actionpack 6.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b8db1d871d96c2bc367142553c0904b94c3d97016dabf79b4a6b8937bca18936
+  data.tar.gz: 667375200f2d159a53b70dbf607d35c37422e4289dbede8ff83da7cebad95f47
+SHA512:
+  metadata.gz: e19317e121515e9866836182682c94f5d71f9d70236c710a41680ae9caa4b2376f888e975ff287a6cbb1f187547c59e9f7583ab410a2f437a01b2a57abf725c1
+  data.tar.gz: 21557eab0cd33607cbbd3e020d2dae220df079be98ccdeca0e93340824801f695a01fb882de686d9eddddeb2eaf5d165eec64d2eaa40981537baa8379bb98cc3

data/CHANGELOG.md

@@ -0,0 +1,311 @@
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   No changes.
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   Add the ability to set the CSP nonce only to the specified directives.
+
+    Fixes #35137.
+
+    *Yuji Yaginuma*
+
+*   Keep part when scope option has value.
+
+    When a route was defined within an optional scope, if that route didn't
+    take parameters the scope was lost when using path helpers. This commit
+    ensures scope is kept both when the route takes parameters or when it
+    doesn't.
+
+    Fixes #33219
+
+    *Alberto Almagro*
+
+*   Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
+
+    Previously, `ActionDispatch::Response#content_type` returned value does NOT
+    contain charset part. This behavior changed to returned Content-Type header
+    containing charset part as it is.
+
+    If you want just MIME type, please use `ActionDispatch::Response#media_type`
+    instead.
+
+    Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
+    If not enabled, `ActionDispatch::Response#content_type` returns the same
+    value as before version, but its behavior is deprecate.
+
+    *Yuji Yaginuma*
+
+*   Calling `ActionController::Parameters#transform_keys/!` without a block now returns
+    an enumerator for the parameters instead of the underlying hash.
+
+    *Eugene Kenny*
+
+*   Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
+
+    *Yuki Nishijima*, *Stan Lo*
+
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Make system tests take a failed screenshot in a `before_teardown` hook
+    rather than an `after_teardown` hook.
+
+    This helps minimize the time gap between when an assertion fails and when
+    the screenshot is taken (reducing the time in which the page could have
+    been dynamically updated after the assertion failed).
+
+    *Richard Macklin*
+
+*   Introduce `ActionDispatch::ActionableExceptions`.
+
+    The `ActionDispatch::ActionableExceptions` middleware dispatches actions
+    from `ActiveSupport::ActionableError` descendants.
+
+    Actionable errors let's you dispatch actions from Rails' error pages.
+
+    *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
+
+*   Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
+
+    After this change it's not possible anymore to configure routes like this:
+
+    ```
+    routes.draw do
+      resources :users, param: 'name/:sneaky'
+    end
+    ```
+
+    Fixes #30467.
+
+    *Josua Schmid*
+
+
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+*   No changes.
+
+
+## Rails 6.0.0.beta2 (February 25, 2019) ##
+
+*   Make debug exceptions works in an environment where ActiveStorage is not loaded.
+
+    *Tomoyuki Kurosawa*
+
+*   `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
+    to define specific browser capabilities.
+
+    *Edouard Chin*
+
+
+## Rails 6.0.0.beta1 (January 18, 2019) ##
+
+*   Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated methods in `ActionDispatch::TestResponse`.
+
+    `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
+    `#successful?`, `not_found?` and `server_error?`.
+
+    *Rafael Mendonça França*
+
+*   Introduce `ActionDispatch::HostAuthorization`.
+
+    This is a new middleware that guards against DNS rebinding attacks by
+    explicitly permitting the hosts a request can be made to.
+
+    Each host is checked with the case operator (`#===`) to support `Regexp`,
+    `Proc`, `IPAddr` and custom objects as host allowances.
+
+    *Genadi Samokovarov*
+
+*   Allow using `parsed_body` in `ActionController::TestCase`.
