actionpack 6.0.3.3 → 6.1.1

data/lib/action_controller/api.rb

@@ -93,7 +93,7 @@ module ActionController
     # the ones passed as arguments:
     #
     #   class MyAPIBaseController < ActionController::Metal
-    #     ActionController::API.without_modules(:ForceSSL, :UrlFor).each do |left|
+    #     ActionController::API.without_modules(:UrlFor).each do |left|
     #       include left
     #     end
     #   end
@@ -120,9 +120,9 @@ module ActionController
       BasicImplicitRender,
       StrongParameters,
 
-      ForceSSL,
       DataStreaming,
       DefaultHeaders,
+      Logging,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.

data/lib/action_controller/base.rb

@@ -226,13 +226,14 @@ module ActionController
       FormBuilder,
       RequestForgeryProtection,
       ContentSecurityPolicy,
-      ForceSSL,
+      PermissionsPolicy,
       Streaming,
       DataStreaming,
       HttpAuthentication::Basic::ControllerMethods,
       HttpAuthentication::Digest::ControllerMethods,
       HttpAuthentication::Token::ControllerMethods,
       DefaultHeaders,
+      Logging,
 
       # Before callbacks should also be executed as early as possible, so
       # also include them at the bottom.
@@ -261,9 +262,10 @@ module ActionController
       @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
     )
 
-    def _protected_ivars # :nodoc:
+    def _protected_ivars
       PROTECTED_IVARS
     end
+    private :_protected_ivars
 
     ActiveSupport.run_load_hooks(:action_controller_base, self)
     ActiveSupport.run_load_hooks(:action_controller, self)

data/lib/action_controller/caching.rb

@@ -22,7 +22,6 @@ module ActionController
   #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
   #   config.action_controller.cache_store = MyOwnStore.new('parameter')
   module Caching
-    extend ActiveSupport::Autoload
     extend ActiveSupport::Concern
 
     included do

data/lib/action_controller/log_subscriber.rb

@@ -11,6 +11,7 @@ module ActionController
       params  = payload[:params].except(*INTERNAL_PARAMS)
       format  = payload[:format]
       format  = format.to_s.upcase if format.is_a?(Symbol)
+      format  = "*/*" if format.nil?
 
       info "Processing by #{payload[:controller]}##{payload[:action]} as #{format}"
       info "  Parameters: #{params.inspect}" unless params.empty?
@@ -22,15 +23,14 @@ module ActionController
         additions = ActionController::Base.log_process_action(payload)
         status = payload[:status]
 
-        if status.nil? && payload[:exception].present?
-          exception_class_name = payload[:exception].first
+        if status.nil? && (exception_class_name = payload[:exception].first)
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
 
         additions << "Allocations: #{event.allocations}"
 
         message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
-        message << " (#{additions.join(" | ")})" unless additions.empty?
+        message << " (#{additions.join(" | ")})"
         message << "\n\n" if defined?(Rails.env) && Rails.env.development?
 
         message

data/lib/action_controller/metal.rb

@@ -126,7 +126,7 @@ module ActionController
     # ==== Returns
     # * <tt>string</tt>
     def self.controller_name
-      @controller_name ||= name.demodulize.sub(/Controller$/, "").underscore
+      @controller_name ||= (name.demodulize.delete_suffix("Controller").underscore unless anonymous?)
     end
 
     def self.make_response!(request)
@@ -135,7 +135,7 @@ module ActionController
       end
     end
 
