actionpack 5.0.7.2 → 5.1.0.beta1

data/lib/action_controller/metal/redirecting.rb

@@ -1,12 +1,4 @@
 module ActionController
-  class RedirectBackError < AbstractController::Error #:nodoc:
-    DEFAULT_MESSAGE = 'No HTTP_REFERER was set in the request to this action, so redirect_to :back could not be called successfully. If this is a test, make sure to specify request.env["HTTP_REFERER"].'
-
-    def initialize(message = nil)
-      super(message || DEFAULT_MESSAGE)
-    end
-  end
-
   module Redirecting
     extend ActiveSupport::Concern
 
@@ -24,10 +16,10 @@ module ActionController
     # === Examples:
     #
     #   redirect_to action: "show", id: 5
-    #   redirect_to post
+    #   redirect_to @post
     #   redirect_to "http://www.rubyonrails.org"
     #   redirect_to "/images/screenshot.jpg"
-    #   redirect_to articles_url
+    #   redirect_to posts_url
     #   redirect_to proc { edit_post_url(@post) }
     #
     # The redirection happens as a "302 Found" header unless otherwise specified using the <tt>:status</tt> option:
@@ -58,13 +50,13 @@ module ActionController
     #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
     #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
     #
-    def redirect_to(options = {}, response_status = {}) #:doc:
+    def redirect_to(options = {}, response_status = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)
       self.location      = _compute_redirect_to_location(request, options)
-      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
     # Redirects the browser to the page that issued the request (the referrer)
@@ -77,11 +69,11 @@ module ActionController
     # is missing this header, the <tt>fallback_location</tt> will be used.
     #
     #   redirect_back fallback_location: { action: "show", id: 5 }
-    #   redirect_back fallback_location: post
+    #   redirect_back fallback_location: @post
     #   redirect_back fallback_location: "http://www.rubyonrails.org"
-    #   redirect_back fallback_location:  "/images/screenshot.jpg"
-    #   redirect_back fallback_location:  articles_url
-    #   redirect_back fallback_location:  proc { edit_post_url(@post) }
+    #   redirect_back fallback_location: "/images/screenshot.jpg"
+    #   redirect_back fallback_location: posts_url
+    #   redirect_back fallback_location: proc { edit_post_url(@post) }
     #
     # All options that can be passed to <tt>redirect_to</tt> are accepted as
     # options and the behavior is identical.
@@ -104,14 +96,6 @@ module ActionController
         options
       when String
         request.protocol + request.host_with_port + options
-      when :back
-        ActiveSupport::Deprecation.warn(<<-MESSAGE.squish)
-          `redirect_to :back` is deprecated and will be removed from Rails 5.1.
-          Please use `redirect_back(fallback_location: fallback_location)` where
-          `fallback_location` represents the location to use if the request has
-          no HTTP referer information.
-        MESSAGE
-        request.headers["Referer"] or raise RedirectBackError
       when Proc
         _compute_redirect_to_location request, options.call
       else

data/lib/action_controller/metal/renderers.rb

@@ -1,4 +1,4 @@
-require 'set'
+require "set"
 
 module ActionController
   # See <tt>Renderers.add</tt>
@@ -92,7 +92,6 @@ module ActionController
     end
 
     module ClassMethods
-
       # Adds, by name, a renderer or renderers to the +_renderers+ available
       # to call within controller actions.
       #
@@ -105,7 +104,7 @@ module ActionController
       #
       # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
       # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
-      # and <tt>ActionController::Renderers</tt>, and have at lest one renderer.
+      # and <tt>ActionController::Renderers</tt>, and have at least one renderer.
       #
       # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
       # you may specify which renderers to include by passing the renderer name or names to

data/lib/action_controller/metal/rendering.rb

@@ -1,10 +1,10 @@
-require 'active_support/core_ext/string/filters'
+require "active_support/core_ext/string/filters"
 
 module ActionController
   module Rendering
     extend ActiveSupport::Concern
 
-    RENDER_FORMATS_IN_PRIORITY = [:body, :text, :plain, :html]
+    RENDER_FORMATS_IN_PRIORITY = [:body, :plain, :html]
 
     module ClassMethods
       # Documentation at ActionController::Renderer#render
@@ -32,7 +32,7 @@ module ActionController
 
     # Check for double render errors and set the content_type after rendering.
     def render(*args) #:nodoc:
-      raise ::AbstractController::DoubleRenderError if self.response_body
+      raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
@@ -49,84 +49,74 @@ module ActionController
     end
 
     def render_to_body(options = {})
-      super || _render_in_priorities(options) || ' '
+      super || _render_in_priorities(options) || " "
     end
 
     private
 
-    def _render_in_priorities(options)
-      RENDER_FORMATS_IN_PRIORITY.each do |format|
-        return options[format] if options.key?(format)
+      def _process_variant(options)
+        if defined?(request) && !request.nil? && request.variant.present?
+          options[:variant] = request.variant
+        end
       end
 
-      nil
-    end
-
-    def _set_html_content_type
-      self.content_type = Mime[:html].to_s
-    end
+      def _render_in_priorities(options)
+        RENDER_FORMATS_IN_PRIORITY.each do |format|
+          return options[format] if options.key?(format)
+        end
 
