actionpack 6.1.5 → 7.0.0.alpha1

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2022 David Heinemeier Hansson
+Copyright (c) 2004-2021 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
@@ -18,3 +18,4 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.rdoc

@@ -2,9 +2,8 @@
 
 Action Pack is a framework for handling and responding to web requests. It
 provides mechanisms for *routing* (mapping request URLs to actions), defining
-*controllers* that implement actions, and generating responses by rendering
-*views*, which are templates of various formats. In short, Action Pack
-provides the view and controller layers in the MVC paradigm.
+*controllers* that implement actions, and generating responses. In short, Action Pack
+provides the controller layer in the MVC paradigm.
 
 It consists of several modules:
 

data/lib/abstract_controller/asset_paths.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module AbstractController
-  module AssetPaths #:nodoc:
+  module AssetPaths # :nodoc:
     extend ActiveSupport::Concern
 
     included do

data/lib/abstract_controller/base.rb

@@ -9,35 +9,21 @@ require "active_support/core_ext/module/attr_internal"
 module AbstractController
   # Raised when a non-existing controller action is triggered.
   class ActionNotFound < StandardError
-    attr_reader :controller, :action
-    def initialize(message = nil, controller = nil, action = nil)
+    attr_reader :controller, :action # :nodoc:
+
+    def initialize(message = nil, controller = nil, action = nil) # :nodoc:
       @controller = controller
       @action = action
       super(message)
     end
 
-    class Correction
-      def initialize(error)
-        @error = error
-      end
-
-      def corrections
-        if @error.action
-          maybe_these = @error.controller.class.action_methods
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable # :nodoc:
 
-          maybe_these.sort_by { |n|
-            DidYouMean::Jaro.distance(@error.action.to_s, n)
-          }.reverse.first(4)
-        else
-          []
-        end
+      def corrections # :nodoc:
+        @corrections ||= DidYouMean::SpellChecker.new(dictionary: controller.class.action_methods).correct(action)
       end
     end
-
-    # We may not have DYM, and DYM might not let us register error handlers
-    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
-      DidYouMean.correct_error(self, Correction)
-    end
   end
 
   # AbstractController::Base is a low-level API. Nobody should be

data/lib/abstract_controller/caching/fragments.rb

@@ -142,8 +142,8 @@ module AbstractController
         end
       end
 
-      def instrument_fragment_cache(name, key) # :nodoc:
-        ActiveSupport::Notifications.instrument("#{name}.#{instrument_name}", instrument_payload(key)) { yield }
+      def instrument_fragment_cache(name, key, &block) # :nodoc:
+        ActiveSupport::Notifications.instrument("#{name}.#{instrument_name}", instrument_payload(key), &block)
       end
     end
   end

data/lib/abstract_controller/caching.rb

@@ -50,7 +50,7 @@ module AbstractController
     end
 
     def view_cache_dependencies
-      self.class._view_cache_dependencies.map { |dep| instance_exec(&dep) }.compact
+      self.class._view_cache_dependencies.filter_map { |dep| instance_exec(&dep) }
     end
 
     private

data/lib/abstract_controller/callbacks.rb

@@ -35,14 +35,6 @@ module AbstractController
                        skip_after_callbacks_if_terminated: true
     end
 
-    # Override <tt>AbstractController::Base#process_action</tt> to run the
-    # <tt>process_action</tt> callbacks around the normal behavior.
-    def process_action(*)
-      run_callbacks(:process_action) do
-        super
-      end
-    end
-
     module ClassMethods
       # If +:only+ or +:except+ are used, convert the options into the
       # +:if+ and +:unless+ options of ActiveSupport::Callbacks.
@@ -220,5 +212,14 @@ module AbstractController
         alias_method :"append_#{callback}_action", :"#{callback}_action"
       end
     end
+
+    private
+      # Override <tt>AbstractController::Base#process_action</tt> to run the
+      # <tt>process_action</tt> callbacks around the normal behavior.
+      def process_action(*)
+        run_callbacks(:process_action) do
+          super
+        end
+      end
   end
 end

data/lib/abstract_controller/collector.rb

@@ -10,7 +10,7 @@ module AbstractController
         def #{sym}(*args, &block)
           custom(Mime[:#{sym}], *args, &block)
         end
-        ruby2_keywords(:#{sym}) if respond_to?(:ruby2_keywords, true)
+        ruby2_keywords(:#{sym})
       RUBY
     end
 