-    def self.binary_params_for?(action) # :nodoc:
+    def self.action_encoding_template(action) # :nodoc:
       false
     end
 

data/lib/action_controller/metal/conditional_get.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/object/try"
+require "active_support/core_ext/integer/time"
+
 module ActionController
   module ConditionalGet
     extend ActiveSupport::Concern
@@ -17,12 +20,12 @@ module ActionController
       # of cached pages.
       #
       #   class InvoicesController < ApplicationController
-      #     etag { current_user.try :id }
+      #     etag { current_user&.id }
       #
       #     def show
       #       # Etag will differ even for the same invoice when it's viewed by a different current_user
       #       @invoice = Invoice.find(params[:id])
-      #       fresh_when(@invoice)
+      #       fresh_when etag: @invoice
       #     end
       #   end
       def etag(&etagger)
@@ -179,7 +182,7 @@ module ActionController
     #
     # You can also pass an object that responds to +maximum+, such as a
     # collection of active records. In this case +last_modified+ will be set by
-    # calling +maximum(:updated_at)+ on the collection (the timestamp of the
+    # calling <tt>maximum(:updated_at)</tt> on the collection (the timestamp of the
     # most recently updated record) and the +etag+ by passing the object itself.
     #
     #   def index
@@ -234,6 +237,11 @@ module ActionController
     #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds
     #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
     #
+    # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+    # Any additional key-value pairs are concatenated onto the `Cache-Control` header in the response:
+    #
+    #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
+    #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(

data/lib/action_controller/metal/content_security_policy.rb

@@ -45,7 +45,7 @@ module ActionController #:nodoc:
       end
 
       def current_content_security_policy
-        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+        request.content_security_policy&.clone || ActionDispatch::ContentSecurityPolicy.new
       end
   end
 end

data/lib/action_controller/metal/cookies.rb

@@ -9,7 +9,9 @@ module ActionController #:nodoc:
     end
 
     private
-      def cookies
+      # The cookies for the current request. See ActionDispatch::Cookies for
+      # more information.
+      def cookies # :doc:
         request.cookie_jar
       end
   end

data/lib/action_controller/metal/data_streaming.rb

@@ -53,7 +53,7 @@ module ActionController #:nodoc:
       #
       # Show a 404 page in the browser:
       #
-      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', status: 404
+      #   send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description) in

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -26,10 +26,8 @@ module ActionController
     included do
       class_attribute :etag_with_template_digest, default: true
 
-      ActiveSupport.on_load :action_view, yield: true do
-        etag do |options|
-          determine_template_etag(options) if etag_with_template_digest
-        end
+      etag do |options|
+        determine_template_etag(options) if etag_with_template_digest
       end
     end
 

data/lib/action_controller/metal/exceptions.rb

@@ -23,6 +23,39 @@ module ActionController
   end
 
   class UrlGenerationError < ActionControllerError #:nodoc:
+    attr_reader :routes, :route_name, :method_name
+
+    def initialize(message, routes = nil, route_name = nil, method_name = nil)
+      @routes      = routes
+      @route_name  = route_name
+      @method_name = method_name
+
+      super(message)
+    end
+
+    class Correction
+      def initialize(error)
+        @error = error
+      end
+
+      def corrections
+        if @error.method_name
+          maybe_these = @error.routes.named_routes.helper_names.grep(/#{@error.route_name}/)
+          maybe_these -= [@error.method_name.to_s] # remove exact match
+
+          maybe_these.sort_by { |n|
+            DidYouMean::Jaro.distance(@error.route_name, n)
+          }.reverse.first(4)
+        else
+          []
+        end
+      end
+    end
+
+    # We may not have DYM, and DYM might not let us register error handlers
+    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
+      DidYouMean.correct_error(self, Correction)
+    end
   end
 
   class MethodNotAllowed < ActionControllerError #:nodoc:

data/lib/action_controller/metal/head.rb

@@ -29,19 +29,22 @@ module ActionController
       content_type = options.delete(:content_type)
 
       options.each do |key, value|
-        headers[key.to_s.dasherize.split("-").each { |v| v[0] = v[0].chr.upcase }.join("-")] = value.to_s
+        headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
       end
 
       self.status = status
       self.location = url_for(location) if location
 
-      self.response_body = ""
-
       if include_content?(response_code)
-        self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+        unless self.media_type
+          self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+        end
+
         response.charset = false
       end
 
