requests within a PDF file.
+    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A strong ETag implies exact
+    #   equality: the response must match byte for byte. This is necessary for
+    #   doing Range requests within a large video or PDF file, for example, or
+    #   for compatibility with some CDNs that don't support weak ETags.
+    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
+    #   response. Subsequent requests that set If-Modified-Since may return a
+    #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -51,21 +66,31 @@ module ActionController
     #
     #   def show
     #     @article = Article.find(params[:id])
-    #     fresh_when(etag: @article, last_modified: @article.created_at, public: true)
+    #     fresh_when(etag: @article, last_modified: @article.updated_at, public: true)
     #   end
     #
     # This will render the show template if the request isn't sending a matching ETag or
     # If-Modified-Since header and just a <tt>304 Not Modified</tt> response if there's a match.
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
     #     fresh_when(@article)
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #     fresh_when(@articles)
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -77,18 +102,20 @@ module ActionController
     #
     #   before_action { fresh_when @article, template: 'widgets/show' }
     #
-    def fresh_when(record_or_options, additional_options = {})
-      if record_or_options.is_a? Hash
-        options = record_or_options
-        options.assert_valid_keys(:etag, :last_modified, :public, :template)
-      else
-        record  = record_or_options
-        options = { etag: record, last_modified: record.try(:updated_at) }.merge!(additional_options)
+    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, template: nil)
+      weak_etag ||= etag || object unless strong_etag
+      last_modified ||= object.try(:updated_at) || object.try(:maximum, :updated_at)
+
+      if strong_etag
+        response.strong_etag = combine_etags strong_etag,
+          last_modified: last_modified, public: public, template: template
+      elsif weak_etag || template
+        response.weak_etag = combine_etags weak_etag,
+          last_modified: last_modified, public: public, template: template
       end
 
-      response.etag          = combine_etags(options)   if options[:etag] || options[:template]
-      response.last_modified = options[:last_modified]  if options[:last_modified]
-      response.cache_control[:public] = true            if options[:public]
+      response.last_modified = last_modified if last_modified
+      response.cache_control[:public] = true if public
 
       head :not_modified if request.fresh?(response)
     end
@@ -100,10 +127,25 @@ module ActionController
     #
     # === Parameters:
     #
-    # * <tt>:etag</tt>.
-    # * <tt>:last_modified</tt>.
+    # * <tt>:etag</tt> Sets a "weak" ETag validator on the response. See the
+    #   +:weak_etag+ option.
+    # * <tt>:weak_etag</tt> Sets a "weak" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A weak ETag indicates semantic
+    #   equivalence, not byte-for-byte equality, so they're good for caching
+    #   HTML pages in browser caches. They can't be used for responses that
+    #   must be byte-identical, like serving Range requests within a PDF file.
+    # * <tt>:strong_etag</tt> Sets a "strong" ETag validator on the response.
+    #   Requests that set If-None-Match header may return a 304 Not Modified
+    #   response if it matches the ETag exactly. A strong ETag implies exact
+    #   equality: the response must match byte for byte. This is necessary for
+    #   doing Range requests within a large video or PDF file, for example, or
+    #   for compatibility with some CDNs that don't support weak ETags.
+    # * <tt>:last_modified</tt> Sets a "weak" last-update validator on the
+    #   response. Subsequent requests that set If-Modified-Since may return a
+    #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
-    #   +true+ if you want your application to be cachable by other devices (proxy caches).
+    #   +true+ if you want your application to be cacheable by other devices (proxy caches).
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -115,7 +157,7 @@ module ActionController
     #   def show
     #     @article = Article.find(params[:id])
     #
-    #     if stale?(etag: @article, last_modified: @article.created_at)
+    #     if stale?(etag: @article, last_modified: @article.updated_at)
     #       @statistics = @article.really_expensive_call
     #       respond_to do |format|
     #         # all the supported formats
@@ -123,8 +165,8 @@ module ActionController
     #     end
     #   end
     #
-    # You can also just pass a record where +last_modified+ will be set by calling
-    # +updated_at+ and the +etag+ by passing the object itself.
+    # You can also just pass a record. In this case +last_modified+ will be set
+    # by calling +updated_at+ and +etag+ by passing the object itself.
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -137,7 +179,23 @@ module ActionController
     #     end
     #   end
     #
-    # When passing a record, you can still set whether the public header:
+    # You can also pass an object that responds to +maximum+, such as a
+    # collection of active records. In this case +last_modified+ will be set by
+    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # most recently updated record) and the +etag+ by passing the object itself.
+    #
+    #   def index
+    #     @articles = Article.all
+    #
+    #     if stale?(@articles)
+    #       @statistics = @articles.really_expensive_call
+    #       respond_to do |format|
+    #         # all the supported formats
+    #       end
+    #     end
+    #   end
+    #
+    # When passing a record or a collection, you can still set the public header:
     #
     #   def show
     #     @article = Article.find(params[:id])
@@ -157,12 +215,12 @@ module ActionController
     #     super if stale? @article, template: 'widgets/show'
     #   end
     #
-    def stale?(record_or_options, additional_options = {})
-      fresh_when(record_or_options, additional_options)
+    def stale?(object = nil, **freshness_kwargs)
+      fresh_when(object, **freshness_kwargs)
       !request.fresh?(response)
     end
 
-    # Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
+    # Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
     # instruction, so that intermediate caches must not cache the response.
     #
     #   expires_in 20.minutes
@@ -170,31 +228,47 @@ module ActionController
     #   expires_in 3.hours, public: true, must_revalidate: true
     #
     # This method will overwrite an existing Cache-Control header.
-    # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
+    # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
-    # The method will also ensure a HTTP Date header for client compatibility.
+    # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(
-        :max_age         => seconds,
-        :public          => options.delete(:public),
-        :must_revalidate => options.delete(:must_revalidate)
+        max_age: seconds,
+        public: options.delete(:public),
+        must_revalidate: options.delete(:must_revalidate)
       )
       options.delete(:private)
 
-      response.cache_control[:extras] = options.map {|k,v| "#{k}=#{v}"}
+      response.cache_control[:extras] = options.map { |k, v| "#{k}=#{v}" }
       response.date = Time.now unless response.date?
     end
 
-    # Sets a HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
-    # occur by the browser or intermediate caches (like caching proxy servers).
+    # Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt>. This means the
+    # resource will be marked as stale, so clients must always revalidate.
+    # Intermediate/browser caches may still store the asset.
     def expires_now
-      response.cache_control.replace(:no_cache => true)
+      response.cache_control.replace(no_cache: true)
+    end
+
+    # Cache or yield the block. The cache is supposed to never expire.
+    #
+    # You can use this method when you have an HTTP response that never changes,
+    # and the browser and proxies should cache it indefinitely.
+    #
+    # * +public+: By default, HTTP responses are private, cached only on the
+    #   user's web browser. To allow proxies to cache the response, set +true+ to
+    #   indicate that they can serve the cached response to all users.
+    def http_cache_forever(public: false)
+      expires_in 100.years, public: public
+
+      yield if stale?(etag: request.fullpath,
+                      last_modified: Time.new(2011, 1, 1).utc,
+                      public: public)
     end
 
     private
-      def combine_etags(options)
-        etags = etaggers.map { |etagger| instance_exec(options, &etagger) }.compact
-        etags.unshift options[:etag]
+      def combine_etags(validator, options)
+        [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact
       end
   end
 end