-    def _set_rendered_content_type(format)
-      if format && !response.content_type
-        self.content_type = format.to_s
+        nil
       end
-    end
 
-    # Normalize arguments by catching blocks and setting them on :update.
-    def _normalize_args(action=nil, options={}, &blk) #:nodoc:
-      options = super
-      options[:update] = blk if block_given?
-      options
-    end
-
-    # Normalize both text and status options.
-    def _normalize_options(options) #:nodoc:
-      _normalize_text(options)
-
-      if options[:text]
-        ActiveSupport::Deprecation.warn <<-WARNING.squish
-          `render :text` is deprecated because it does not actually render a
-          `text/plain` response. Switch to `render plain: 'plain text'` to
-          render as `text/plain`, `render html: '<strong>HTML</strong>'` to
-          render as `text/html`, or `render body: 'raw'` to match the deprecated
-          behavior and render with the default Content-Type, which is
-          `text/html`.
-        WARNING
+      def _set_html_content_type
+        self.content_type = Mime[:html].to_s
       end
 
-      if options[:html]
-        options[:html] = ERB::Util.html_escape(options[:html])
+      def _set_rendered_content_type(format)
+        if format && !response.content_type
+          self.content_type = format.to_s
+        end
       end
 
-      if options.delete(:nothing)
-        ActiveSupport::Deprecation.warn("`:nothing` option is deprecated and will be removed in Rails 5.1. Use `head` method to respond with empty response body.")
-        options[:body] = nil
+      # Normalize arguments by catching blocks and setting them on :update.
+      def _normalize_args(action = nil, options = {}, &blk)
+        options = super
+        options[:update] = blk if block_given?
+        options
       end
 
-      if options[:status]
-        options[:status] = Rack::Utils.status_code(options[:status])
-      end
+      # Normalize both text and status options.
+      def _normalize_options(options)
+        _normalize_text(options)
 
-      super
-    end
+        if options[:html]
+          options[:html] = ERB::Util.html_escape(options[:html])
+        end
 
-    def _normalize_text(options)
-      RENDER_FORMATS_IN_PRIORITY.each do |format|
-        if options.key?(format) && options[format].respond_to?(:to_text)
-          options[format] = options[format].to_text
+        if options[:status]
+          options[:status] = Rack::Utils.status_code(options[:status])
         end
+
+        super
       end
-    end
 
-    # Process controller specific options, as status, content-type and location.
-    def _process_options(options) #:nodoc:
-      status, content_type, location = options.values_at(:status, :content_type, :location)
+      def _normalize_text(options)
+        RENDER_FORMATS_IN_PRIORITY.each do |format|
+          if options.key?(format) && options[format].respond_to?(:to_text)
+            options[format] = options[format].to_text
+          end
+        end
+      end
 
-      self.status = status if status
-      self.content_type = content_type if content_type
-      self.headers["Location"] = url_for(location) if location
+      # Process controller specific options, as status, content-type and location.
+      def _process_options(options)
+        status, content_type, location = options.values_at(:status, :content_type, :location)
 
-      super
-    end
+        self.status = status if status
+        self.content_type = content_type if content_type
+        headers["Location"] = url_for(location) if location
+
+        super
+      end
   end
 end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -1,6 +1,6 @@
-require 'rack/session/abstract/id'
-require 'action_controller/metal/exceptions'
-require 'active_support/security_utils'
+require "rack/session/abstract/id"
+require "action_controller/metal/exceptions"
+require "active_support/security_utils"
 
 module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
@@ -130,11 +130,11 @@ module ActionController #:nodoc:
 
       private
 
-      def protection_method_class(name)
-        ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-      rescue NameError
-        raise ArgumentError, 'Invalid request forgery protection method, use :null_session, :exception, or :reset_session'
-      end
+        def protection_method_class(name)
+          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
+        rescue NameError
+          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+        end
     end
 
     module ProtectionMethods
@@ -152,28 +152,28 @@ module ActionController #:nodoc:
           request.cookie_jar = NullCookieJar.build(request, {})
         end
 
-        protected
+        private
 
-        class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
-          def initialize(req)
-            super(nil, req)
-            @data = {}
-            @loaded = true
-          end
+          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+            def initialize(req)
+              super(nil, req)
+              @data = {}
+              @loaded = true
+            end
 
-          # no-op
-          def destroy; end
+            # no-op
+            def destroy; end
 
-          def exists?
-            true
+            def exists?
+              true
+            end
           end
-        end
 
-        class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
-          def write(*)
-            # nothing
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+            def write(*)
+              # nothing
+            end
           end
-        end
       end
 
       class ResetSession
@@ -197,7 +197,7 @@ module ActionController #:nodoc:
       end
     end
 
-    protected
+    private
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
       # strategy instead. If you override, you'll disable same-origin
@@ -208,7 +208,7 @@ module ActionController #:nodoc:
       # enabled on an action, this before_action flags its after_action to
       # verify that JavaScript responses are for XHR requests, ensuring they
       # follow the browser's same-origin policy.
-      def verify_authenticity_token
+      def verify_authenticity_token # :doc:
         mark_for_same_origin_verification!
 
