actionpack 5.2.4.4 → 6.1.1

data/lib/abstract_controller/railties/routes_helpers.rb

@@ -7,7 +7,7 @@ module AbstractController
         Module.new do
           define_method(:inherited) do |klass|
             super(klass)
-            if namespace = klass.parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
+            if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
               klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
             else
               klass.include(routes.url_helpers(include_path_helpers))

data/lib/abstract_controller/rendering.rb

@@ -28,6 +28,7 @@ module AbstractController
       else
         _set_rendered_content_type rendered_format
       end
+      _set_vary_header
       self.response_body = rendered_body
     end
 
@@ -55,20 +56,16 @@ module AbstractController
       Mime[:text]
     end
 
-    DEFAULT_PROTECTED_INSTANCE_VARIABLES = Set.new %i(
-      @_action_name @_response_body @_formats @_prefixes
-    )
+    DEFAULT_PROTECTED_INSTANCE_VARIABLES = %i(@_action_name @_response_body @_formats @_prefixes)
 
     # This method should return a hash with assigns.
     # You can overwrite this configuration per controller.
     def view_assigns
-      protected_vars = _protected_ivars
-      variables      = instance_variables
+      variables = instance_variables - _protected_ivars
 
-      variables.reject! { |s| protected_vars.include? s }
-      variables.each_with_object({}) { |name, hash|
+      variables.each_with_object({}) do |name, hash|
         hash[name.slice(1, name.length)] = instance_variable_get(name)
-      }
+      end
     end
 
   private
@@ -109,6 +106,9 @@ module AbstractController
     def _set_html_content_type # :nodoc:
     end
 
+    def _set_vary_header # :nodoc:
+    end
+
     def _set_rendered_content_type(format) # :nodoc:
     end
 
@@ -120,7 +120,7 @@ module AbstractController
       options
     end
 
-    def _protected_ivars # :nodoc:
+    def _protected_ivars
       DEFAULT_PROTECTED_INSTANCE_VARIABLES
     end
   end

data/lib/abstract_controller/translation.rb

@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/symbol/starts_ends_with"
+
 module AbstractController
   module Translation
+    mattr_accessor :raise_on_missing_translations, default: false
+
     # Delegates to <tt>I18n.translate</tt>. Also aliased as <tt>t</tt>.
     #
     # When the given key starts with a period, it will be scoped by the current
@@ -10,21 +14,23 @@ module AbstractController
     # <tt>I18n.translate("people.index.foo")</tt>. This makes it less repetitive
     # to translate many keys within the same controller / action and gives you a
     # simple framework for scoping them consistently.
-    def translate(key, options = {})
-      if key.to_s.first == "."
+    def translate(key, **options)
+      if key&.start_with?(".")
         path = controller_path.tr("/", ".")
         defaults = [:"#{path}#{key}"]
         defaults << options[:default] if options[:default]
         options[:default] = defaults.flatten
         key = "#{path}.#{action_name}#{key}"
       end
-      I18n.translate(key, options)
+
+      i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
+      I18n.translate(key, **options, raise: i18n_raise)
     end
     alias :t :translate
 
     # Delegates to <tt>I18n.localize</tt>. Also aliased as <tt>l</tt>.
-    def localize(*args)
-      I18n.localize(*args)
+    def localize(object, **options)
+      I18n.localize(object, **options)
     end
     alias :l :localize
   end

data/lib/action_controller.rb

@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
-require "active_support/rails"
 require "abstract_controller"
 require "action_dispatch"
-require "action_controller/metal/live"
 require "action_controller/metal/strong_parameters"
 
 module ActionController
@@ -12,7 +10,6 @@ module ActionController
   autoload :API
   autoload :Base
   autoload :Metal
-  autoload :Middleware
   autoload :Renderer
   autoload :FormBuilder
 
@@ -21,20 +18,26 @@ module ActionController
   end
 
   autoload_under "metal" do
+    eager_autoload do
+      autoload :Live
+    end
+
     autoload :ConditionalGet
     autoload :ContentSecurityPolicy
     autoload :Cookies
     autoload :DataStreaming
+    autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
+    autoload :PermissionsPolicy
     autoload :Flash
-    autoload :ForceSSL
     autoload :Head
     autoload :Helpers
     autoload :HttpAuthentication
     autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
+    autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
     autoload :Redirecting

data/lib/action_controller/api.rb

@@ -12,7 +12,7 @@ module ActionController
   #
   # An API Controller is different from a normal controller in the sense that
   # by default it doesn't include a number of features that are usually required
-  # by browser access only: layouts and templates rendering, cookies, sessions,
+  # by browser access only: layouts and templates rendering,
   # flash, assets, and so on. This makes the entire controller stack thinner,
   # suitable for API applications. It doesn't mean you won't have such
   # features if you need them: they're all available for you to include in
@@ -93,7 +93,7 @@ module ActionController
     # the ones passed as arguments:
     #
     #   class MyAPIBaseController < ActionController::Metal
-    #     ActionController::API.without_modules(:ForceSSL, :UrlFor).each do |left|
+    #     ActionController::API.without_modules(:UrlFor).each do |left|
     #       include left
     #     end
     #   end
@@ -120,8 +120,9 @@ module ActionController
       BasicImplicitRender,
       StrongParameters,
 
