actionpack 6.1.7 → 7.0.4.1

data/lib/action_controller/metal/exceptions.rb

@@ -1,20 +1,20 @@
 # frozen_string_literal: true
 
 module ActionController
-  class ActionControllerError < StandardError #:nodoc:
+  class ActionControllerError < StandardError # :nodoc:
   end
 
-  class BadRequest < ActionControllerError #:nodoc:
+  class BadRequest < ActionControllerError # :nodoc:
     def initialize(msg = nil)
       super(msg)
       set_backtrace $!.backtrace if $!
     end
   end
 
-  class RenderError < ActionControllerError #:nodoc:
+  class RenderError < ActionControllerError # :nodoc:
   end
 
-  class RoutingError < ActionControllerError #:nodoc:
+  class RoutingError < ActionControllerError # :nodoc:
     attr_reader :failures
     def initialize(message, failures = [])
       super(message)
@@ -22,7 +22,7 @@ module ActionController
     end
   end
 
-  class UrlGenerationError < ActionControllerError #:nodoc:
+  class UrlGenerationError < ActionControllerError # :nodoc:
     attr_reader :routes, :route_name, :method_name
 
     def initialize(message, routes = nil, route_name = nil, method_name = nil)
@@ -33,44 +33,33 @@ module ActionController
       super(message)
     end
 
-    class Correction
-      def initialize(error)
-        @error = error
-      end
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable
 
       def corrections
-        if @error.method_name
-          maybe_these = @error.routes.named_routes.helper_names.grep(/#{@error.route_name}/)
-          maybe_these -= [@error.method_name.to_s] # remove exact match
-
-          maybe_these.sort_by { |n|
-            DidYouMean::Jaro.distance(@error.route_name, n)
-          }.reverse.first(4)
-        else
-          []
+        @corrections ||= begin
+          maybe_these = routes&.named_routes&.helper_names&.grep(/#{route_name}/) || []
+          maybe_these -= [method_name.to_s] # remove exact match
+
+          DidYouMean::SpellChecker.new(dictionary: maybe_these).correct(route_name)
         end
       end
     end
-
-    # We may not have DYM, and DYM might not let us register error handlers
-    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
-      DidYouMean.correct_error(self, Correction)
-    end
   end
 
-  class MethodNotAllowed < ActionControllerError #:nodoc:
+  class MethodNotAllowed < ActionControllerError # :nodoc:
     def initialize(*allowed_methods)
       super("Only #{allowed_methods.to_sentence} requests are allowed.")
     end
   end
 
-  class NotImplemented < MethodNotAllowed #:nodoc:
+  class NotImplemented < MethodNotAllowed # :nodoc:
   end
 
-  class MissingFile < ActionControllerError #:nodoc:
+  class MissingFile < ActionControllerError # :nodoc:
   end
 
-  class SessionOverflowError < ActionControllerError #:nodoc:
+  class SessionOverflowError < ActionControllerError # :nodoc:
     DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
 
     def initialize(message = nil)
@@ -78,10 +67,10 @@ module ActionController
     end
   end
 
-  class UnknownHttpMethod < ActionControllerError #:nodoc:
+  class UnknownHttpMethod < ActionControllerError # :nodoc:
   end
 
-  class UnknownFormat < ActionControllerError #:nodoc:
+  class UnknownFormat < ActionControllerError # :nodoc:
   end
 
   # Raised when a nested respond_to is triggered and the content types of each
@@ -102,6 +91,6 @@ module ActionController
     end
   end
 
-  class MissingExactTemplate < UnknownFormat #:nodoc:
+  class MissingExactTemplate < UnknownFormat # :nodoc:
   end
 end

data/lib/action_controller/metal/flash.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Flash
     extend ActiveSupport::Concern
 
@@ -41,10 +41,14 @@ module ActionController #:nodoc:
           self._flash_types += [type]
         end
       end
+
+      def action_methods # :nodoc:
+        @action_methods ||= super - _flash_types.map(&:to_s).to_set
+      end
     end
 
     private
-      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) # :doc:
         self.class._flash_types.each do |flash_type|
           if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type

data/lib/action_controller/metal/helpers.rb

@@ -26,7 +26,7 @@ module ActionController
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message=" ")
-  #       time.blank? ? blank_message : time.to_s(format)
+  #       time.blank? ? blank_message : time.to_fs(format)
   #     end
   #   end
   #
@@ -91,7 +91,7 @@ module ActionController
         end
       end
 