+
+    In addition to `ActionDispatch::IntegrationTest`, allow using
+    `parsed_body` in `ActionController::TestCase`:
+
+    ```
+    class SomeControllerTest < ActionController::TestCase
+      def test_some_action
+        post :action, body: { foo: 'bar' }
+        assert_equal({ "foo" => "bar" }, response.parsed_body)
+      end
+    end
+    ```
+
+    Fixes #34676.
+
+    *Tobias Bühlmann*
+
+*   Raise an error on root route naming conflicts.
+
+    Raises an `ArgumentError` when multiple root routes are defined in the
+    same context instead of assigning nil names to subsequent roots.
+
+    *Gannon McGibbon*
+
+*   Allow rescue from parameter parse errors:
+
+    ```
+    rescue_from ActionDispatch::Http::Parameters::ParseError do
+      head :unauthorized
+    end
+    ```
+
+    *Gannon McGibbon*, *Josh Cheek*
+
+*   Reset Capybara sessions if failed system test screenshot raising an exception.
+
+    Reset Capybara sessions if `take_failed_screenshot` raise exception
+    in system test `after_teardown`.
+
+    *Maxim Perepelitsa*
+
+*   Use request object for context if there's no controller
+
+    There is no controller instance when using a redirect route or a
+    mounted rack application so pass the request object as the context
+    when resolving dynamic CSP sources in this scenario.
+
+    Fixes #34200.
+
+    *Andrew White*
+
+*   Apply mapping to symbols returned from dynamic CSP sources
+
+    Previously if a dynamic source returned a symbol such as :self it
+    would be converted to a string implicitly, e.g:
+
+        policy.default_src -> { :self }
+
+    would generate the header:
+
+        Content-Security-Policy: default-src self
+
+    and now it generates:
+
+        Content-Security-Policy: default-src 'self'
+
+    *Andrew White*
+
+*   Add `ActionController::Parameters#each_value`.
+
+    *Lukáš Zapletal*
+
+*   Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
+
+    *Yoshiyuki Kinjo*
+
+*   Encode Content-Disposition filenames on `send_data` and `send_file`.
+    Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
+    `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
+    garbled.
+    Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
+    [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
+    `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
+    Most browsers can find filename correctly and old browsers fallback to ASCII
+    converted name.
+
+    *Fumiaki Matsushima*
+
+*   Expose `ActionController::Parameters#each_key` which allows iterating over
+    keys without allocating an array.
+
+    *Richard Schneeman*
+
+*   Purpose metadata for signed/encrypted cookies.
+
+    Rails can now thwart attacks that attempt to copy signed/encrypted value
+    of a cookie and use it as the value of another cookie.
+
+    It does so by stashing the cookie-name in the purpose field which is
+    then signed/encrypted along with the cookie value. Then, on a server-side
+    read, we verify the cookie-names and discard any attacked cookies.
+
+    Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
+    writes cookies with the new purpose and expiry metadata embedded.
+
+    *Assain Jaleel*
+
+*   Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
+
+    `respond_to` can match multiple types and lead to undefined behavior when
+    multiple invocations are made and the types do not match:
+
+        respond_to do |outer_type|
+          outer_type.js do
+            respond_to do |inner_type|
+              inner_type.html { render body: "HTML" }
+            end
+          end
+        end
+
+    *Patrick Toomey*
+
+*   `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
+
+    This allows uploaded file objects to be passed directly to `File.read`
+    without raising a `TypeError`:
+
+        uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
+        File.read(uploaded_file)
+
+    *Aaron Kromer*
+
+*   Pass along arguments to underlying `get` method in `follow_redirect!`
+
+    Now all arguments passed to `follow_redirect!` are passed to the underlying
+    `get` method. This for example allows to set custom headers for the
+    redirection request to the server.
