actionpack 6.1.7.5 → 7.1.3.1

data/lib/action_controller/metal/exceptions.rb

@@ -1,20 +1,20 @@
 # frozen_string_literal: true
 
 module ActionController
-  class ActionControllerError < StandardError #:nodoc:
+  class ActionControllerError < StandardError # :nodoc:
   end
 
-  class BadRequest < ActionControllerError #:nodoc:
+  class BadRequest < ActionControllerError # :nodoc:
     def initialize(msg = nil)
       super(msg)
       set_backtrace $!.backtrace if $!
     end
   end
 
-  class RenderError < ActionControllerError #:nodoc:
+  class RenderError < ActionControllerError # :nodoc:
   end
 
-  class RoutingError < ActionControllerError #:nodoc:
+  class RoutingError < ActionControllerError # :nodoc:
     attr_reader :failures
     def initialize(message, failures = [])
       super(message)
@@ -22,7 +22,7 @@ module ActionController
     end
   end
 
-  class UrlGenerationError < ActionControllerError #:nodoc:
+  class UrlGenerationError < ActionControllerError # :nodoc:
     attr_reader :routes, :route_name, :method_name
 
     def initialize(message, routes = nil, route_name = nil, method_name = nil)
@@ -33,44 +33,33 @@ module ActionController
       super(message)
     end
 
-    class Correction
-      def initialize(error)
-        @error = error
-      end
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable
 
       def corrections
-        if @error.method_name
-          maybe_these = @error.routes.named_routes.helper_names.grep(/#{@error.route_name}/)
-          maybe_these -= [@error.method_name.to_s] # remove exact match
-
-          maybe_these.sort_by { |n|
-            DidYouMean::Jaro.distance(@error.route_name, n)
-          }.reverse.first(4)
-        else
-          []
+        @corrections ||= begin
+          maybe_these = routes&.named_routes&.helper_names&.grep(/#{route_name}/) || []
+          maybe_these -= [method_name.to_s] # remove exact match
+
+          DidYouMean::SpellChecker.new(dictionary: maybe_these).correct(route_name)
         end
       end
     end
-
-    # We may not have DYM, and DYM might not let us register error handlers
-    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
-      DidYouMean.correct_error(self, Correction)
-    end
   end
 
-  class MethodNotAllowed < ActionControllerError #:nodoc:
+  class MethodNotAllowed < ActionControllerError # :nodoc:
     def initialize(*allowed_methods)
       super("Only #{allowed_methods.to_sentence} requests are allowed.")
     end
   end
 
-  class NotImplemented < MethodNotAllowed #:nodoc:
+  class NotImplemented < MethodNotAllowed # :nodoc:
   end
 
-  class MissingFile < ActionControllerError #:nodoc:
+  class MissingFile < ActionControllerError # :nodoc:
   end
 
-  class SessionOverflowError < ActionControllerError #:nodoc:
+  class SessionOverflowError < ActionControllerError # :nodoc:
     DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
 
     def initialize(message = nil)
@@ -78,10 +67,10 @@ module ActionController
     end
   end
 
-  class UnknownHttpMethod < ActionControllerError #:nodoc:
+  class UnknownHttpMethod < ActionControllerError # :nodoc:
   end
 
-  class UnknownFormat < ActionControllerError #:nodoc:
+  class UnknownFormat < ActionControllerError # :nodoc:
   end
 
   # Raised when a nested respond_to is triggered and the content types of each
@@ -102,6 +91,14 @@ module ActionController
     end
   end
 
-  class MissingExactTemplate < UnknownFormat #:nodoc:
+  class MissingExactTemplate < UnknownFormat # :nodoc:
+    attr_reader :controller, :action_name
+
+    def initialize(message, controller, action_name)
+      @controller  = controller
+      @action_name = action_name
+
+      super(message)
+    end
   end
 end

data/lib/action_controller/metal/flash.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Flash
     extend ActiveSupport::Concern
 