-      ForceSSL,
       DataStreaming,
+      DefaultHeaders,
+      Logging,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.

data/lib/action_controller/base.rb

@@ -78,7 +78,7 @@ module ActionController
   #
   # You can retrieve it again through the same hash:
   #
-  #   Hello #{session[:person]}
+  #   "Hello #{session[:person]}"
   #
   # For removing objects from the session, you can either assign a single key to +nil+:
   #
@@ -226,12 +226,14 @@ module ActionController
       FormBuilder,
       RequestForgeryProtection,
       ContentSecurityPolicy,
-      ForceSSL,
+      PermissionsPolicy,
       Streaming,
       DataStreaming,
       HttpAuthentication::Basic::ControllerMethods,
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
+      DefaultHeaders,
+      Logging,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.
@@ -260,15 +262,10 @@ module ActionController
       @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
     )
 
-    def _protected_ivars # :nodoc:
+    def _protected_ivars
       PROTECTED_IVARS
     end
-
-    def self.make_response!(request)
-      ActionDispatch::Response.create.tap do |res|
-        res.request = request
-      end
-    end
+    private :_protected_ivars
 
     ActiveSupport.run_load_hooks(:action_controller_base, self)
     ActiveSupport.run_load_hooks(:action_controller, self)

data/lib/action_controller/caching.rb

@@ -22,7 +22,6 @@ module ActionController
   #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
   #   config.action_controller.cache_store = MyOwnStore.new('parameter')
   module Caching
-    extend ActiveSupport::Autoload
     extend ActiveSupport::Concern
 
     included do
@@ -30,7 +29,6 @@ module ActionController
     end
 
     private
-
       def instrument_payload(key)
         {
           controller: controller_name,
@@ -40,7 +38,7 @@ module ActionController
       end
 
       def instrument_name
-        "action_controller".freeze
+        "action_controller"
       end
   end
 end

data/lib/action_controller/log_subscriber.rb

@@ -11,6 +11,7 @@ module ActionController
       params  = payload[:params].except(*INTERNAL_PARAMS)
       format  = payload[:format]
       format  = format.to_s.upcase if format.is_a?(Symbol)
+      format  = "*/*" if format.nil?
 
       info "Processing by #{payload[:controller]}##{payload[:action]} as #{format}"
       info "  Parameters: #{params.inspect}" unless params.empty?
@@ -18,16 +19,18 @@ module ActionController
 
     def process_action(event)
       info do
-        payload   = event.payload
+        payload = event.payload
         additions = ActionController::Base.log_process_action(payload)
-
         status = payload[:status]
-        if status.nil? && payload[:exception].present?
-          exception_class_name = payload[:exception].first
+
+        if status.nil? && (exception_class_name = payload[:exception].first)
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms".dup
-        message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
+
+        additions << "Allocations: #{event.allocations}"
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << " (#{additions.join(" | ")})"
         message << "\n\n" if defined?(Rails.env) && Rails.env.development?
 
         message
@@ -53,7 +56,7 @@ module ActionController
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}"
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}", RED)
       end
     end
 

data/lib/action_controller/metal.rb

@@ -35,7 +35,6 @@ module ActionController
     end
 
     private
-
       INCLUDE = ->(list, action) { list.include? action }
       EXCLUDE = ->(list, action) { !list.include? action }
       NULL    = ->(list, action) { true }
@@ -127,7 +126,7 @@ module ActionController
     # ==== Returns
     # * <tt>string</tt>
     def self.controller_name
-      @controller_name ||= name.demodulize.sub(/Controller$/, "").underscore
+      @controller_name ||= (name.demodulize.delete_suffix("Controller").underscore unless anonymous?)
     end
 
     def self.make_response!(request)
@@ -136,7 +135,7 @@ module ActionController
       end
     end
 
-    def self.binary_params_for?(action) # :nodoc:
+    def self.action_encoding_template(action) # :nodoc:
       false
     end
 
