actionpack 5.2.1 → 7.0.2.4

data/lib/action_controller/metal/exceptions.rb

@@ -1,20 +1,20 @@
 # frozen_string_literal: true
 
 module ActionController
-  class ActionControllerError < StandardError #:nodoc:
+  class ActionControllerError < StandardError # :nodoc:
   end
 
-  class BadRequest < ActionControllerError #:nodoc:
+  class BadRequest < ActionControllerError # :nodoc:
     def initialize(msg = nil)
       super(msg)
       set_backtrace $!.backtrace if $!
     end
   end
 
-  class RenderError < ActionControllerError #:nodoc:
+  class RenderError < ActionControllerError # :nodoc:
   end
 
-  class RoutingError < ActionControllerError #:nodoc:
+  class RoutingError < ActionControllerError # :nodoc:
     attr_reader :failures
     def initialize(message, failures = [])
       super(message)
@@ -22,22 +22,44 @@ module ActionController
     end
   end
 
-  class ActionController::UrlGenerationError < ActionControllerError #:nodoc:
+  class UrlGenerationError < ActionControllerError # :nodoc:
+    attr_reader :routes, :route_name, :method_name
+
+    def initialize(message, routes = nil, route_name = nil, method_name = nil)
+      @routes      = routes
+      @route_name  = route_name
+      @method_name = method_name
+
+      super(message)
+    end
+
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable
+
+      def corrections
+        @corrections ||= begin
+          maybe_these = routes&.named_routes&.helper_names&.grep(/#{route_name}/) || []
+          maybe_these -= [method_name.to_s] # remove exact match
+
+          DidYouMean::SpellChecker.new(dictionary: maybe_these).correct(route_name)
+        end
+      end
+    end
   end
 
-  class MethodNotAllowed < ActionControllerError #:nodoc:
+  class MethodNotAllowed < ActionControllerError # :nodoc:
     def initialize(*allowed_methods)
-      super("Only #{allowed_methods.to_sentence(locale: :en)} requests are allowed.")
+      super("Only #{allowed_methods.to_sentence} requests are allowed.")
     end
   end
 
-  class NotImplemented < MethodNotAllowed #:nodoc:
+  class NotImplemented < MethodNotAllowed # :nodoc:
   end
 
-  class MissingFile < ActionControllerError #:nodoc:
+  class MissingFile < ActionControllerError # :nodoc:
   end
 
-  class SessionOverflowError < ActionControllerError #:nodoc:
+  class SessionOverflowError < ActionControllerError # :nodoc:
     DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
 
     def initialize(message = nil)
@@ -45,9 +67,30 @@ module ActionController
     end
   end
 
-  class UnknownHttpMethod < ActionControllerError #:nodoc:
+  class UnknownHttpMethod < ActionControllerError # :nodoc:
+  end
+
+  class UnknownFormat < ActionControllerError # :nodoc:
+  end
+
+  # Raised when a nested respond_to is triggered and the content types of each
+  # are incompatible. For example:
+  #
+  #  respond_to do |outer_type|
+  #    outer_type.js do
+  #      respond_to do |inner_type|
+  #        inner_type.html { render body: "HTML" }
+  #      end
+  #    end
+  #  end
+  class RespondToMismatchError < ActionControllerError
+    DEFAULT_MESSAGE = "respond_to was called multiple times and matched with conflicting formats in this action. Please note that you may only call respond_to and match on a single format per action."
+
+    def initialize(message = nil)
+      super(message || DEFAULT_MESSAGE)
+    end
   end
 
-  class UnknownFormat < ActionControllerError #:nodoc:
+  class MissingExactTemplate < UnknownFormat # :nodoc:
   end
 end

data/lib/action_controller/metal/flash.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Flash
     extend ActiveSupport::Concern
 
@@ -36,26 +36,30 @@ module ActionController #:nodoc:
           define_method(type) do
             request.flash[type]
           end
-          helper_method type
+          helper_method(type) if respond_to?(:helper_method)
 
           self._flash_types += [type]
         end
       end
+
+      def action_methods # :nodoc:
+        @action_methods ||= super - _flash_types.map(&:to_s).to_set
+      end
     end
 
     private
-      def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) # :doc:
         self.class._flash_types.each do |flash_type|
-          if type = response_status_and_flash.delete(flash_type)
+          if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type
           end
         end
 
-        if other_flashes = response_status_and_flash.delete(:flash)
+        if other_flashes = response_options_and_flash.delete(:flash)
           flash.update(other_flashes)
         end
 
