actionpack 6.1.7 → 7.0.4.1

data/MIT-LICENSE

@@ -18,3 +18,4 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.rdoc

@@ -2,9 +2,8 @@
 
 Action Pack is a framework for handling and responding to web requests. It
 provides mechanisms for *routing* (mapping request URLs to actions), defining
-*controllers* that implement actions, and generating responses by rendering
-*views*, which are templates of various formats. In short, Action Pack
-provides the view and controller layers in the MVC paradigm.
+*controllers* that implement actions, and generating responses. In short, Action Pack
+provides the controller layer in the MVC paradigm.
 
 It consists of several modules:
 

data/lib/abstract_controller/asset_paths.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module AbstractController
-  module AssetPaths #:nodoc:
+  module AssetPaths # :nodoc:
     extend ActiveSupport::Concern
 
     included do

data/lib/abstract_controller/base.rb

@@ -9,35 +9,21 @@ require "active_support/core_ext/module/attr_internal"
 module AbstractController
   # Raised when a non-existing controller action is triggered.
   class ActionNotFound < StandardError
-    attr_reader :controller, :action
-    def initialize(message = nil, controller = nil, action = nil)
+    attr_reader :controller, :action # :nodoc:
+
+    def initialize(message = nil, controller = nil, action = nil) # :nodoc:
       @controller = controller
       @action = action
       super(message)
     end
 
-    class Correction
-      def initialize(error)
-        @error = error
-      end
-
-      def corrections
-        if @error.action
-          maybe_these = @error.controller.class.action_methods
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable # :nodoc:
 
-          maybe_these.sort_by { |n|
-            DidYouMean::Jaro.distance(@error.action.to_s, n)
-          }.reverse.first(4)
-        else
-          []
-        end
+      def corrections # :nodoc:
+        @corrections ||= DidYouMean::SpellChecker.new(dictionary: controller.class.action_methods).correct(action)
       end
     end
-
-    # We may not have DYM, and DYM might not let us register error handlers
-    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
-      DidYouMean.correct_error(self, Correction)
-    end
   end
 
   # AbstractController::Base is a low-level API. Nobody should be
@@ -164,13 +150,14 @@ module AbstractController
 
       process_action(action_name, *args)
     end
+    ruby2_keywords(:process)
 
-    # Delegates to the class' ::controller_path
+    # Delegates to the class's ::controller_path.
     def controller_path
       self.class.controller_path
     end
 
-    # Delegates to the class' ::action_methods
+    # Delegates to the class's ::action_methods.
     def action_methods
       self.class.action_methods
     end
@@ -191,7 +178,7 @@ module AbstractController
 
     # Tests if a response body is set. Used to determine if the
     # +process_action+ callback needs to be terminated in
-    # +AbstractController::Callbacks+.
+    # AbstractController::Callbacks.
     def performed?
       response_body
     end
@@ -224,8 +211,8 @@ module AbstractController
       #
       # Notice that the first argument is the method to be dispatched
       # which is *not* necessarily the same as the action name.
-      def process_action(method_name, *args)
-        send_action(method_name, *args)
+      def process_action(...)
+        send_action(...)
       end
 
       # Actually call the method associated with the action. Override

data/lib/abstract_controller/caching/fragments.rb

@@ -142,8 +142,8 @@ module AbstractController
         end
       end
 
-      def instrument_fragment_cache(name, key) # :nodoc:
-        ActiveSupport::Notifications.instrument("#{name}.#{instrument_name}", instrument_payload(key)) { yield }
+      def instrument_fragment_cache(name, key, &block) # :nodoc:
+        ActiveSupport::Notifications.instrument("#{name}.#{instrument_name}", instrument_payload(key), &block)
       end
     end
   end

data/lib/abstract_controller/caching.rb

@@ -50,7 +50,7 @@ module AbstractController
     end
 
     def view_cache_dependencies
-      self.class._view_cache_dependencies.map { |dep| instance_exec(&dep) }.compact
+      self.class._view_cache_dependencies.filter_map { |dep| instance_exec(&dep) }
     end
 
     private

data/lib/abstract_controller/callbacks.rb

@@ -35,12 +35,18 @@ module AbstractController
                        skip_after_callbacks_if_terminated: true
     end
 