+
+        follow_redirect!(params: { foo: :bar })
+
+    *Remo Fritzsche*
+
+*   Introduce a new error page to when the implicit render page is accessed in the browser.
+
+    Now instead of showing an error page that with exception and backtraces we now show only
+    one informative page.
+
+    *Vinicius Stock*
+
+*   Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
+
+    Exception aware plugin authors can use the newly introduced
+    `.register_interceptor` method to get the processed exception, instead of
+    monkey patching DebugExceptions.
+
+        ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
+          HypoteticalPlugin.capture_exception(request, exception)
+        end
+
+    *Genadi Samokovarov*
+
+*   Output only one Content-Security-Policy nonce header value per request.
+
+    Fixes #32597.
+
+    *Andrey Novikov*, *Andrew White*
+
+*   Move default headers configuration into their own module that can be included in controllers.
+
+    *Kevin Deisz*
+
+*   Add method `dig` to `session`.
+
+    *claudiob*, *Takumi Shotoku*
+
+*   Controller level `force_ssl` has been deprecated in favor of
+    `config.force_ssl`.
+
+    *Derek Prior*
+
+*   Rails 6 requires Ruby 2.5.0 or newer.
+
+    *Jeremy Daer*, *Kasper Timm Hansen*
+
+
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2004-2019 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.rdoc

@@ -0,0 +1,58 @@
+= Action Pack -- From request to response
+
+Action Pack is a framework for handling and responding to web requests. It
+provides mechanisms for *routing* (mapping request URLs to actions), defining
+*controllers* that implement actions, and generating responses by rendering
+*views*, which are templates of various formats. In short, Action Pack
+provides the view and controller layers in the MVC paradigm.
+
+It consists of several modules:
+
+* Action Dispatch, which parses information about the web request, handles
+  routing as defined by the user, and does advanced processing related to HTTP
+  such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies,
+  handling HTTP caching logic, cookies and sessions.
+
+* Action Controller, which provides a base controller class that can be
+  subclassed to implement filters and actions to handle requests. The result
+  of an action is typically content generated from views.
+
+With the Ruby on Rails framework, users only directly interface with the
+Action Controller module. Necessary Action Dispatch functionality is activated
+by default and Action View rendering is implicitly triggered by Action
+Controller. However, these modules are designed to function on their own and
+can be used outside of Rails.
+
+You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.
+
+== Download and installation
+
+The latest version of Action Pack can be installed with RubyGems:
+
+  $ gem install actionpack
+
+Source code can be downloaded as part of the Rails project on GitHub:
+
+* https://github.com/rails/rails/tree/master/actionpack
+
+
+== License
+
+Action Pack is released under the MIT license:
+
+* https://opensource.org/licenses/MIT
+
+
+== Support
+
+API documentation is at:
+
+* https://api.rubyonrails.org
+
+Bug reports for the Ruby on Rails project can be filed here:
+
+* https://github.com/rails/rails/issues
+
+Feature requests should be discussed on the rails-core mailing list here:
+
+* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core

data/lib/abstract_controller.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "action_pack"
+require "active_support/rails"
+require "active_support/i18n"
+
+module AbstractController
+  extend ActiveSupport::Autoload
+
+  autoload :ActionNotFound, "abstract_controller/base"
+  autoload :Base
+  autoload :Caching
+  autoload :Callbacks
+  autoload :Collector
+  autoload :DoubleRenderError, "abstract_controller/rendering"
+  autoload :Helpers
+  autoload :Logger
+  autoload :Rendering
+  autoload :Translation
+  autoload :AssetPaths
+  autoload :UrlFor
+
+  def self.eager_load!
+    super
+    AbstractController::Caching.eager_load!