-        super(options, response_status_and_flash)
+        super(options, response_options_and_flash)
       end
   end
 end

data/lib/action_controller/metal/head.rb

@@ -29,19 +29,22 @@ module ActionController
       content_type = options.delete(:content_type)
 
       options.each do |key, value|
-        headers[key.to_s.dasherize.split("-").each { |v| v[0] = v[0].chr.upcase }.join("-")] = value.to_s
+        headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
       end
 
       self.status = status
       self.location = url_for(location) if location
 
-      self.response_body = ""
-
       if include_content?(response_code)
-        self.content_type = content_type || (Mime[formats.first] if formats)
+        unless self.media_type
+          self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+        end
+
         response.charset = false
       end
 
+      self.response_body = ""
+
       true
     end
 

data/lib/action_controller/metal/helpers.rb

@@ -11,7 +11,12 @@ module ActionController
   #
   # In previous versions of \Rails the controller will include a helper which
   # matches the name of the controller, e.g., <tt>MyController</tt> will automatically
-  # include <tt>MyHelper</tt>. To return old behavior set +config.action_controller.include_all_helpers+ to +false+.
+  # include <tt>MyHelper</tt>. You can revert to the old behavior with the following:
+  #
+  #    # config/application.rb
+  #    class Application < Rails::Application
+  #      config.action_controller.include_all_helpers = false
+  #    end
   #
   # Additional helpers can be specified using the +helper+ class method in ActionController::Base or any
   # controller which inherits from it.
@@ -21,7 +26,7 @@ module ActionController
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message="&nbsp;")
-  #       time.blank? ? blank_message : time.to_s(format)
+  #       time.blank? ? blank_message : time.to_fs(format)
   #     end
   #   end
   #
@@ -34,7 +39,7 @@ module ActionController
   #     end
   #   end
   #
-  # Then, in any view rendered by <tt>EventController</tt>, the <tt>format_time</tt> method can be called:
+  # Then, in any view rendered by <tt>EventsController</tt>, the <tt>format_time</tt> method can be called:
   #
   #   <% @events.each do |event| -%>
   #     <p>
@@ -73,9 +78,14 @@ module ActionController
       end
 
       # Provides a proxy to access helper methods from outside the view.
+      #
+      # Note that the proxy is rendered under a different view context.
+      # This may cause incorrect behaviour with capture methods. Consider
+      # using {helper}[rdoc-ref:AbstractController::Helpers::ClassMethods#helper]
+      # instead when using +capture+.
       def helpers
         @helper_proxy ||= begin
-          proxy = ActionView::Base.new
+          proxy = ActionView::Base.empty
           proxy.config = config.inheritable_copy
           proxy.extend(_helpers)
         end
@@ -100,8 +110,7 @@ module ActionController
       #   # => ["application", "chart", "rubygems"]
       def all_helpers_from_path(path)
         helpers = Array(path).flat_map do |_path|
-          extract = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1'.freeze) }
+          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file[_path.to_s.size + 1..-"_helper.rb".size - 1] }
           names.sort!
         end
         helpers.uniq!

data/lib/action_controller/metal/http_authentication.rb

@@ -2,11 +2,12 @@
 
 require "base64"
 require "active_support/security_utils"
+require "active_support/core_ext/array/access"
 
 module ActionController
-  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic authentication.
+    # HTTP \Basic authentication.
     #
     # === Simple \Basic example
     #
@@ -24,8 +25,8 @@ module ActionController
     #
     # === Advanced \Basic example
     #
-    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API are protected by HTTP authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -56,8 +57,9 @@ module ActionController
     # In your integration tests, you can do something like this:
     #
     #   def test_access_granted_from_xml
-    #     @request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
-    #     get "/notes/1.xml"
+    #     authorization = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
+    #
+    #     get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
     #
     #     assert_equal 200, status
     #   end
@@ -68,21 +70,22 @@ module ActionController
         extend ActiveSupport::Concern
 
         module ClassMethods
-          def http_basic_authenticate_with(options = {})
-            before_action(options.except(:name, :password, :realm)) do
-              authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                # This comparison uses & so that it doesn't short circuit and
-                # uses `secure_compare` so that length information
-                # isn't leaked.
-                ActiveSupport::SecurityUtils.secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.secure_compare(password, options[:password])
-              end
-            end
+          def http_basic_authenticate_with(name:, password:, realm: nil, **options)
+            before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
+          end
+        end
+
+        def http_basic_authenticate_or_request_with(name:, password:, realm: nil, message: nil)
+          authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
+            # This comparison uses & so that it doesn't short circuit and
+            # uses `secure_compare` so that length information isn't leaked.
+            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
+              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
           end
         end
 