         if !verified_request?
@@ -219,7 +219,7 @@ module ActionController #:nodoc:
         end
       end
 
-      def handle_unverified_request
+      def handle_unverified_request # :doc:
         forgery_protection_strategy.new(self).handle_unverified_request
       end
 
@@ -233,26 +233,28 @@ module ActionController #:nodoc:
       # If `verify_authenticity_token` was run (indicating that we have
       # forgery protection enabled for this request) then also verify that
       # we aren't serving an unauthorized cross-origin response.
-      def verify_same_origin_request
+      def verify_same_origin_request # :doc:
         if marked_for_same_origin_verification? && non_xhr_javascript_response?
-          logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
+          if logger && log_warning_on_csrf_failure
+            logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING
+          end
           raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
         end
       end
 
       # GET requests are checked for cross-origin JavaScript after rendering.
-      def mark_for_same_origin_verification!
+      def mark_for_same_origin_verification! # :doc:
         @marked_for_same_origin_verification = request.get?
       end
 
       # If the `verify_authenticity_token` before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
-      def marked_for_same_origin_verification?
+      def marked_for_same_origin_verification? # :doc:
         @marked_for_same_origin_verification ||= false
       end
 
       # Check for cross-origin JavaScript responses.
-      def non_xhr_javascript_response?
+      def non_xhr_javascript_response? # :doc:
         content_type =~ %r(\Atext/javascript) && !request.xhr?
       end
 
@@ -263,20 +265,20 @@ module ActionController #:nodoc:
       # * Is it a GET or HEAD request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       # * Does the X-CSRF-Token header match the form_authenticity_token
-      def verified_request?
+      def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)
       end
 
       # Checks if any of the authenticity tokens from the request are valid.
-      def any_authenticity_token_valid?
+      def any_authenticity_token_valid? # :doc:
         request_authenticity_tokens.any? do |token|
           valid_authenticity_token?(session, token)
         end
       end
 
       # Possible authenticity tokens sent in the request.
-      def request_authenticity_tokens
+      def request_authenticity_tokens # :doc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
@@ -288,7 +290,7 @@ module ActionController #:nodoc:
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {})
+      def masked_authenticity_token(session, form_options: {}) # :doc:
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
@@ -307,7 +309,7 @@ module ActionController #:nodoc:
       # Checks the client's masked token to see if it matches the
       # session token. Essentially the inverse of
       # +masked_authenticity_token+.
-      def valid_authenticity_token?(session, encoded_masked_token)
+      def valid_authenticity_token?(session, encoded_masked_token) # :doc:
         if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
           return false
         end
@@ -338,7 +340,7 @@ module ActionController #:nodoc:
         end
       end
 
-      def unmask_token(masked_token)
+      def unmask_token(masked_token) # :doc:
         # Split the token into the one-time pad and the encrypted
         # value and decrypt it
         one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
@@ -346,11 +348,11 @@ module ActionController #:nodoc:
         xor_byte_strings(one_time_pad, encrypted_csrf_token)
       end
 
-      def compare_with_real_token(token, session)
+      def compare_with_real_token(token, session) # :doc:
         ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
       end
 
-      def valid_per_form_csrf_token?(token, session)
+      def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
@@ -364,12 +366,12 @@ module ActionController #:nodoc:
         end
       end
 
-      def real_csrf_token(session)
+      def real_csrf_token(session) # :doc:
         session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         Base64.strict_decode64(session[:_csrf_token])
       end
 
-      def per_form_csrf_token(session, action_path, method)
+      def per_form_csrf_token(session, action_path, method) # :doc:
         OpenSSL::HMAC.digest(
           OpenSSL::Digest::SHA256.new,
           real_csrf_token(session),
@@ -377,25 +379,25 @@ module ActionController #:nodoc:
         )
       end
 
-      def xor_byte_strings(s1, s2)
+      def xor_byte_strings(s1, s2) # :doc:
         s2_bytes = s2.bytes
         s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
-        s2_bytes.pack('C*')
+        s2_bytes.pack("C*")
       end
 
       # The form's authenticity parameter. Override to provide your own.
-      def form_authenticity_param
+      def form_authenticity_param # :doc:
         params[request_forgery_protection_token]
       end
 
       # Checks if the controller allows forgery protection.
-      def protect_against_forgery?
+      def protect_against_forgery? # :doc:
         allow_forgery_protection
       end
 
       # Checks if the request originated from the same origin by looking at the
       # Origin header.
-      def valid_request_origin?
+      def valid_request_origin? # :doc:
         if forgery_protection_origin_check
           # We accept blank origin headers because some user agents don't send it.
           request.origin.nil? || request.origin == request.base_url
@@ -404,9 +406,9 @@ module ActionController #:nodoc:
         end
       end
 
-      def normalize_action_path(action_path)
+      def normalize_action_path(action_path) # :doc:
         uri = URI.parse(action_path)
-        uri.path.chomp('/')
+        uri.path.chomp("/")
       end
   end
 end