@@ -39,6 +39,6 @@ module AbstractController
         super
       end
     end
-    ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:method_missing)
   end
 end

data/lib/abstract_controller/error.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module AbstractController
-  class Error < StandardError #:nodoc:
+  class Error < StandardError # :nodoc:
   end
 end

data/lib/abstract_controller/helpers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/dependencies"
+require "active_support/core_ext/name_error"
 
 module AbstractController
   module Helpers
@@ -83,11 +84,11 @@ module AbstractController
         file, line = location.path, location.lineno
 
         methods.each do |method|
-          _helpers_for_modification.class_eval <<-ruby_eval, file, line
+          _helpers_for_modification.class_eval <<~ruby_eval, file, line
             def #{method}(*args, &block)                    # def current_user(*args, &block)
               controller.send(:'#{method}', *args, &block)  #   controller.send(:'current_user', *args, &block)
             end                                             # end
-            ruby2_keywords(:'#{method}') if respond_to?(:ruby2_keywords, true)
+            ruby2_keywords(:'#{method}')
           ruby_eval
         end
       end

data/lib/abstract_controller/logger.rb

@@ -3,7 +3,7 @@
 require "active_support/benchmarkable"
 
 module AbstractController
-  module Logger #:nodoc:
+  module Logger # :nodoc:
     extend ActiveSupport::Concern
 
     included do

data/lib/abstract_controller/railties/routes_helpers.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/module/introspection"
+
 module AbstractController
   module Railties
     module RoutesHelpers

data/lib/abstract_controller/translation.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/symbol/starts_ends_with"
-
 module AbstractController
   module Translation
     mattr_accessor :raise_on_missing_translations, default: false

data/lib/abstract_controller/url_for.rb

@@ -22,12 +22,10 @@ module AbstractController
       end
 
       def action_methods
-        @action_methods ||= begin
-          if _routes
-            super - _routes.named_routes.helper_names
-          else
-            super
-          end
+        @action_methods ||= if _routes
+          super - _routes.named_routes.helper_names
+        else
+          super
         end
       end
     end

data/lib/action_controller/api.rb

@@ -37,7 +37,7 @@ module ActionController
   # == Renders
   #
   # The default API Controller stack includes all renderers, which means you
-  # can use <tt>render :json</tt> and brothers freely in your controllers. Keep
+  # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
   # in mind that templates are not going to be rendered, so you need to ensure
   # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
   # all actions, otherwise it will return 204 No Content.

data/lib/action_controller/log_subscriber.rb

@@ -56,7 +56,9 @@ module ActionController
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}", RED)
+        display_unpermitted_keys = unpermitted_keys.map { |e| ":#{e}" }.join(", ")
+        context = event.payload[:context].map { |k, v| "#{k}: #{v}" }.join(", ")
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{display_unpermitted_keys}. Context: { #{context} }", RED)
       end
     end
 

data/lib/action_controller/metal/conditional_get.rb

@@ -57,6 +57,8 @@ module ActionController
     #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cacheable by other devices (proxy caches).
+    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
+    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -98,12 +100,22 @@ module ActionController
     #     fresh_when(@article, public: true)
     #   end
     #
+    # When overwriting Cache-Control header:
+    #
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     fresh_when(@article, public: true, cache_control: { no_cache: true })
+    #   end
+    #
+    # This will set in the response Cache-Control = public, no-cache.
+    #
     # When rendering a different template than the default controller/action
     # style, you can indicate which digest to include in the ETag:
     #
     #   before_action { fresh_when @article, template: 'widgets/show' }
     #
-    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, template: nil)
+    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, cache_control: {}, template: nil)
+      response.cache_control.delete(:no_store)
       weak_etag ||= etag || object unless strong_etag
       last_modified ||= object.try(:updated_at) || object.try(:maximum, :updated_at)
 
@@ -117,6 +129,7 @@ module ActionController
 
       response.last_modified = last_modified if last_modified
       response.cache_control[:public] = true if public
+      response.cache_control.merge!(cache_control)
 
       head :not_modified if request.fresh?(response)
     end
@@ -147,6 +160,8 @@ module ActionController
     #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cacheable by other devices (proxy caches).
+    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
+    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -209,6 +224,21 @@ module ActionController
     #     end
     #   end
     #
+    # When overwriting Cache-Control header:
+    #
+    #   def show
+    #     @article = Article.find(params[:id])
+    #
+    #     if stale?(@article, public: true, cache_control: { no_cache: true })
+    #       @statistics = @articles.really_expensive_call
+    #       respond_to do |format|
+    #         # all the supported formats
+    #       end
+    #     end
+    #   end
+    #
+    # This will set in the response Cache-Control = public, no-cache.
+    #
     # When rendering a different template than the default controller/action
     # style, you can indicate which digest to include in the ETag:
     #
@@ -244,6 +274,7 @@ module ActionController
     #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
+      response.cache_control.delete(:no_store)
       response.cache_control.merge!(
         max_age: seconds,
         public: options.delete(:public),
@@ -280,6 +311,12 @@ module ActionController
                       public: public)
     end
 