-        def authenticate_or_request_with_http_basic(realm = "Application", message = nil, &login_procedure)
-          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm, message)
+        def authenticate_or_request_with_http_basic(realm = nil, message = nil, &login_procedure)
+          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm || "Application", message)
         end
 
         def authenticate_with_http_basic(&login_procedure)
@@ -101,7 +104,7 @@ module ActionController
       end
 
       def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request).downcase == "basic")
+        request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
       end
 
       def user_name_and_password(request)
@@ -126,21 +129,21 @@ module ActionController
 
       def authentication_request(controller, realm, message)
         message ||= "HTTP Basic: Access denied.\n"
-        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"'.freeze, "".freeze)}")
+        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"', "")}")
         controller.status = 401
         controller.response_body = message
       end
     end
 
-    # Makes it dead easy to do HTTP \Digest authentication.
+    # HTTP \Digest authentication.
     #
     # === Simple \Digest example
     #
-    #   require 'digest/md5'
+    #   require "openssl"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #              "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
     #
     #     before_action :authenticate, except: [:index]
     #
@@ -228,12 +231,12 @@ module ActionController
       # of a plain-text password.
       def expected_response(http_method, uri, credentials, password, password_is_ha1 = true)
         ha1 = password_is_ha1 ? password : ha1(credentials, password)
-        ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
-        ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
+        ha2 = OpenSSL::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
       end
 
       def ha1(credentials, password)
-        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
       end
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
@@ -307,7 +310,7 @@ module ActionController
       def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
-        digest = ::Digest::MD5.hexdigest(hashed.join(":"))
+        digest = OpenSSL::Digest::MD5.hexdigest(hashed.join(":"))
         ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
@@ -324,11 +327,11 @@ module ActionController
 
       # Opaque based on digest of secret key
       def opaque(secret_key)
-        ::Digest::MD5.hexdigest(secret_key)
+        OpenSSL::Digest::MD5.hexdigest(secret_key)
       end
     end
 
-    # Makes it dead easy to do HTTP Token authentication.
+    # HTTP Token authentication.
     #
     # Simple Token example:
     #
@@ -356,8 +359,8 @@ module ActionController
     #   end
     #
     #
-    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced Token example where only Atom feeds and the XML API are protected by HTTP token authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -389,10 +392,9 @@ module ActionController
     # In your integration tests, you can do something like this:
     #
     #   def test_access_granted_from_xml
-    #     get(
-    #       "/notes/1.xml", nil,
-    #       'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
-    #     )
+    #     authorization = ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
+    #
+    #     get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
     #
     #     assert_equal 200, status
     #   end
@@ -406,7 +408,7 @@ module ActionController
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods
@@ -474,7 +476,7 @@ module ActionController
 
       # This removes the <tt>"</tt> characters wrapping the value.
       def rewrite_param_values(array_params)
-        array_params.each { |param| (param[1] || "".dup).gsub! %r/^"|"$/, "" }
+        array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
       # This method takes an authorization body and splits up the key-value
@@ -483,7 +485,7 @@ module ActionController
       def raw_params(auth)
         _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
 
-        if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+        if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
         end
 
@@ -511,7 +513,7 @@ module ActionController
       # Returns nothing.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
-        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"'.freeze, "".freeze)}")
+        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"', "")}")
         controller.__send__ :render, plain: message, status: :unauthorized
       end
     end

data/lib/action_controller/metal/implicit_render.rb

@@ -22,7 +22,7 @@ module ActionController
   # Third, if we DON'T find a template AND the request is a page load in a web
   # browser (technically, a non-XHR GET request for an HTML response) where
   # you reasonably expect to have rendered a template, then we raise
-  # <tt>ActionView::UnknownFormat</tt> with an explanation.
+  # <tt>ActionController::MissingExactTemplate</tt> with an explanation.
   #
   # Finally, if we DON'T find a template AND the request isn't a browser page
   # load, then we implicitly respond with <tt>204 No Content</tt>.
@@ -30,9 +30,9 @@ module ActionController
     # :stopdoc:
     include BasicImplicitRender
 