@@ -41,10 +41,14 @@ module ActionController #:nodoc:
           self._flash_types += [type]
         end
       end
+
+      def action_methods # :nodoc:
+        @action_methods ||= super - _flash_types.map(&:to_s).to_set
+      end
     end
 
     private
-      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) # :doc:
         self.class._flash_types.each do |flash_type|
           if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type

data/lib/action_controller/metal/head.rb

@@ -17,19 +17,21 @@ module ActionController
     #   return head(:bad_request) unless valid_request?
     #   render
     #
-    # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
-    def head(status, options = {})
+    # See +Rack::Utils::SYMBOL_TO_STATUS_CODE+ for a full list of valid +status+ symbols.
+    def head(status, options = nil)
       if status.is_a?(Hash)
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."
       end
 
       status ||= :ok
 
-      location = options.delete(:location)
-      content_type = options.delete(:content_type)
+      if options
+        location = options.delete(:location)
+        content_type = options.delete(:content_type)
 
-      options.each do |key, value|
-        headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        options.each do |key, value|
+          headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        end
       end
 
       self.status = status
@@ -37,7 +39,7 @@ module ActionController
 
       if include_content?(response_code)
         unless self.media_type
-          self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+          self.content_type = content_type || ((f = formats) && Mime[f.first]) || Mime[:html]
         end
 
         response.charset = false

data/lib/action_controller/metal/helpers.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller \Helpers
+  #
   # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
   # numbers and model objects, to name a few. These helpers are available to all templates
   # by default.
@@ -26,7 +28,7 @@ module ActionController
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message=" ")
-  #       time.blank? ? blank_message : time.to_s(format)
+  #       time.blank? ? blank_message : time.to_fs(format)
   #     end
   #   end
   #
@@ -80,7 +82,7 @@ module ActionController
       # Provides a proxy to access helper methods from outside the view.
       #
       # Note that the proxy is rendered under a different view context.
-      # This may cause incorrect behaviour with capture methods. Consider
+      # This may cause incorrect behavior with capture methods. Consider
       # using {helper}[rdoc-ref:AbstractController::Helpers::ClassMethods#helper]
       # instead when using +capture+.
       def helpers
@@ -91,7 +93,7 @@ module ActionController
         end
       end
 
-      # Overwrite modules_for_helpers to accept :all as argument, which loads
+      # Override modules_for_helpers to accept +:all+ as argument, which loads
       # all helpers in helpers_path.
       #
       # ==== Parameters
@@ -104,19 +106,6 @@ module ActionController
         super(args)
       end
 
-      # Returns a list of helper names in a given path.
-      #
-      #   ActionController::Base.all_helpers_from_path 'app/helpers'
-      #   # => ["application", "chart", "rubygems"]
-      def all_helpers_from_path(path)
-        helpers = Array(path).flat_map do |_path|
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file[_path.to_s.size + 1..-"_helper.rb".size - 1] }
-          names.sort!
-        end
-        helpers.uniq!
-        helpers
-      end
-
       private
         # Extract helper names from files in <tt>app/helpers/**/*_helper.rb</tt>
         def all_application_helpers

data/lib/action_controller/metal/http_authentication.rb

@@ -5,9 +5,9 @@ require "active_support/security_utils"
 require "active_support/core_ext/array/access"
 
 module ActionController
-  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest, and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic authentication.
+    # = HTTP \Basic authentication
     #
     # === Simple \Basic example
     #
@@ -21,12 +21,12 @@ module ActionController
     #     def edit
     #       render plain: "I'm only accessible if you know the password"
     #     end
-    #  end
+    #   end
     #
     # === Advanced \Basic example
     #
-    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API are protected by HTTP authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -70,7 +70,12 @@ module ActionController
         extend ActiveSupport::Concern
 
         module ClassMethods
+          # Enables HTTP \Basic authentication.
+          #
+          # See ActionController::HttpAuthentication::Basic for example usage.
           def http_basic_authenticate_with(name:, password:, realm: nil, **options)
+            raise ArgumentError, "Expected name: to be a String, got #{name.class}" unless name.is_a?(String)
+            raise ArgumentError, "Expected password: to be a String, got #{password.class}" unless password.is_a?(String)
             before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
           end
         end
@@ -79,8 +84,8 @@ module ActionController
           authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
             # This comparison uses & so that it doesn't short circuit and
             # uses `secure_compare` so that length information isn't leaked.
-            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
-              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
+            ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) &
+              ActiveSupport::SecurityUtils.secure_compare(given_password.to_s, password)
           end
         end
 