+    # Sets an HTTP 1.1 Cache-Control header of <tt>no-store</tt>. This means the
+    # resource may not be stored in any cache.
+    def no_store
+      response.cache_control.replace(no_store: true)
+    end
+
     private
       def combine_etags(validator, options)
         [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact

data/lib/action_controller/metal/content_security_policy.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module ContentSecurityPolicy
     # TODO: Documentation
     extend ActiveSupport::Concern

data/lib/action_controller/metal/cookies.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Cookies
     extend ActiveSupport::Concern
 

data/lib/action_controller/metal/data_streaming.rb

@@ -3,7 +3,7 @@
 require "action_controller/metal/exceptions"
 require "action_dispatch/http/content_disposition"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # Methods for sending arbitrary data and for streaming files to the browser,
   # instead of rendering.
   module DataStreaming
@@ -11,8 +11,8 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" #:nodoc:
-    DEFAULT_SEND_FILE_DISPOSITION = "attachment" #:nodoc:
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" # :nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment" # :nodoc:
 
     private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
@@ -66,7 +66,7 @@ module ActionController #:nodoc:
       # https://www.mnot.net/cache_docs/ for an overview of web caching and
       # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
       # for the Cache-Control header spec.
-      def send_file(path, options = {}) #:doc:
+      def send_file(path, options = {}) # :doc:
         raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
 
         options[:filename] ||= File.basename(path) unless options[:url_based_filename]
@@ -106,7 +106,7 @@ module ActionController #:nodoc:
       #   send_data image.data, type: image.content_type, disposition: 'inline'
       #
       # See +send_file+ for more information on HTTP Content-* headers and caching.
-      def send_data(data, options = {}) #:doc:
+      def send_data(data, options = {}) # :doc:
         send_file_headers! options
         render options.slice(:status, :content_type).merge(body: data)
       end
@@ -138,14 +138,6 @@ module ActionController #:nodoc:
         end
 
         headers["Content-Transfer-Encoding"] = "binary"
-
-        # Fix a problem with IE 6.0 on opening downloaded files:
-        # If Cache-Control: no-cache is set (which Rails does by default),
-        # IE removes the file it just downloaded from its cache immediately
-        # after it displays the "open/save" dialog, which means that if you
-        # hit "open" the file isn't there anymore when the application that
-        # is called for handling the download is run, so let's workaround that
-        response.cache_control[:public] ||= false
       end
   end
 end

data/lib/action_controller/metal/exceptions.rb

@@ -1,20 +1,20 @@
 # frozen_string_literal: true
 
 module ActionController
-  class ActionControllerError < StandardError #:nodoc:
+  class ActionControllerError < StandardError # :nodoc:
   end
 
-  class BadRequest < ActionControllerError #:nodoc:
+  class BadRequest < ActionControllerError # :nodoc:
     def initialize(msg = nil)
       super(msg)
       set_backtrace $!.backtrace if $!
     end
   end
 
-  class RenderError < ActionControllerError #:nodoc:
+  class RenderError < ActionControllerError # :nodoc:
   end
 
-  class RoutingError < ActionControllerError #:nodoc:
+  class RoutingError < ActionControllerError # :nodoc:
     attr_reader :failures
     def initialize(message, failures = [])
       super(message)
@@ -22,7 +22,7 @@ module ActionController
     end
   end
 
-  class UrlGenerationError < ActionControllerError #:nodoc:
+  class UrlGenerationError < ActionControllerError # :nodoc:
     attr_reader :routes, :route_name, :method_name
 
     def initialize(message, routes = nil, route_name = nil, method_name = nil)
@@ -33,44 +33,33 @@ module ActionController
       super(message)
     end
 