+      self.response_body = ""
+
       true
     end
 

data/lib/action_controller/metal/helpers.rb

@@ -11,7 +11,12 @@ module ActionController
   #
   # In previous versions of \Rails the controller will include a helper which
   # matches the name of the controller, e.g., <tt>MyController</tt> will automatically
-  # include <tt>MyHelper</tt>. To return old behavior set +config.action_controller.include_all_helpers+ to +false+.
+  # include <tt>MyHelper</tt>. You can revert to the old behavior with the following:
+  #
+  #    # config/application.rb
+  #    class Application < Rails::Application
+  #      config.action_controller.include_all_helpers = false
+  #    end
   #
   # Additional helpers can be specified using the +helper+ class method in ActionController::Base or any
   # controller which inherits from it.
@@ -73,6 +78,11 @@ module ActionController
       end
 
       # Provides a proxy to access helper methods from outside the view.
+      #
+      # Note that the proxy is rendered under a different view context.
+      # This may cause incorrect behaviour with capture methods. Consider
+      # using {helper}[rdoc-ref:AbstractController::Helpers::ClassMethods#helper]
+      # instead when using +capture+.
       def helpers
         @helper_proxy ||= begin
           proxy = ActionView::Base.empty

data/lib/action_controller/metal/http_authentication.rb

@@ -76,6 +76,8 @@ module ActionController
 
         def http_basic_authenticate_or_request_with(name:, password:, realm: nil, message: nil)
           authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
+            # This comparison uses & so that it doesn't short circuit and
+            # uses `secure_compare` so that length information isn't leaked.
             ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
               ActiveSupport::SecurityUtils.secure_compare(given_password, password)
           end
@@ -136,7 +138,7 @@ module ActionController
     #
     # === Simple \Digest example
     #
-    #   require 'digest/md5'
+    #   require "digest/md5"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
@@ -482,7 +484,7 @@ module ActionController
       def raw_params(auth)
         _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
 
-        if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+        if !_raw_params.first.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
         end
 

data/lib/action_controller/metal/implicit_render.rb

@@ -22,7 +22,7 @@ module ActionController
   # Third, if we DON'T find a template AND the request is a page load in a web
   # browser (technically, a non-XHR GET request for an HTML response) where
   # you reasonably expect to have rendered a template, then we raise
-  # <tt>ActionView::UnknownFormat</tt> with an explanation.
+  # <tt>ActionController::MissingExactTemplate</tt> with an explanation.
   #
   # Finally, if we DON'T find a template AND the request isn't a browser page
   # load, then we implicitly respond with <tt>204 No Content</tt>.

data/lib/action_controller/metal/instrumentation.rb

@@ -16,10 +16,11 @@ module ActionController
 
     attr_internal :view_runtime
 
-    def process_action(*args)
+    def process_action(*)
       raw_payload = {
         controller: self.class.name,
         action: action_name,
+        request: request,
         params: request.filtered_parameters,
         headers: request.headers,
         format: request.format.ref,
@@ -27,18 +28,19 @@ module ActionController
         path: request.fullpath
       }
 
-      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
+      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
 
       ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        super.tap do
-          payload[:status] = response.status
-        end
+        result = super
+        payload[:response] = response
+        payload[:status]   = response.status
+        result
       ensure
         append_info_to_payload(payload)
       end
     end
 
-    def render(*args)
+    def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
         Benchmark.ms { render_output = super }
@@ -59,8 +61,8 @@ module ActionController
       end
     end
 
-    def redirect_to(*args)
-      ActiveSupport::Notifications.instrument("redirect_to.action_controller") do |payload|
+    def redirect_to(*)
+      ActiveSupport::Notifications.instrument("redirect_to.action_controller", request: request) do |payload|
         result = super
         payload[:status]   = response.status
         payload[:location] = response.filtered_location
@@ -70,7 +72,7 @@ module ActionController
 
   private
     # A hook invoked every time a before callback is halted.
-    def halted_callback_hook(filter)
+    def halted_callback_hook(filter, _)
       ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
     end
 

data/lib/action_controller/metal/live.rb

@@ -136,11 +136,11 @@ module ActionController
       attr_accessor :ignore_disconnect
 