-      # Overwrite modules_for_helpers to accept :all as argument, which loads
+      # Override modules_for_helpers to accept +:all+ as argument, which loads
       # all helpers in helpers_path.
       #
       # ==== Parameters

data/lib/action_controller/metal/http_authentication.rb

@@ -5,9 +5,9 @@ require "active_support/security_utils"
 require "active_support/core_ext/array/access"
 
 module ActionController
-  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest, and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic authentication.
+    # = HTTP \Basic authentication
     #
     # === Simple \Basic example
     #
@@ -25,8 +25,8 @@ module ActionController
     #
     # === Advanced \Basic example
     #
-    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API are protected by HTTP authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -70,7 +70,12 @@ module ActionController
         extend ActiveSupport::Concern
 
         module ClassMethods
+          # Enables HTTP \Basic authentication.
+          #
+          # See ActionController::HttpAuthentication::Basic for example usage.
           def http_basic_authenticate_with(name:, password:, realm: nil, **options)
+            raise ArgumentError, "Expected name: to be a String, got #{name.class}" unless name.is_a?(String)
+            raise ArgumentError, "Expected password: to be a String, got #{password.class}" unless password.is_a?(String)
             before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
           end
         end
@@ -79,8 +84,8 @@ module ActionController
           authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
             # This comparison uses & so that it doesn't short circuit and
             # uses `secure_compare` so that length information isn't leaked.
-            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
-              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
+            ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) &
+              ActiveSupport::SecurityUtils.secure_compare(given_password.to_s, password)
           end
         end
 
@@ -135,15 +140,15 @@ module ActionController
       end
     end
 
-    # Makes it dead easy to do HTTP \Digest authentication.
+    # = HTTP \Digest authentication
     #
     # === Simple \Digest example
     #
-    #   require "digest/md5"
+    #   require "openssl"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #              "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
     #
     #     before_action :authenticate, except: [:index]
     #
@@ -181,22 +186,28 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP \Digest, or otherwise render an HTTP header
+        # requesting the client to send a \Digest.
+        #
+        # See ActionController::HttpAuthentication::Digest for example usage.
         def authenticate_or_request_with_http_digest(realm = "Application", message = nil, &password_procedure)
           authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm, message)
         end
 
-        # Authenticate with HTTP Digest, returns true or false
+        # Authenticate using an HTTP \Digest. Returns true if authentication is
+        # successful, false otherwise.
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
           HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
         end
 
-        # Render output including the HTTP Digest authentication header
+        # Render an HTTP header requesting the client to send a \Digest for
+        # authentication.
         def request_http_digest_authentication(realm = "Application", message = nil)
           HttpAuthentication::Digest.authentication_request(self, realm, message)
         end
       end
 
-      # Returns false on a valid response, true otherwise
+      # Returns false on a valid response, true otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -231,12 +242,12 @@ module ActionController
       # of a plain-text password.
       def expected_response(http_method, uri, credentials, password, password_is_ha1 = true)
         ha1 = password_is_ha1 ? password : ha1(credentials, password)
-        ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
-        ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
+        ha2 = OpenSSL::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
       end
 
       def ha1(credentials, password)
-        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
       end
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
@@ -301,7 +312,7 @@ module ActionController
       #
       # An implementation might choose not to accept a previously used nonce or a previously used digest, in order to
       # protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for
-      # POST, PUT, or PATCH requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
+      # POST, PUT, or PATCH requests, and a time-stamp for GET requests. For more details on the issues involved see Section 4
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
@@ -310,7 +321,7 @@ module ActionController
       def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
-        digest = ::Digest::MD5.hexdigest(hashed.join(":"))
+        digest = OpenSSL::Digest::MD5.hexdigest(hashed.join(":"))
         ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
@@ -327,13 +338,13 @@ module ActionController
 
       # Opaque based on digest of secret key
       def opaque(secret_key)
-        ::Digest::MD5.hexdigest(secret_key)
+        OpenSSL::Digest::MD5.hexdigest(secret_key)
       end
     end
 
-    # Makes it dead easy to do HTTP Token authentication.
+    # = HTTP \Token authentication
     #
-    # Simple Token example:
+    # === Simple \Token example
     #
     #   class PostsController < ApplicationController
     #     TOKEN = "secret"
@@ -359,8 +370,8 @@ module ActionController
     #   end
     #
     #
-    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced Token example where only Atom feeds and the XML API are protected by HTTP token authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -412,14 +423,22 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
+        # header requesting the client to send a Bearer token.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_or_request_with_http_token(realm = "Application", message = nil, &login_procedure)
           authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
+        # Authenticate using an HTTP Bearer token. Returns true if
+        # authentication is successful, false otherwise.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
 
+        # Render an HTTP header requesting the client to send a Bearer token for
+        # authentication.
         def request_http_token_authentication(realm = "Application", message = nil)
           Token.authentication_request(self, realm, message)
         end
@@ -428,17 +447,17 @@ module ActionController
       # If token Authorization header is present, call the login
       # procedure with the present token and options.
       #
-      # [controller]
-      #   ActionController::Base instance for the current request.
+      # Returns the return value of <tt>login_procedure</tt> if a
+      # token is found. Returns <tt>nil</tt> if no token is found.
+      #
+      # ==== Parameters
       #
-      # [login_procedure]
-      #   Proc to call if a token is present. The Proc should take two arguments:
+      # * +controller+ - ActionController::Base instance for the current request.
+      # * +login_procedure+ - Proc to call if a token is present. The Proc
+      #   should take two arguments:
       #
       #     authenticate(controller) { |token, options| ... }
       #
-      # Returns the return value of <tt>login_procedure</tt> if a
-      # token is found. Returns <tt>nil</tt> if no token is found.
-
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
         unless token.blank?
@@ -449,14 +468,18 @@ module ActionController
       # Parses the token and options out of the token Authorization header.
       # The value for the Authorization header is expected to have the prefix
       # <tt>"Token"</tt> or <tt>"Bearer"</tt>. If the header looks like this:
+      #
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is <tt>"abc"</tt>, and the options are
-      # <tt>{nonce: "def"}</tt>
       #
-      # request - ActionDispatch::Request instance with the current headers.
+      # Then the returned token is <tt>"abc"</tt>, and the options are
+      # <tt>{nonce: "def"}</tt>.
       #
       # Returns an +Array+ of <tt>[String, Hash]</tt> if a token is present.
       # Returns +nil+ if no token is found.
+      #
+      # ==== Parameters
+      #
+      # * +request+ - ActionDispatch::Request instance with the current headers.
       def token_and_options(request)
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
@@ -469,7 +492,7 @@ module ActionController
         rewrite_param_values params_array_from raw_params auth
       end
 
-      # Takes raw_params and turns it into an array of parameters
+      # Takes +raw_params+ and turns it into an array of parameters.
       def params_array_from(raw_params)
         raw_params.map { |param| param.split %r/=(.+)?/ }
       end
@@ -494,10 +517,12 @@ module ActionController
 
       # Encodes the given token and options into an Authorization header value.
       #
-      # token   - String token.
-      # options - optional Hash of the options.
-      #
       # Returns String.
+      #
+      # ==== Parameters
+      #
+      # * +token+ - String token.
+      # * +options+ - Optional Hash of the options.
       def encode_credentials(token, options = {})
         values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
@@ -507,10 +532,12 @@ module ActionController
 
       # Sets a WWW-Authenticate header to let the client know a token is desired.
       #
-      # controller - ActionController::Base instance for the outgoing response.
-      # realm      - String realm to use in the header.
-      #
       # Returns nothing.
+      #
+      # ==== Parameters
+      #
+      # * +controller+ - ActionController::Base instance for the outgoing response.
+      # * +realm+ - String realm to use in the header.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
         controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"', "")}")

data/lib/action_controller/metal/instrumentation.rb

@@ -16,30 +16,6 @@ module ActionController
 
     attr_internal :view_runtime
 
-    def process_action(*)
-      raw_payload = {
-        controller: self.class.name,
-        action: action_name,
-        request: request,
-        params: request.filtered_parameters,
-        headers: request.headers,
-        format: request.format.ref,
-        method: request.request_method,
-        path: request.fullpath
-      }
-
-      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
-
-      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        result = super
-        payload[:response] = response
-        payload[:status]   = response.status
-        result
-      ensure
-        append_info_to_payload(payload)
-      end
-    end
-
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
@@ -70,37 +46,66 @@ module ActionController
       end
     end
 
-  private
-    # A hook invoked every time a before callback is halted.
-    def halted_callback_hook(filter, _)
-      ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
-    end
+    private
+      def process_action(*)
+        ActiveSupport::ExecutionContext[:controller] = self
 
-    # A hook which allows you to clean up any time, wrongly taken into account in
-    # views, like database querying time.
-    #
-    #   def cleanup_view_runtime
-    #     super - time_taken_in_something_expensive
-    #   end
-    def cleanup_view_runtime # :doc:
-      yield
-    end
+        raw_payload = {
+          controller: self.class.name,
+          action: action_name,
+          request: request,
+          params: request.filtered_parameters,
+          headers: request.headers,
+          format: request.format.ref,
+          method: request.request_method,
+          path: request.fullpath
+        }
 
-    # Every time after an action is processed, this method is invoked
-    # with the payload, so you can add more information.
-    def append_info_to_payload(payload) # :doc:
-      payload[:view_runtime] = view_runtime
-    end
+        ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
 