-    class Correction
-      def initialize(error)
-        @error = error
-      end
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable
 
       def corrections
-        if @error.method_name
-          maybe_these = @error.routes.named_routes.helper_names.grep(/#{@error.route_name}/)
-          maybe_these -= [@error.method_name.to_s] # remove exact match
-
-          maybe_these.sort_by { |n|
-            DidYouMean::Jaro.distance(@error.route_name, n)
-          }.reverse.first(4)
-        else
-          []
+        @corrections ||= begin
+          maybe_these = routes&.named_routes&.helper_names&.grep(/#{route_name}/) || []
+          maybe_these -= [method_name.to_s] # remove exact match
+
+          DidYouMean::SpellChecker.new(dictionary: maybe_these).correct(route_name)
         end
       end
     end
-
-    # We may not have DYM, and DYM might not let us register error handlers
-    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
-      DidYouMean.correct_error(self, Correction)
-    end
   end
 
-  class MethodNotAllowed < ActionControllerError #:nodoc:
+  class MethodNotAllowed < ActionControllerError # :nodoc:
     def initialize(*allowed_methods)
       super("Only #{allowed_methods.to_sentence} requests are allowed.")
     end
   end
 
-  class NotImplemented < MethodNotAllowed #:nodoc:
+  class NotImplemented < MethodNotAllowed # :nodoc:
   end
 
-  class MissingFile < ActionControllerError #:nodoc:
+  class MissingFile < ActionControllerError # :nodoc:
   end
 
-  class SessionOverflowError < ActionControllerError #:nodoc:
+  class SessionOverflowError < ActionControllerError # :nodoc:
     DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
 
     def initialize(message = nil)
@@ -78,10 +67,10 @@ module ActionController
     end
   end
 
-  class UnknownHttpMethod < ActionControllerError #:nodoc:
+  class UnknownHttpMethod < ActionControllerError # :nodoc:
   end
 
-  class UnknownFormat < ActionControllerError #:nodoc:
+  class UnknownFormat < ActionControllerError # :nodoc:
   end
 
   # Raised when a nested respond_to is triggered and the content types of each
@@ -102,6 +91,6 @@ module ActionController
     end
   end
 
-  class MissingExactTemplate < UnknownFormat #:nodoc:
+  class MissingExactTemplate < UnknownFormat # :nodoc:
   end
 end

data/lib/action_controller/metal/flash.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Flash
     extend ActiveSupport::Concern
 
@@ -41,10 +41,14 @@ module ActionController #:nodoc:
           self._flash_types += [type]
         end
       end
+
+      def action_methods # :nodoc:
+        @action_methods ||= super - _flash_types.map(&:to_s).to_set
+      end
     end
 
     private
-      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) # :doc:
         self.class._flash_types.each do |flash_type|
           if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type

data/lib/action_controller/metal/http_authentication.rb

@@ -2,12 +2,11 @@
 
 require "base64"
 require "active_support/security_utils"
-require "active_support/core_ext/array/access"
 
 module ActionController
-  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic authentication.
+    # HTTP \Basic authentication.
     #
     # === Simple \Basic example
     #
@@ -25,8 +24,8 @@ module ActionController
     #
     # === Advanced \Basic example
     #
-    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API are protected by HTTP authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -135,15 +134,15 @@ module ActionController
       end
     end
 
-    # Makes it dead easy to do HTTP \Digest authentication.
+    # HTTP \Digest authentication.
     #
     # === Simple \Digest example
     #
-    #   require "digest/md5"
+    #   require "openssl"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #              "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
     #
     #     before_action :authenticate, except: [:index]
     #
@@ -231,12 +230,12 @@ module ActionController
       # of a plain-text password.
       def expected_response(http_method, uri, credentials, password, password_is_ha1 = true)
         ha1 = password_is_ha1 ? password : ha1(credentials, password)
-        ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
-        ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
+        ha2 = OpenSSL::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
       end
 
       def ha1(credentials, password)
-        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
       end
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
@@ -310,7 +309,7 @@ module ActionController
       def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
-        digest = ::Digest::MD5.hexdigest(hashed.join(":"))
+        digest = OpenSSL::Digest::MD5.hexdigest(hashed.join(":"))
         ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
@@ -327,11 +326,11 @@ module ActionController
 
       # Opaque based on digest of secret key
       def opaque(secret_key)
-        ::Digest::MD5.hexdigest(secret_key)
+        OpenSSL::Digest::MD5.hexdigest(secret_key)
       end
     end
 
-    # Makes it dead easy to do HTTP Token authentication.
+    # HTTP Token authentication.
     #
     # Simple Token example:
     #
@@ -359,8 +358,8 @@ module ActionController
     #   end
     #
     #
-    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced Token example where only Atom feeds and the XML API are protected by HTTP token authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate