actionpack 5.2.8.1 → 6.0.6

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -23,6 +23,7 @@ by default and Action View rendering is implicitly triggered by Action
 Controller. However, these modules are designed to function on their own and
 can be used outside of Rails.
 
+You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.
 
 == Download and installation
 
@@ -32,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/5-2-stable/actionpack
+* https://github.com/rails/rails/tree/main/actionpack
 
 
 == License
@@ -46,7 +47,7 @@ Action Pack is released under the MIT license:
 
 API documentation is at:
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports for the Ruby on Rails project can be filed here:
 
@@ -54,4 +55,4 @@ Bug reports for the Ruby on Rails project can be filed here:
 
 Feature requests should be discussed on the rails-core mailing list here:
 
-* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core
+* https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/abstract_controller/base.rb

@@ -78,7 +78,9 @@ module AbstractController
             # Except for public instance methods of Base and its ancestors
             internal_methods +
             # Be sure to include shadowed public instance methods of this class
-            public_instance_methods(false)).uniq.map(&:to_s)
+            public_instance_methods(false))
+
+          methods.map!(&:to_s)
 
           methods.to_set
         end
@@ -102,7 +104,7 @@ module AbstractController
       # ==== Returns
       # * <tt>String</tt>
       def controller_path
-        @controller_path ||= name.sub(/Controller$/, "".freeze).underscore unless anonymous?
+        @controller_path ||= name.sub(/Controller$/, "").underscore unless anonymous?
       end
 
       # Refresh the cached action_methods when a new action_method is added.
@@ -174,7 +176,6 @@ module AbstractController
     end
 
     private
-
       # Returns true if the name can be considered an action because
       # it has a method defined in the controller.
       #

data/lib/abstract_controller/caching/fragments.rb

@@ -28,7 +28,6 @@ module AbstractController
         self.fragment_cache_keys = []
 
         if respond_to?(:helper_method)
-          helper_method :fragment_cache_key
           helper_method :combined_fragment_cache_key
         end
       end
@@ -60,35 +59,20 @@ module AbstractController
         end
       end
 
-      # Given a key (as described in +expire_fragment+), returns
-      # a key suitable for use in reading, writing, or expiring a
-      # cached fragment. All keys begin with <tt>views/</tt>,
-      # followed by any controller-wide key prefix values, ending
-      # with the specified +key+ value. The key is expanded using
-      # ActiveSupport::Cache.expand_cache_key.
-      def fragment_cache_key(key)
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          Calling fragment_cache_key directly is deprecated and will be removed in Rails 6.0.
-          All fragment accessors now use the combined_fragment_cache_key method that retains the key as an array,
-          such that the caching stores can interrogate the parts for cache versions used in
-          recyclable cache keys.
-        MSG
-
-        head = self.class.fragment_cache_keys.map { |k| instance_exec(&k) }
-        tail = key.is_a?(Hash) ? url_for(key).split("://").last : key
-        ActiveSupport::Cache.expand_cache_key([*head, *tail], :views)
-      end
-
       # Given a key (as described in +expire_fragment+), returns
       # a key array suitable for use in reading, writing, or expiring a
       # cached fragment. All keys begin with <tt>:views</tt>,
-      # followed by ENV["RAILS_CACHE_ID"] or ENV["RAILS_APP_VERSION"] if set,
+      # followed by <tt>ENV["RAILS_CACHE_ID"]</tt> or <tt>ENV["RAILS_APP_VERSION"]</tt> if set,
       # followed by any controller-wide key prefix values, ending
       # with the specified +key+ value.
       def combined_fragment_cache_key(key)
         head = self.class.fragment_cache_keys.map { |k| instance_exec(&k) }
         tail = key.is_a?(Hash) ? url_for(key).split("://").last : key
-        [ :views, (ENV["RAILS_CACHE_ID"] || ENV["RAILS_APP_VERSION"]), *head, *tail ].compact
+
+        cache_key = [:views, ENV["RAILS_CACHE_ID"] || ENV["RAILS_APP_VERSION"], head, tail]
+        cache_key.flatten!(1)
+        cache_key.compact!
+        cache_key
       end
 
       # Writes +content+ to the location signified by

data/lib/abstract_controller/caching.rb

@@ -15,7 +15,7 @@ module AbstractController
       end
 
       def cache_store=(store)
-        config.cache_store = ActiveSupport::Cache.lookup_store(store)
+        config.cache_store = ActiveSupport::Cache.lookup_store(*store)
       end
 
       private

data/lib/abstract_controller/callbacks.rb

@@ -103,6 +103,10 @@ module AbstractController
       # :call-seq: before_action(names, block)
       #
       # Append a callback before actions. See _insert_callbacks for parameter details.
+      #
+      # If the callback renders or redirects, the action will not run. If there
+      # are additional callbacks scheduled to run after that callback, they are
+      # also cancelled.
 