@@ -135,15 +140,15 @@ module ActionController
       end
     end
 
-    # Makes it dead easy to do HTTP \Digest authentication.
+    # = HTTP \Digest authentication
     #
     # === Simple \Digest example
     #
-    #   require "digest/md5"
+    #   require "openssl"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #              "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
     #
     #     before_action :authenticate, except: [:index]
     #
@@ -181,22 +186,28 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP \Digest, or otherwise render an HTTP header
+        # requesting the client to send a \Digest.
+        #
+        # See ActionController::HttpAuthentication::Digest for example usage.
         def authenticate_or_request_with_http_digest(realm = "Application", message = nil, &password_procedure)
           authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm, message)
         end
 
-        # Authenticate with HTTP Digest, returns true or false
+        # Authenticate using an HTTP \Digest. Returns true if authentication is
+        # successful, false otherwise.
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
           HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
         end
 
-        # Render output including the HTTP Digest authentication header
+        # Render an HTTP header requesting the client to send a \Digest for
+        # authentication.
         def request_http_digest_authentication(realm = "Application", message = nil)
           HttpAuthentication::Digest.authentication_request(self, realm, message)
         end
       end
 
-      # Returns false on a valid response, true otherwise
+      # Returns false on a valid response, true otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -231,12 +242,12 @@ module ActionController
       # of a plain-text password.
       def expected_response(http_method, uri, credentials, password, password_is_ha1 = true)
         ha1 = password_is_ha1 ? password : ha1(credentials, password)
-        ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
-        ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
+        ha2 = OpenSSL::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
       end
 
       def ha1(credentials, password)
-        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
       end
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
@@ -301,16 +312,16 @@ module ActionController
       #
       # An implementation might choose not to accept a previously used nonce or a previously used digest, in order to
       # protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for
-      # POST, PUT, or PATCH requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
+      # POST, PUT, or PATCH requests, and a time-stamp for GET requests. For more details on the issues involved see Section 4
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
-      # key from the Rails session secret generated upon creation of project. Ensures
+      # key from the \Rails session secret generated upon creation of project. Ensures
       # the time cannot be modified by client.
       def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
-        digest = ::Digest::MD5.hexdigest(hashed.join(":"))
+        digest = OpenSSL::Digest::MD5.hexdigest(hashed.join(":"))
         ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
@@ -327,13 +338,13 @@ module ActionController
 
       # Opaque based on digest of secret key
       def opaque(secret_key)
-        ::Digest::MD5.hexdigest(secret_key)
+        OpenSSL::Digest::MD5.hexdigest(secret_key)
       end
     end
 
-    # Makes it dead easy to do HTTP Token authentication.
+    # = HTTP \Token authentication
     #
-    # Simple Token example:
+    # === Simple \Token example
     #
     #   class PostsController < ApplicationController
     #     TOKEN = "secret"
@@ -359,8 +370,8 @@ module ActionController
     #   end
     #
     #
-    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced Token example where only Atom feeds and the XML API are protected by HTTP token authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -412,14 +423,27 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
+        # header requesting the client to send a Bearer token. For the authentication
+        # to be considered successful, +login_procedure+ should return a non-nil
+        # value. Typically, the authenticated user is returned.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_or_request_with_http_token(realm = "Application", message = nil, &login_procedure)
           authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
+        # Authenticate using an HTTP Bearer token.
+        # Returns the return value of +login_procedure+ if a
+        # token is found. Returns +nil+ if no token is found.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
 