-    module ClassMethods
-      # A hook which allows other frameworks to log what happened during
-      # controller process action. This method should return an array
-      # with the messages to be added.
-      def log_process_action(payload) #:nodoc:
-        messages, view_runtime = [], payload[:view_runtime]
-        messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
-        messages
+        ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
+          result = super
+          payload[:response] = response
+          payload[:status]   = response.status
+          result
+        rescue => error
+          payload[:status] = ActionDispatch::ExceptionWrapper.status_code_for_exception(error.class.name)
+          raise
+        ensure
+          append_info_to_payload(payload)
+        end
+      end
+
+      # A hook invoked every time a before callback is halted.
+      def halted_callback_hook(filter, _)
+        ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
+      end
+
+      # A hook which allows you to clean up any time, wrongly taken into account in
+      # views, like database querying time.
+      #
+      #   def cleanup_view_runtime
+      #     super - time_taken_in_something_expensive
+      #   end
+      def cleanup_view_runtime # :doc:
+        yield
+      end
+
+      # Every time after an action is processed, this method is invoked
+      # with the payload, so you can add more information.
+      def append_info_to_payload(payload) # :doc:
+        payload[:view_runtime] = view_runtime
+      end
+
+      module ClassMethods
+        # A hook which allows other frameworks to log what happened during
+        # controller process action. This method should return an array
+        # with the messages to be added.
+        def log_process_action(payload) # :nodoc:
+          messages, view_runtime = [], payload[:view_runtime]
+          messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
+          messages
+        end
       end
-    end
   end
 end

data/lib/action_controller/metal/live.rb

@@ -124,7 +124,7 @@ module ActionController
     class ClientDisconnected < RuntimeError
     end
 
-    class Buffer < ActionDispatch::Response::Buffer #:nodoc:
+    class Buffer < ActionDispatch::Response::Buffer # :nodoc:
       include MonitorMixin
 
       class << self
@@ -168,6 +168,11 @@ module ActionController
         end
       end
 
+      # Same as +write+ but automatically include a newline at the end of the string.
+      def writeln(string)
+        write string.end_with?("\n") ? string : "#{string}\n"
+      end
+
       # Write a 'close' event to the buffer; the producer/writing thread
       # uses this to notify us that it's finished supplying content.
       #
@@ -225,7 +230,7 @@ module ActionController
         end
     end
 
-    class Response < ActionDispatch::Response #:nodoc: all
+    class Response < ActionDispatch::Response # :nodoc: all
       private
         def before_committed
           super
@@ -256,6 +261,7 @@ module ActionController
           # Since we're processing the view in a different thread, copy the
           # thread locals from the main thread to the child thread. :'(
           locals.each { |k, v| t2[k] = v }
+          ActiveSupport::IsolatedExecutionState.share_with(t1)
 
           begin
             super(name)
@@ -291,6 +297,41 @@ module ActionController
       response.close if response
     end
 
+    # Sends a stream to the browser, which is helpful when you're generating exports or other running data where you
+    # don't want the entire file buffered in memory first. Similar to send_data, but where the data is generated live.
+    #
+    # Options:
+    # * <tt>:filename</tt> - suggests a filename for the browser to use.
+    # * <tt>:type</tt> - specifies an HTTP content type.
+    #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+    #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+    #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+    # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+    #   Valid values are 'inline' and 'attachment' (default).
+    #
+    # Example of generating a csv export:
+    #
+    #    send_stream(filename: "subscribers.csv") do |stream|
+    #      stream.write "email_address,updated_at\n"
+    #
+    #      @subscribers.find_each do |subscriber|
+    #        stream.write "#{subscriber.email_address},#{subscriber.updated_at}\n"
+    #      end
+    #    end
+    def send_stream(filename:, disposition: "attachment", type: nil)
+      response.headers["Content-Type"] =
+        (type.is_a?(Symbol) ? Mime[type].to_s : type) ||
+        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete(".")) ||
+        "application/octet-stream"
+
+      response.headers["Content-Disposition"] =
+        ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: filename)
+
+      yield response.stream
+    ensure
+      response.stream.close
+    end
+
     private
       # Spawn a new thread to serve up the controller in. This is to get
       # around the fact that Rack isn't based around IOs and we need to use

data/lib/action_controller/metal/mime_responds.rb

@@ -2,7 +2,7 @@
 
 require "abstract_controller/collector"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module MimeResponds
     # Without web-service support, an action which collects the data for displaying a list of people
     # might look something like this:
@@ -103,7 +103,7 @@ module ActionController #:nodoc:
     # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
     # +config/initializers/mime_types.rb+ as follows.
     #
-    #   Mime::Type.register "image/jpg", :jpg
+    #   Mime::Type.register "image/jpeg", :jpg
     #
     # +respond_to+ also allows you to specify a common block for different formats by using +any+:
     #
@@ -289,7 +289,7 @@ module ActionController #:nodoc:
         @format = request.negotiate_mime(@responses.keys)
       end
 
-      class VariantCollector #:nodoc:
+      class VariantCollector # :nodoc:
         def initialize(variant = nil)
           @variant = variant
           @variants = {}