-    # Override <tt>AbstractController::Base#process_action</tt> to run the
-    # <tt>process_action</tt> callbacks around the normal behavior.
-    def process_action(*)
-      run_callbacks(:process_action) do
-        super
+    class ActionFilter # :nodoc:
+      def initialize(actions)
+        @actions = Array(actions).map(&:to_s).to_set
       end
+
+      def match?(controller)
+        @actions.include?(controller.action_name)
+      end
+
+      alias after  match?
+      alias before match?
+      alias around match?
     end
 
     module ClassMethods
@@ -70,8 +76,7 @@ module AbstractController
 
       def _normalize_callback_option(options, from, to) # :nodoc:
         if from = options.delete(from)
-          _from = Array(from).map(&:to_s).to_set
-          from = proc { |c| _from.include? c.action_name }
+          from = ActionFilter.new(from)
           options[to] = Array(options[to]).unshift(from)
         end
       end
@@ -220,5 +225,14 @@ module AbstractController
         alias_method :"append_#{callback}_action", :"#{callback}_action"
       end
     end
+
+    private
+      # Override <tt>AbstractController::Base#process_action</tt> to run the
+      # <tt>process_action</tt> callbacks around the normal behavior.
+      def process_action(...)
+        run_callbacks(:process_action) do
+          super
+        end
+      end
   end
 end

data/lib/abstract_controller/collector.rb

@@ -10,7 +10,7 @@ module AbstractController
         def #{sym}(*args, &block)
           custom(Mime[:#{sym}], *args, &block)
         end
-        ruby2_keywords(:#{sym}) if respond_to?(:ruby2_keywords, true)
+        ruby2_keywords(:#{sym})
       RUBY
     end
 
@@ -39,6 +39,6 @@ module AbstractController
         super
       end
     end
-    ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:method_missing)
   end
 end

data/lib/abstract_controller/error.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module AbstractController
-  class Error < StandardError #:nodoc:
+  class Error < StandardError # :nodoc:
   end
 end

data/lib/abstract_controller/helpers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/dependencies"
+require "active_support/core_ext/name_error"
 
 module AbstractController
   module Helpers
@@ -83,11 +84,11 @@ module AbstractController
         file, line = location.path, location.lineno
 
         methods.each do |method|
-          _helpers_for_modification.class_eval <<-ruby_eval, file, line
+          _helpers_for_modification.class_eval <<~ruby_eval, file, line
             def #{method}(*args, &block)                    # def current_user(*args, &block)
               controller.send(:'#{method}', *args, &block)  #   controller.send(:'current_user', *args, &block)
             end                                             # end
-            ruby2_keywords(:'#{method}') if respond_to?(:ruby2_keywords, true)
+            ruby2_keywords(:'#{method}')
           ruby_eval
         end
       end
@@ -109,7 +110,7 @@ module AbstractController
       # The last two assume that <tt>"foo".camelize</tt> returns "Foo".
       #
       # When strings or symbols are passed, the method finds the actual module
-      # object using +String#constantize+. Therefore, if the module has not been
+      # object using String#constantize. Therefore, if the module has not been
       # yet loaded, it has to be autoloadable, which is normally the case.
       #
       # Namespaces are supported. The following calls include +Foo::BarHelper+:

data/lib/abstract_controller/logger.rb

@@ -3,7 +3,7 @@
 require "active_support/benchmarkable"
 
 module AbstractController
-  module Logger #:nodoc:
+  module Logger # :nodoc:
     extend ActiveSupport::Concern
 
     included do

data/lib/abstract_controller/railties/routes_helpers.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/module/introspection"
+
 module AbstractController
   module Railties
     module RoutesHelpers

data/lib/abstract_controller/translation.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/symbol/starts_ends_with"
+require "active_support/html_safe_translation"
 
 module AbstractController
   module Translation
@@ -24,7 +24,8 @@ module AbstractController
       end
 
       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
-      I18n.translate(key, **options, raise: i18n_raise)
+
+      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
     end
     alias :t :translate
 

data/lib/abstract_controller/url_for.rb

@@ -22,12 +22,10 @@ module AbstractController
       end
 
       def action_methods
-        @action_methods ||= begin
-          if _routes
-            super - _routes.named_routes.helper_names
-          else
-            super
-          end
+        @action_methods ||= if _routes
+          super - _routes.named_routes.helper_names
+        else
+          super
         end
       end
     end

data/lib/action_controller/api.rb

@@ -5,7 +5,7 @@ require "action_controller"
 require "action_controller/log_subscriber"
 