@@ -148,7 +147,7 @@ module ActionController
     attr_internal :response, :request
     delegate :session, to: "@_request"
     delegate :headers, :status=, :location=, :content_type=,
-             :status, :location, :content_type, to: "@_response"
+             :status, :location, :content_type, :media_type, to: "@_response"
 
     def initialize
       @_request = nil
@@ -217,10 +216,13 @@ module ActionController
       super
     end
 
-    # Pushes the given Rack middleware and its arguments to the bottom of the
-    # middleware stack.
-    def self.use(*args, &block)
-      middleware_stack.use(*args, &block)
+    class << self
+      # Pushes the given Rack middleware and its arguments to the bottom of the
+      # middleware stack.
+      def use(*args, &block)
+        middleware_stack.use(*args, &block)
+      end
+      ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
     end
 
     # Alias for +middleware_stack+.

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -6,7 +6,7 @@ module ActionController
       super.tap { default_render unless performed? }
     end
 
-    def default_render(*args)
+    def default_render
       head :no_content
     end
   end

data/lib/action_controller/metal/conditional_get.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/object/try"
+require "active_support/core_ext/integer/time"
 
 module ActionController
   module ConditionalGet
@@ -19,12 +20,12 @@ module ActionController
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
-      #     etag { current_user.try :id }
+      #     etag { current_user&.id }
       #
       #     def show
       #       # Etag will differ even for the same invoice when it's viewed by a different current_user
       #       @invoice = Invoice.find(params[:id])
-      #       fresh_when(@invoice)
+      #       fresh_when etag: @invoice
       #     end
       #   end
       def etag(&etagger)
@@ -181,7 +182,7 @@ module ActionController
     #
     # You can also pass an object that responds to +maximum+, such as a
     # collection of active records. In this case +last_modified+ will be set by
-    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
     # most recently updated record) and the +etag+ by passing the object itself.
     #
     #   def index
@@ -230,12 +231,25 @@ module ActionController
     # This method will overwrite an existing Cache-Control header.
     # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
+    # HTTP Cache-Control Extensions for Stale Content. See https://tools.ietf.org/html/rfc5861
+    # It helps to cache an asset and serve it while is being revalidated and/or returning with an error.
+    #
+    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds
+    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
+    #
+    # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+    # Any additional key-value pairs are concatenated onto the `Cache-Control` header in the response:
+    #
+    #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
+    #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(
         max_age: seconds,
         public: options.delete(:public),
-        must_revalidate: options.delete(:must_revalidate)
+        must_revalidate: options.delete(:must_revalidate),
+        stale_while_revalidate: options.delete(:stale_while_revalidate),
+        stale_if_error: options.delete(:stale_if_error),
       )
       options.delete(:private)
 

data/lib/action_controller/metal/content_security_policy.rb

@@ -36,7 +36,6 @@ module ActionController #:nodoc:
     end
 
     private
-
       def content_security_policy?
         request.content_security_policy
       end
@@ -46,7 +45,7 @@ module ActionController #:nodoc:
       end
 
       def current_content_security_policy
-        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+        request.content_security_policy&.clone || ActionDispatch::ContentSecurityPolicy.new
       end
   end
 end

data/lib/action_controller/metal/cookies.rb

@@ -9,7 +9,9 @@ module ActionController #:nodoc:
     end
 
     private
-      def cookies
+      # The cookies for the current request. See ActionDispatch::Cookies for
+      # more information.
+      def cookies # :doc:
         request.cookie_jar
       end
   end

data/lib/action_controller/metal/data_streaming.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "action_controller/metal/exceptions"
+require "action_dispatch/http/content_disposition"
 
 module ActionController #:nodoc:
   # Methods for sending arbitrary data and for streaming files to the browser,
@@ -10,8 +11,8 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream".freeze #:nodoc:
-    DEFAULT_SEND_FILE_DISPOSITION = "attachment".freeze #:nodoc:
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" #:nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment" #:nodoc:
 
     private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
@@ -52,7 +53,7 @@ module ActionController #:nodoc:
       #
       # Show a 404 page in the browser:
       #
-      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', status: 404
+      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description) in
@@ -132,10 +133,8 @@ module ActionController #:nodoc:
         end
 
         disposition = options.fetch(:disposition, DEFAULT_SEND_FILE_DISPOSITION)
-        unless disposition.nil?
-          disposition  = disposition.to_s
-          disposition += %(; filename="#{options[:filename]}") if options[:filename]
-          headers["Content-Disposition"] = disposition
+        if disposition
+          headers["Content-Disposition"] = ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: options[:filename])
         end
 
         headers["Content-Transfer-Encoding"] = "binary"