+  end
+end

data/lib/abstract_controller/asset_paths.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module AbstractController
+  module AssetPaths #:nodoc:
+    extend ActiveSupport::Concern
+
+    included do
+      config_accessor :asset_host, :assets_dir, :javascripts_dir,
+        :stylesheets_dir, :default_asset_host_protocol, :relative_url_root
+    end
+  end
+end

data/lib/abstract_controller/base.rb

@@ -0,0 +1,267 @@
+# frozen_string_literal: true
+
+require "abstract_controller/error"
+require "active_support/configurable"
+require "active_support/descendants_tracker"
+require "active_support/core_ext/module/anonymous"
+require "active_support/core_ext/module/attr_internal"
+
+module AbstractController
+  # Raised when a non-existing controller action is triggered.
+  class ActionNotFound < StandardError
+  end
+
+  # AbstractController::Base is a low-level API. Nobody should be
+  # using it directly, and subclasses (like ActionController::Base) are
+  # expected to provide their own +render+ method, since rendering means
+  # different things depending on the context.
+  class Base
+    ##
+    # Returns the body of the HTTP response sent by the controller.
+    attr_internal :response_body
+
+    ##
+    # Returns the name of the action this controller is processing.
+    attr_internal :action_name
+
+    ##
+    # Returns the formats that can be processed by the controller.
+    attr_internal :formats
+
+    include ActiveSupport::Configurable
+    extend ActiveSupport::DescendantsTracker
+
+    class << self
+      attr_reader :abstract
+      alias_method :abstract?, :abstract
+
+      # Define a controller as abstract. See internal_methods for more
+      # details.
+      def abstract!
+        @abstract = true
+      end
+
+      def inherited(klass) # :nodoc:
+        # Define the abstract ivar on subclasses so that we don't get
+        # uninitialized ivar warnings
+        unless klass.instance_variable_defined?(:@abstract)
+          klass.instance_variable_set(:@abstract, false)
+        end
+        super
+      end
+
+      # A list of all internal methods for a controller. This finds the first
+      # abstract superclass of a controller, and gets a list of all public
+      # instance methods on that abstract class. Public instance methods of
+      # a controller would normally be considered action methods, so methods
+      # declared on abstract classes are being removed.
+      # (<tt>ActionController::Metal</tt> and ActionController::Base are defined as abstract)
+      def internal_methods
+        controller = self
+
+        controller = controller.superclass until controller.abstract?
+        controller.public_instance_methods(true)
+      end
+
+      # A list of method names that should be considered actions. This
+      # includes all public instance methods on a controller, less
+      # any internal methods (see internal_methods), adding back in
+      # any methods that are internal, but still exist on the class
+      # itself.
+      #
+      # ==== Returns
+      # * <tt>Set</tt> - A set of all methods that should be considered actions.
+      def action_methods
+        @action_methods ||= begin
+          # All public instance methods of this class, including ancestors
+          methods = (public_instance_methods(true) -
+            # Except for public instance methods of Base and its ancestors
+            internal_methods +
+            # Be sure to include shadowed public instance methods of this class
+            public_instance_methods(false))
+
+          methods.map!(&:to_s)
+
+          methods.to_set
+        end
+      end
+
+      # action_methods are cached and there is sometimes a need to refresh
+      # them. ::clear_action_methods! allows you to do that, so next time
+      # you run action_methods, they will be recalculated.
+      def clear_action_methods!
+        @action_methods = nil
+      end
+
+      # Returns the full controller name, underscored, without the ending Controller.
+      #
+      #   class MyApp::MyPostsController < AbstractController::Base
+      #
+      #   end
+      #
+      #   MyApp::MyPostsController.controller_path # => "my_app/my_posts"
+      #
+      # ==== Returns
+      # * <tt>String</tt>
+      def controller_path
+        @controller_path ||= name.sub(/Controller$/, "").underscore unless anonymous?
+      end
+
+      # Refresh the cached action_methods when a new action_method is added.
+      def method_added(name)
+        super
+        clear_action_methods!
+      end
+    end
+
+    abstract!
+
+    # Calls the action going through the entire action dispatch stack.