+        # Render an HTTP header requesting the client to send a Bearer token for
+        # authentication.
         def request_http_token_authentication(realm = "Application", message = nil)
           Token.authentication_request(self, realm, message)
         end
@@ -428,17 +452,17 @@ module ActionController
       # If token Authorization header is present, call the login
       # procedure with the present token and options.
       #
-      # [controller]
-      #   ActionController::Base instance for the current request.
+      # Returns the return value of +login_procedure+ if a
+      # token is found. Returns +nil+ if no token is found.
+      #
+      # ==== Parameters
       #
-      # [login_procedure]
-      #   Proc to call if a token is present. The Proc should take two arguments:
+      # * +controller+ - ActionController::Base instance for the current request.
+      # * +login_procedure+ - Proc to call if a token is present. The Proc
+      #   should take two arguments:
       #
       #     authenticate(controller) { |token, options| ... }
       #
-      # Returns the return value of <tt>login_procedure</tt> if a
-      # token is found. Returns <tt>nil</tt> if no token is found.
-
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
         unless token.blank?
@@ -449,14 +473,18 @@ module ActionController
       # Parses the token and options out of the token Authorization header.
       # The value for the Authorization header is expected to have the prefix
       # <tt>"Token"</tt> or <tt>"Bearer"</tt>. If the header looks like this:
+      #
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is <tt>"abc"</tt>, and the options are
-      # <tt>{nonce: "def"}</tt>
       #
-      # request - ActionDispatch::Request instance with the current headers.
+      # Then the returned token is <tt>"abc"</tt>, and the options are
+      # <tt>{nonce: "def"}</tt>.
       #
       # Returns an +Array+ of <tt>[String, Hash]</tt> if a token is present.
       # Returns +nil+ if no token is found.
+      #
+      # ==== Parameters
+      #
+      # * +request+ - ActionDispatch::Request instance with the current headers.
       def token_and_options(request)
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
@@ -469,7 +497,7 @@ module ActionController
         rewrite_param_values params_array_from raw_params auth
       end
 
-      # Takes raw_params and turns it into an array of parameters
+      # Takes +raw_params+ and turns it into an array of parameters.
       def params_array_from(raw_params)
         raw_params.map { |param| param.split %r/=(.+)?/ }
       end
@@ -479,11 +507,15 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
+      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
+      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
+
       # This method takes an authorization body and splits up the key-value
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
@@ -494,10 +526,12 @@ module ActionController
 
       # Encodes the given token and options into an Authorization header value.
       #
-      # token   - String token.
-      # options - optional Hash of the options.
-      #
       # Returns String.
+      #
+      # ==== Parameters
+      #
+      # * +token+ - String token.
+      # * +options+ - Optional Hash of the options.
       def encode_credentials(token, options = {})
         values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
@@ -507,10 +541,12 @@ module ActionController
 
       # Sets a WWW-Authenticate header to let the client know a token is desired.
       #
-      # controller - ActionController::Base instance for the outgoing response.
-      # realm      - String realm to use in the header.
-      #
       # Returns nothing.
+      #
+      # ==== Parameters
+      #
+      # * +controller+ - ActionController::Base instance for the outgoing response.
+      # * +realm+ - String realm to use in the header.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
         controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"', "")}")

data/lib/action_controller/metal/implicit_render.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller Implicit Render
+  #
   # Handles implicit rendering for a controller action that does not
   # explicitly respond with +render+, +respond_to+, +redirect+, or +head+.
   #
@@ -17,12 +19,12 @@ module ActionController
   # Second, if we DON'T find a template but the controller action does have
   # templates for other formats, variants, etc., then we trust that you meant
   # to provide a template for this response, too, and we raise
-  # <tt>ActionController::UnknownFormat</tt> with an explanation.
+  # ActionController::UnknownFormat with an explanation.
   #
   # Third, if we DON'T find a template AND the request is a page load in a web
   # browser (technically, a non-XHR GET request for an HTML response) where
   # you reasonably expect to have rendered a template, then we raise
-  # <tt>ActionController::MissingExactTemplate</tt> with an explanation.
+  # ActionController::MissingExactTemplate with an explanation.
   #
   # Finally, if we DON'T find a template AND the request isn't a browser page
   # load, then we implicitly respond with <tt>204 No Content</tt>.
@@ -42,7 +44,7 @@ module ActionController
         raise ActionController::UnknownFormat, message
       elsif interactive_browser_request?
         message = "#{self.class.name}\##{action_name} is missing a template for request formats: #{request.formats.map(&:to_s).join(',')}"
-        raise ActionController::MissingExactTemplate, message
+        raise ActionController::MissingExactTemplate.new(message, self.class, action_name)
       else
         logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
         super