       ##
       # :method: prepend_before_action
@@ -110,6 +114,10 @@ module AbstractController
       # :call-seq: prepend_before_action(names, block)
       #
       # Prepend a callback before actions. See _insert_callbacks for parameter details.
+      #
+      # If the callback renders or redirects, the action will not run. If there
+      # are additional callbacks scheduled to run after that callback, they are
+      # also cancelled.
 
       ##
       # :method: skip_before_action
@@ -124,6 +132,10 @@ module AbstractController
       # :call-seq: append_before_action(names, block)
       #
       # Append a callback before actions. See _insert_callbacks for parameter details.
+      #
+      # If the callback renders or redirects, the action will not run. If there
+      # are additional callbacks scheduled to run after that callback, they are
+      # also cancelled.
 
       ##
       # :method: after_action

data/lib/abstract_controller/collector.rb

@@ -22,11 +22,10 @@ module AbstractController
     end
 
   private
-
     def method_missing(symbol, &block)
       unless mime_constant = Mime[symbol]
         raise NoMethodError, "To respond to a custom format, register it as a MIME type first: " \
-          "http://guides.rubyonrails.org/action_controller_overview.html#restful-downloads. " \
+          "https://guides.rubyonrails.org/action_controller_overview.html#restful-downloads. " \
           "If you meant to respond to a variant like :tablet or :phone, not a custom format, " \
           "be sure to nest your variant response within a format response: " \
           "format.html { |html| html.tablet { ... } }"

data/lib/abstract_controller/helpers.rb

@@ -17,7 +17,7 @@ module AbstractController
         @path  = "helpers/#{path}.rb"
         set_backtrace error.backtrace
 
-        if error.path =~ /^#{path}(\.rb)?$/
+        if /^#{path}(\.rb)?$/.match?(error.path)
           super("Missing helper file helpers/%s.rb" % path)
         else
           raise error
@@ -61,11 +61,12 @@ module AbstractController
         meths.flatten!
         self._helper_methods += meths
 
-        meths.each do |meth|
+        meths.each do |method|
           _helpers.class_eval <<-ruby_eval, __FILE__, __LINE__ + 1
-            def #{meth}(*args, &blk)                               # def current_user(*args, &blk)
-              controller.send(%(#{meth}), *args, &blk)             #   controller.send(:current_user, *args, &blk)
-            end                                                    # end
+            def #{method}(*args, &blk)                     # def current_user(*args, &blk)
+              controller.send(%(#{method}), *args, &blk)   #   controller.send(:current_user, *args, &blk)
+            end                                            # end
+            ruby2_keywords(%(#{method})) if respond_to?(:ruby2_keywords, true)
           ruby_eval
         end
       end
@@ -181,7 +182,7 @@ module AbstractController
         end
 
         def default_helper_module!
-          module_name = name.sub(/Controller$/, "".freeze)
+          module_name = name.sub(/Controller$/, "")
           module_path = module_name.underscore
           helper module_path
         rescue LoadError => e

data/lib/abstract_controller/railties/routes_helpers.rb

@@ -7,7 +7,7 @@ module AbstractController
         Module.new do
           define_method(:inherited) do |klass|
             super(klass)
-            if namespace = klass.parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
+            if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
               klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
             else
               klass.include(routes.url_helpers(include_path_helpers))

data/lib/abstract_controller/translation.rb

@@ -10,7 +10,7 @@ module AbstractController
     # <tt>I18n.translate("people.index.foo")</tt>. This makes it less repetitive
     # to translate many keys within the same controller / action and gives you a
     # simple framework for scoping them consistently.
-    def translate(key, options = {})
+    def translate(key, **options)
       if key.to_s.first == "."
         path = controller_path.tr("/", ".")
         defaults = [:"#{path}#{key}"]
@@ -18,13 +18,13 @@ module AbstractController
         options[:default] = defaults.flatten
         key = "#{path}.#{action_name}#{key}"
       end
-      I18n.translate(key, options)
+      I18n.translate(key, **options)
     end
     alias :t :translate
 
     # Delegates to <tt>I18n.localize</tt>. Also aliased as <tt>l</tt>.
-    def localize(*args)
-      I18n.localize(*args)
+    def localize(object, **options)
+      I18n.localize(object, **options)
     end
     alias :l :localize
   end

data/lib/action_controller/api.rb

@@ -12,7 +12,7 @@ module ActionController
   #
   # An API Controller is different from a normal controller in the sense that
   # by default it doesn't include a number of features that are usually required
-  # by browser access only: layouts and templates rendering, cookies, sessions,
+  # by browser access only: layouts and templates rendering,
   # flash, assets, and so on. This makes the entire controller stack thinner,
   # suitable for API applications. It doesn't mean you won't have such
   # features if you need them: they're all available for you to include in
@@ -122,6 +122,7 @@ module ActionController
 
       ForceSSL,
       DataStreaming,
+      DefaultHeaders,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.

data/lib/action_controller/base.rb

@@ -78,7 +78,7 @@ module ActionController
   #
   # You can retrieve it again through the same hash:
   #
-  #   Hello #{session[:person]}
+  #   "Hello #{session[:person]}"
   #
   # For removing objects from the session, you can either assign a single key to +nil+:
   #
@@ -232,6 +232,7 @@ module ActionController
       HttpAuthentication::Basic::ControllerMethods,
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
+      DefaultHeaders,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.
@@ -264,12 +265,6 @@ module ActionController
       PROTECTED_IVARS
     end
 
-    def self.make_response!(request)
-      ActionDispatch::Response.create.tap do |res|
-        res.request = request
-      end
-    end
-
     ActiveSupport.run_load_hooks(:action_controller_base, self)
     ActiveSupport.run_load_hooks(:action_controller, self)
   end

data/lib/action_controller/caching.rb

@@ -30,7 +30,6 @@ module ActionController
     end
 
     private
-
       def instrument_payload(key)
         {
           controller: controller_name,
@@ -40,7 +39,7 @@ module ActionController
       end
 
       def instrument_name
-        "action_controller".freeze
+        "action_controller"
       end
   end
 end

data/lib/action_controller/log_subscriber.rb

@@ -18,16 +18,19 @@ module ActionController
 
     def process_action(event)
       info do
-        payload   = event.payload
+        payload = event.payload
         additions = ActionController::Base.log_process_action(payload)
-
         status = payload[:status]
+
         if status.nil? && payload[:exception].present?
           exception_class_name = payload[:exception].first
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms".dup
-        message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
+
+        additions << "Allocations: #{event.allocations}"
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << " (#{additions.join(" | ")})" unless additions.empty?
         message << "\n\n" if defined?(Rails.env) && Rails.env.development?
 
         message
@@ -53,7 +56,7 @@ module ActionController
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        "Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}"
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}", RED)
       end
     end
 

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -6,7 +6,7 @@ module ActionController
       super.tap { default_render unless performed? }
     end
 
-    def default_render(*args)
+    def default_render
       head :no_content
     end
   end

data/lib/action_controller/metal/conditional_get.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/hash/keys"
-
 module ActionController
   module ConditionalGet
     extend ActiveSupport::Concern
@@ -230,12 +228,20 @@ module ActionController
     # This method will overwrite an existing Cache-Control header.
     # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
+    # HTTP Cache-Control Extensions for Stale Content. See https://tools.ietf.org/html/rfc5861
+    # It helps to cache an asset and serve it while is being revalidated and/or returning with an error.
+    #
+    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds
+    #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
+    #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(
         max_age: seconds,
         public: options.delete(:public),
-        must_revalidate: options.delete(:must_revalidate)
+        must_revalidate: options.delete(:must_revalidate),
+        stale_while_revalidate: options.delete(:stale_while_revalidate),
+        stale_if_error: options.delete(:stale_if_error),
       )
       options.delete(:private)
 

data/lib/action_controller/metal/content_security_policy.rb

@@ -36,7 +36,6 @@ module ActionController #:nodoc:
     end
 
     private
-
       def content_security_policy?
         request.content_security_policy
       end

data/lib/action_controller/metal/data_streaming.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "action_controller/metal/exceptions"
+require "action_dispatch/http/content_disposition"
 
 module ActionController #:nodoc:
   # Methods for sending arbitrary data and for streaming files to the browser,
@@ -10,8 +11,8 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream".freeze #:nodoc:
-    DEFAULT_SEND_FILE_DISPOSITION = "attachment".freeze #:nodoc:
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" #:nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment" #:nodoc:
 
     private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
@@ -132,10 +133,8 @@ module ActionController #:nodoc:
         end
 
         disposition = options.fetch(:disposition, DEFAULT_SEND_FILE_DISPOSITION)
-        unless disposition.nil?
-          disposition  = disposition.to_s
-          disposition += %(; filename="#{options[:filename]}") if options[:filename]
-          headers["Content-Disposition"] = disposition
+        if disposition
+          headers["Content-Disposition"] = ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: options[:filename])
         end
 
         headers["Content-Transfer-Encoding"] = "binary"

data/lib/action_controller/metal/default_headers.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ActionController
+  # Allows configuring default headers that will be automatically merged into
+  # each response.
+  module DefaultHeaders
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def make_response!(request)
+        ActionDispatch::Response.create.tap do |res|
+          res.request = request
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -51,7 +51,7 @@ module ActionController
       end
 
       def lookup_and_digest_template(template)
-        ActionView::Digestor.digest name: template, finder: lookup_context
+        ActionView::Digestor.digest name: template, format: nil, finder: lookup_context
       end
   end
 end

data/lib/action_controller/metal/exceptions.rb

@@ -22,12 +22,12 @@ module ActionController
     end
   end
 
-  class ActionController::UrlGenerationError < ActionControllerError #:nodoc:
+  class UrlGenerationError < ActionControllerError #:nodoc:
   end
 
   class MethodNotAllowed < ActionControllerError #:nodoc:
     def initialize(*allowed_methods)
-      super("Only #{allowed_methods.to_sentence(locale: :en)} requests are allowed.")
+      super("Only #{allowed_methods.to_sentence} requests are allowed.")
     end
   end
 
@@ -50,4 +50,25 @@ module ActionController
 
   class UnknownFormat < ActionControllerError #:nodoc:
   end
+
+  # Raised when a nested respond_to is triggered and the content types of each
+  # are incompatible. For example:
+  #
+  #  respond_to do |outer_type|
+  #    outer_type.js do
+  #      respond_to do |inner_type|
+  #        inner_type.html { render body: "HTML" }
+  #      end
+  #    end
+  #  end
+  class RespondToMismatchError < ActionControllerError
+    DEFAULT_MESSAGE = "respond_to was called multiple times and matched with conflicting formats in this action. Please note that you may only call respond_to and match on a single format per action."
+
+    def initialize(message = nil)
+      super(message || DEFAULT_MESSAGE)
+    end
+  end
+
+  class MissingExactTemplate < UnknownFormat #:nodoc:
+  end
 end

data/lib/action_controller/metal/flash.rb

@@ -36,7 +36,7 @@ module ActionController #:nodoc:
           define_method(type) do
             request.flash[type]
           end
-          helper_method type
+          helper_method(type) if respond_to?(:helper_method)
 
           self._flash_types += [type]
         end
@@ -44,18 +44,18 @@ module ActionController #:nodoc:
     end
 
     private
-      def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
         self.class._flash_types.each do |flash_type|
-          if type = response_status_and_flash.delete(flash_type)
+          if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type
           end
         end
 
-        if other_flashes = response_status_and_flash.delete(:flash)
+        if other_flashes = response_options_and_flash.delete(:flash)
           flash.update(other_flashes)
         end
 
-        super(options, response_status_and_flash)
+        super(options, response_options_and_flash)
       end
   end
 end

data/lib/action_controller/metal/force_ssl.rb

@@ -4,18 +4,10 @@ require "active_support/core_ext/hash/except"
 require "active_support/core_ext/hash/slice"
 
 module ActionController
-  # This module provides a method which will redirect the browser to use the secured HTTPS
-  # protocol. This will ensure that users' sensitive information will be
-  # transferred safely over the internet. You _should_ always force the browser
-  # to use HTTPS when you're transferring sensitive information such as
-  # user authentication, account information, or credit card information.
-  #
-  # Note that if you are really concerned about your application security,
-  # you might consider using +config.force_ssl+ in your config file instead.
-  # That will ensure all the data is transferred via HTTPS, and will
-  # prevent the user from getting their session hijacked when accessing the
-  # site over unsecured HTTP protocol.
-  module ForceSSL
+  # This module is deprecated in favor of +config.force_ssl+ in your environment
+  # config file. This will ensure all endpoints not explicitly marked otherwise
+  # will have all communication served over HTTPS.
+  module ForceSSL # :nodoc:
     extend ActiveSupport::Concern
     include AbstractController::Callbacks
 
@@ -23,45 +15,17 @@ module ActionController
     URL_OPTIONS = [:protocol, :host, :domain, :subdomain, :port, :path]
     REDIRECT_OPTIONS = [:status, :flash, :alert, :notice]
 
-    module ClassMethods
-      # Force the request to this particular controller or specified actions to be
-      # through the HTTPS protocol.
-      #
-      # If you need to disable this for any reason (e.g. development) then you can use
-      # an +:if+ or +:unless+ condition.
-      #
-      #     class AccountsController < ApplicationController
-      #       force_ssl if: :ssl_configured?
-      #
-      #       def ssl_configured?
-      #         !Rails.env.development?
-      #       end
-      #     end
-      #
-      # ==== URL Options
-      # You can pass any of the following options to affect the redirect URL
-      # * <tt>host</tt>       - Redirect to a different host name
-      # * <tt>subdomain</tt>  - Redirect to a different subdomain
-      # * <tt>domain</tt>     - Redirect to a different domain
-      # * <tt>port</tt>       - Redirect to a non-standard port
-      # * <tt>path</tt>       - Redirect to a different path
-      #
-      # ==== Redirect Options
-      # You can pass any of the following options to affect the redirect status and response
-      # * <tt>status</tt>     - Redirect with a custom status (default is 301 Moved Permanently)
-      # * <tt>flash</tt>      - Set a flash message when redirecting
-      # * <tt>alert</tt>      - Set an alert message when redirecting
-      # * <tt>notice</tt>     - Set a notice message when redirecting
-      #
-      # ==== Action Options
-      # You can pass any of the following options to affect the before_action callback
-      # * <tt>only</tt>       - The callback should be run only for this action
-      # * <tt>except</tt>     - The callback should be run for all actions except this action
-      # * <tt>if</tt>         - A symbol naming an instance method or a proc; the
-      #   callback will be called only when it returns a true value.
-      # * <tt>unless</tt>     - A symbol naming an instance method or a proc; the
-      #   callback will be called only when it returns a false value.
+    module ClassMethods # :nodoc:
       def force_ssl(options = {})
+        ActiveSupport::Deprecation.warn(<<-MESSAGE.squish)
+          Controller-level `force_ssl` is deprecated and will be removed from
+          Rails 6.1. Please enable `config.force_ssl` in your environment
+          configuration to enable the ActionDispatch::SSL middleware to more
+          fully enforce that your application communicate over HTTPS. If needed,
+          you can use `config.ssl_options` to exempt matching endpoints from
+          being redirected to HTTPS.
+        MESSAGE
+
         action_options = options.slice(*ACTION_OPTIONS)
         redirect_options = options.except(*ACTION_OPTIONS)
         before_action(action_options) do
@@ -70,18 +34,13 @@ module ActionController
       end
     end
 
-    # Redirect the existing request to use the HTTPS protocol.
-    #
-    # ==== Parameters
-    # * <tt>host_or_options</tt> - Either a host name or any of the URL and
-    #   redirect options available to the <tt>force_ssl</tt> method.
     def force_ssl_redirect(host_or_options = nil)
       unless request.ssl?
         options = {
           protocol: "https://",
           host: request.host,
           path: request.fullpath,
-          status: :moved_permanently
+          status: :moved_permanently,
         }
 
         if host_or_options.is_a?(Hash)

data/lib/action_controller/metal/head.rb

@@ -38,7 +38,7 @@ module ActionController
       self.response_body = ""
 
       if include_content?(response_code)
-        self.content_type = content_type || (Mime[formats.first] if formats)
+        self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
         response.charset = false
       end