       def initialize(response)
+        super(response, SizedQueue.new(10))
         @error_callback = lambda { true }
         @cv = new_cond
         @aborted = false
         @ignore_disconnect = false
-        super(response, SizedQueue.new(10))
       end
 
       def write(string)

data/lib/action_controller/metal/logging.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ActionController
+  module Logging
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Set a different log level per request.
+      #
+      #   # Use the debug log level if a particular cookie is set.
+      #   class ApplicationController < ActionController::Base
+      #     log_at :debug, if: -> { cookies[:debug] }
+      #   end
+      #
+      def log_at(level, **options)
+        around_action ->(_, action) { logger.log_at(level, &action) }, **options
+      end
+    end
+  end
+end

data/lib/action_controller/metal/mime_responds.rb

@@ -142,7 +142,7 @@ module ActionController #:nodoc:
     #
     # You can set the variant in a +before_action+:
     #
-    #   request.variant = :tablet if request.user_agent =~ /iPad/
+    #   request.variant = :tablet if /iPad/.match?(request.user_agent)
     #
     # Respond to variants in the action just like you respond to formats:
     #
@@ -209,7 +209,7 @@ module ActionController #:nodoc:
           raise ActionController::RespondToMismatchError
         end
         _process_format(format)
-        _set_rendered_content_type format
+        _set_rendered_content_type(format) unless collector.any_response?
         response = collector.response
         response.call if response
       else
@@ -268,6 +268,10 @@ module ActionController #:nodoc:
         end
       end
 
+      def any_response?
+        !@responses.fetch(format, false) && @responses[Mime::ALL]
+      end
+
       def response
         response = @responses.fetch(format, @responses[Mime::ALL])
         if response.is_a?(VariantCollector) # `format.html.phone` - variant inline syntax

data/lib/action_controller/metal/parameter_encoding.rb

@@ -12,11 +12,13 @@ module ActionController
       end
 
       def setup_param_encode # :nodoc:
-        @_parameter_encodings = {}
+        @_parameter_encodings = Hash.new { |h, k| h[k] = {} }
       end
 
-      def binary_params_for?(action) # :nodoc:
-        @_parameter_encodings[action.to_s]
+      def action_encoding_template(action) # :nodoc:
+        if @_parameter_encodings.has_key?(action.to_s)
+          @_parameter_encodings[action.to_s]
+        end
       end
 
       # Specify that a given action's parameters should all be encoded as
@@ -44,7 +46,36 @@ module ActionController
       # encoded as ASCII-8BIT. This is useful in the case where an application
       # must handle data but encoding of the data is unknown, like file system data.
       def skip_parameter_encoding(action)
-        @_parameter_encodings[action.to_s] = true
+        @_parameter_encodings[action.to_s] = Hash.new { Encoding::ASCII_8BIT }
+      end
+
+      # Specify the encoding for a parameter on an action.
+      # If not specified the default is UTF-8.
+      #
+      # You can specify a binary (ASCII_8BIT) parameter with:
+      #
+      #   class RepositoryController < ActionController::Base
+      #     # This specifies that file_path is not UTF-8 and is instead ASCII_8BIT
+      #     param_encoding :show, :file_path, Encoding::ASCII_8BIT
+      #
+      #     def show
+      #       @repo = Repository.find_by_filesystem_path params[:file_path]
+      #
+      #       # params[:repo_name] remains UTF-8 encoded
+      #       @repo_name = params[:repo_name]
+      #     end
+      #
+      #     def index
+      #       @repositories = Repository.all
+      #     end
+      #   end
+      #
+      # The file_path parameter on the show action would be encoded as ASCII-8BIT,
+      # but all other arguments will remain UTF-8 encoded.
+      # This is useful in the case where an application must handle data
+      # but encoding of the data is unknown, like file system data.
+      def param_encoding(action, param, encoding)
+        @_parameter_encodings[action.to_s][param.to_s] = encoding
       end
     end
   end