 module ActionController
-  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # API Controller is a lightweight version of ActionController::Base,
   # created for applications that don't require all functionalities that a complete
   # \Rails controller provides, allowing you to create controllers with just the
   # features that you need for API only applications.
@@ -32,12 +32,12 @@ module ActionController
   #   end
   #
   # Request, response, and parameters objects all work the exact same way as
-  # <tt>ActionController::Base</tt>.
+  # ActionController::Base.
   #
   # == Renders
   #
   # The default API Controller stack includes all renderers, which means you
-  # can use <tt>render :json</tt> and brothers freely in your controllers. Keep
+  # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
   # in mind that templates are not going to be rendered, so you need to ensure
   # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
   # all actions, otherwise it will return 204 No Content.
@@ -51,7 +51,7 @@ module ActionController
   #
   # Redirects are used to move from one action to another. You can use the
   # <tt>redirect_to</tt> method in your controllers in the same way as in
-  # <tt>ActionController::Base</tt>. For example:
+  # ActionController::Base. For example:
   #
   #   def create
   #     redirect_to root_url and return if not_authorized?
@@ -61,7 +61,7 @@ module ActionController
   # == Adding New Behavior
   #
   # In some scenarios you may want to add back some functionality provided by
-  # <tt>ActionController::Base</tt> that is not present by default in
+  # ActionController::Base that is not present by default in
   # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
   # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
   # you just need to include the module in a specific controller or in
@@ -83,7 +83,7 @@ module ActionController
   #     end
   #   end
   #
-  # Make sure to check the modules included in <tt>ActionController::Base</tt>
+  # Make sure to check the modules included in ActionController::Base
   # if you want to use any other functionality that is not provided
   # by <tt>ActionController::API</tt> out of the box.
   class API < Metal

data/lib/action_controller/base.rb

@@ -87,10 +87,11 @@ module ActionController
   #
   # or you can remove the entire session with +reset_session+.
   #
-  # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows them to see its contents.
-  #
-  # Do not put secret information in cookie-based sessions!
+  # By default, sessions are stored in an encrypted browser cookie (see
+  # ActionDispatch::Session::CookieStore). Thus the user will not be able to
+  # read or edit the session data. However, the user can keep a copy of the
+  # cookie even after it has expired, so you should avoid storing sensitive
+  # information in cookie-based sessions.
   #
   # == Responses
   #

data/lib/action_controller/form_builder.rb

@@ -3,7 +3,7 @@
 module ActionController
   # Override the default form builder for all views rendered by this
   # controller and any of its descendants. Accepts a subclass of
-  # +ActionView::Helpers::FormBuilder+.
+  # ActionView::Helpers::FormBuilder.
   #
   # For example, given a form builder:
   #
@@ -36,7 +36,7 @@ module ActionController
       # in the views rendered by this controller and its subclasses.
       #
       # ==== Parameters
-      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      # * <tt>builder</tt> - Default form builder, an instance of ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder
       end

data/lib/action_controller/log_subscriber.rb

@@ -56,12 +56,13 @@ module ActionController
     def unpermitted_parameters(event)
       debug do
         unpermitted_keys = event.payload[:keys]
-        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{unpermitted_keys.map { |e| ":#{e}" }.join(", ")}", RED)
+        display_unpermitted_keys = unpermitted_keys.map { |e| ":#{e}" }.join(", ")
+        context = event.payload[:context].map { |k, v| "#{k}: #{v}" }.join(", ")
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{display_unpermitted_keys}. Context: { #{context} }", RED)
       end
     end
 
-    %w(write_fragment read_fragment exist_fragment?
-       expire_fragment expire_page write_page).each do |method|
+    %w(write_fragment read_fragment exist_fragment? expire_fragment).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{method}(event)
           return unless logger.info? && ActionController::Base.enable_fragment_cache_logging

data/lib/action_controller/metal/conditional_get.rb

@@ -57,6 +57,8 @@ module ActionController
     #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cacheable by other devices (proxy caches).
+    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
+    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -98,12 +100,22 @@ module ActionController
     #     fresh_when(@article, public: true)
     #   end
     #
+    # When overwriting Cache-Control header:
+    #
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     fresh_when(@article, public: true, cache_control: { no_cache: true })
+    #   end
+    #
+    # This will set in the response Cache-Control = public, no-cache.
+    #
     # When rendering a different template than the default controller/action
     # style, you can indicate which digest to include in the ETag:
     #
     #   before_action { fresh_when @article, template: 'widgets/show' }
     #
-    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, template: nil)
+    def fresh_when(object = nil, etag: nil, weak_etag: nil, strong_etag: nil, last_modified: nil, public: false, cache_control: {}, template: nil)
+      response.cache_control.delete(:no_store)
       weak_etag ||= etag || object unless strong_etag
       last_modified ||= object.try(:updated_at) || object.try(:maximum, :updated_at)
 