+    #
+    # The actual method that is called is determined by calling
+    # #method_for_action. If no method can handle the action, then an
+    # AbstractController::ActionNotFound error is raised.
+    #
+    # ==== Returns
+    # * <tt>self</tt>
+    def process(action, *args)
+      @_action_name = action.to_s
+
+      unless action_name = _find_action_name(@_action_name)
+        raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
+      end
+
+      @_response_body = nil
+
+      process_action(action_name, *args)
+    end
+
+    # Delegates to the class' ::controller_path
+    def controller_path
+      self.class.controller_path
+    end
+
+    # Delegates to the class' ::action_methods
+    def action_methods
+      self.class.action_methods
+    end
+
+    # Returns true if a method for the action is available and
+    # can be dispatched, false otherwise.
+    #
+    # Notice that <tt>action_methods.include?("foo")</tt> may return
+    # false and <tt>available_action?("foo")</tt> returns true because
+    # this method considers actions that are also available
+    # through other means, for example, implicit render ones.
+    #
+    # ==== Parameters
+    # * <tt>action_name</tt> - The name of an action to be tested
+    def available_action?(action_name)
+      _find_action_name(action_name)
+    end
+
+    # Tests if a response body is set. Used to determine if the
+    # +process_action+ callback needs to be terminated in
+    # +AbstractController::Callbacks+.
+    def performed?
+      response_body
+    end
+
+    # Returns true if the given controller is capable of rendering
+    # a path. A subclass of +AbstractController::Base+
+    # may return false. An Email controller for example does not
+    # support paths, only full URLs.
+    def self.supports_path?
+      true
+    end
+
+    private
+
+      # Returns true if the name can be considered an action because
+      # it has a method defined in the controller.
+      #
+      # ==== Parameters
+      # * <tt>name</tt> - The name of an action to be tested
+      def action_method?(name)
+        self.class.action_methods.include?(name)
+      end
+
+      # Call the action. Override this in a subclass to modify the
+      # behavior around processing an action. This, and not #process,
+      # is the intended way to override action dispatching.
+      #
+      # Notice that the first argument is the method to be dispatched
+      # which is *not* necessarily the same as the action name.
+      def process_action(method_name, *args)
+        send_action(method_name, *args)
+      end
+
+      # Actually call the method associated with the action. Override
+      # this method if you wish to change how action methods are called,
+      # not to add additional behavior around it. For example, you would
+      # override #send_action if you want to inject arguments into the
+      # method.
+      alias send_action send
+
+      # If the action name was not found, but a method called "action_missing"
+      # was found, #method_for_action will return "_handle_action_missing".
+      # This method calls #action_missing with the current action name.
+      def _handle_action_missing(*args)
+        action_missing(@_action_name, *args)
+      end
+
+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found.
+      # Raise +AbstractController::ActionNotFound+.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
+      # Takes an action name and returns the name of the method that will
+      # handle the action. In normal cases, this method returns the same
+      # name as it receives. By default, if #method_for_action receives
+      # a name that is not an action, it will look for an #action_missing
+      # method and return "_handle_action_missing" if one is found.
+      #
+      # Subclasses may override this method to add additional conditions
+      # that should be considered an action. For instance, an HTTP controller
+      # with a template matching the action name is considered to exist.
+      #
+      # If you override this method to handle additional cases, you may
+      # also provide a method (like +_handle_method_missing+) to handle
+      # the case.
+      #
+      # If none of these conditions are true, and +method_for_action+
+      # returns +nil+, an +AbstractController::ActionNotFound+ exception will be raised.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * <tt>nil</tt>    - No method name could be found.
+      def method_for_action(action_name)
+        if action_method?(action_name)
+          action_name
+        elsif respond_to?(:action_missing, true)
+          "_handle_action_missing"
+        end
+      end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        !action_name.to_s.include? File::SEPARATOR
+      end
+  end
+end