-    def default_render(*args)
+    def default_render
       if template_exists?(action_name.to_s, _prefixes, variants: request.variant)
-        render(*args)
+        render
       elsif any_templates?(action_name.to_s, _prefixes)
         message = "#{self.class.name}\##{action_name} is missing a template " \
           "for this request format and variant.\n" \
@@ -41,18 +41,8 @@ module ActionController
 
         raise ActionController::UnknownFormat, message
       elsif interactive_browser_request?
-        message = "#{self.class.name}\##{action_name} is missing a template " \
-          "for this request format and variant.\n\n" \
-          "request.formats: #{request.formats.map(&:to_s).inspect}\n" \
-          "request.variant: #{request.variant.inspect}\n\n" \
-          "NOTE! For XHR/Ajax or API requests, this action would normally " \
-          "respond with 204 No Content: an empty white screen. Since you're " \
-          "loading it in a web browser, we assume that you expected to " \
-          "actually render a template, not nothing, so we're showing an " \
-          "error to be extra-clear. If you expect 204 No Content, carry on. " \
-          "That's what you'll get from an XHR or API request. Give it a shot."
-
-        raise ActionController::UnknownFormat, message
+        message = "#{self.class.name}\##{action_name} is missing a template for request formats: #{request.formats.map(&:to_s).join(',')}"
+        raise ActionController::MissingExactTemplate, message
       else
         logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
         super

data/lib/action_controller/metal/instrumentation.rb

@@ -16,31 +16,7 @@ module ActionController
 
     attr_internal :view_runtime
 
-    def process_action(*args)
-      raw_payload = {
-        controller: self.class.name,
-        action: action_name,
-        params: request.filtered_parameters,
-        headers: request.headers,
-        format: request.format.ref,
-        method: request.request_method,
-        path: request.fullpath
-      }
-
-      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
-
-      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        begin
-          result = super
-          payload[:status] = response.status
-          result
-        ensure
-          append_info_to_payload(payload)
-        end
-      end
-    end
-
-    def render(*args)
+    def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
         Benchmark.ms { render_output = super }
@@ -61,8 +37,8 @@ module ActionController
       end
     end
 
-    def redirect_to(*args)
-      ActiveSupport::Notifications.instrument("redirect_to.action_controller") do |payload|
+    def redirect_to(*)
+      ActiveSupport::Notifications.instrument("redirect_to.action_controller", request: request) do |payload|
         result = super
         payload[:status]   = response.status
         payload[:location] = response.filtered_location
@@ -70,38 +46,66 @@ module ActionController
       end
     end
 
-  private
+    private
+      def process_action(*)
+        ActiveSupport::ExecutionContext[:controller] = self
 
-    # A hook invoked every time a before callback is halted.
-    def halted_callback_hook(filter)
-      ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
-    end
+        raw_payload = {
+          controller: self.class.name,
+          action: action_name,
+          request: request,
+          params: request.filtered_parameters,
+          headers: request.headers,
+          format: request.format.ref,
+          method: request.request_method,
+          path: request.fullpath
+        }
 
-    # A hook which allows you to clean up any time, wrongly taken into account in
-    # views, like database querying time.
-    #
-    #   def cleanup_view_runtime
-    #     super - time_taken_in_something_expensive
-    #   end
-    def cleanup_view_runtime # :doc:
-      yield
-    end
+        ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
 
-    # Every time after an action is processed, this method is invoked
-    # with the payload, so you can add more information.
-    def append_info_to_payload(payload) # :doc:
-      payload[:view_runtime] = view_runtime
-    end
+        ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
+          result = super
+          payload[:response] = response
+          payload[:status]   = response.status
+          result
+        rescue => error
+          payload[:status] = ActionDispatch::ExceptionWrapper.status_code_for_exception(error.class.name)
+          raise
+        ensure
+          append_info_to_payload(payload)
+        end
+      end
 
-    module ClassMethods
-      # A hook which allows other frameworks to log what happened during
-      # controller process action. This method should return an array
-      # with the messages to be added.
-      def log_process_action(payload) #:nodoc:
-        messages, view_runtime = [], payload[:view_runtime]
-        messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
-        messages
+      # A hook invoked every time a before callback is halted.
+      def halted_callback_hook(filter, _)
+        ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
+      end
+
+      # A hook which allows you to clean up any time, wrongly taken into account in
+      # views, like database querying time.
+      #
+      #   def cleanup_view_runtime
+      #     super - time_taken_in_something_expensive
+      #   end
+      def cleanup_view_runtime # :doc:
+        yield
+      end
+
+      # Every time after an action is processed, this method is invoked
+      # with the payload, so you can add more information.
+      def append_info_to_payload(payload) # :doc:
+        payload[:view_runtime] = view_runtime
+      end
+
+      module ClassMethods
+        # A hook which allows other frameworks to log what happened during
+        # controller process action. This method should return an array
+        # with the messages to be added.
+        def log_process_action(payload) # :nodoc:
+          messages, view_runtime = [], payload[:view_runtime]
+          messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
+          messages
+        end
       end
-    end
   end
 end