@@ -117,6 +129,7 @@ module ActionController
 
       response.last_modified = last_modified if last_modified
       response.cache_control[:public] = true if public
+      response.cache_control.merge!(cache_control)
 
       head :not_modified if request.fresh?(response)
     end
@@ -147,6 +160,8 @@ module ActionController
     #   304 Not Modified response if last_modified <= If-Modified-Since.
     # * <tt>:public</tt> By default the Cache-Control header is private, set this to
     #   +true+ if you want your application to be cacheable by other devices (proxy caches).
+    # * <tt>:cache_control</tt> When given will overwrite an existing Cache-Control header.
+    #   See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     # * <tt>:template</tt> By default, the template digest for the current
     #   controller/action is included in ETags. If the action renders a
     #   different template, you can include its digest instead. If the action
@@ -209,6 +224,21 @@ module ActionController
     #     end
     #   end
     #
+    # When overwriting Cache-Control header:
+    #
+    #   def show
+    #     @article = Article.find(params[:id])
+    #
+    #     if stale?(@article, public: true, cache_control: { no_cache: true })
+    #       @statistics = @articles.really_expensive_call
+    #       respond_to do |format|
+    #         # all the supported formats
+    #       end
+    #     end
+    #   end
+    #
+    # This will set in the response Cache-Control = public, no-cache.
+    #
     # When rendering a different template than the default controller/action
     # style, you can indicate which digest to include in the ETag:
     #
@@ -238,12 +268,13 @@ module ActionController
     #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
     #
     # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-    # Any additional key-value pairs are concatenated onto the `Cache-Control` header in the response:
+    # Any additional key-value pairs are concatenated onto the Cache-Control header in the response:
     #
     #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
     #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
+      response.cache_control.delete(:no_store)
       response.cache_control.merge!(
         max_age: seconds,
         public: options.delete(:public),
@@ -280,6 +311,12 @@ module ActionController
                       public: public)
     end
 
+    # Sets an HTTP 1.1 Cache-Control header of <tt>no-store</tt>. This means the
+    # resource may not be stored in any cache.
+    def no_store
+      response.cache_control.replace(no_store: true)
+    end
+
     private
       def combine_etags(validator, options)
         [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact

data/lib/action_controller/metal/content_security_policy.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module ContentSecurityPolicy
-    # TODO: Documentation
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -14,6 +13,29 @@ module ActionController #:nodoc:
     end
 
     module ClassMethods
+      # Overrides parts of the globally configured Content-Security-Policy
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy do |policy|
+      #       policy.base_uri "https://www.example.com"
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy(only: :index) do |policy|
+      #       policy.default_src :self, :https
+      #     end
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy false, only: :index
+      #   end
       def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
@@ -28,6 +50,18 @@ module ActionController #:nodoc:
         end
       end
 
+      # Overrides the globally configured Content-Security-Policy-Report-Only
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only only: :index
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy-Report-Only header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only false, only: :index
+      #   end
       def content_security_policy_report_only(report_only = true, **options)
         before_action(options) do
           request.content_security_policy_report_only = report_only

data/lib/action_controller/metal/cookies.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Cookies
     extend ActiveSupport::Concern
 

data/lib/action_controller/metal/data_streaming.rb

@@ -3,7 +3,7 @@
 require "action_controller/metal/exceptions"
 require "action_dispatch/http/content_disposition"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # Methods for sending arbitrary data and for streaming files to the browser,
   # instead of rendering.
   module DataStreaming
@@ -11,8 +11,8 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" #:nodoc:
-    DEFAULT_SEND_FILE_DISPOSITION = "attachment" #:nodoc:
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream" # :nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment" # :nodoc:
 
     private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
@@ -66,7 +66,7 @@ module ActionController #:nodoc:
       # https://www.mnot.net/cache_docs/ for an overview of web caching and
       # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
       # for the Cache-Control header spec.
-      def send_file(path, options = {}) #:doc:
+      def send_file(path, options = {}) # :doc:
         raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
 
         options[:filename] ||= File.basename(path) unless options[:url_based_filename]
@@ -106,7 +106,7 @@ module ActionController #:nodoc:
       #   send_data image.data, type: image.content_type, disposition: 'inline'
       #
       # See +send_file+ for more information on HTTP Content-* headers and caching.
-      def send_data(data, options = {}) #:doc:
+      def send_data(data, options = {}) # :doc:
         send_file_headers! options
         render options.slice(:status, :content_type).merge(body: data)
       end
@@ -138,14 +138,6 @@ module ActionController #:nodoc:
         end
 
         headers["Content-Transfer-Encoding"] = "binary"
-
-        # Fix a problem with IE 6.0 on opening downloaded files:
-        # If Cache-Control: no-cache is set (which Rails does by default),
-        # IE removes the file it just downloaded from its cache immediately
-        # after it displays the "open/save" dialog, which means that if you
-        # hit "open" the file isn't there anymore when the application that
-        # is called for handling the download is run, so let's workaround that
-        response.cache_control[:public] ||= false
       end
   end
 end