actionpack 7.0.10 → 7.1.0.beta1

data/lib/action_controller/metal/strong_parameters.rb

@@ -64,7 +64,14 @@ module ActionController
     end
   end
 
-  # == Action Controller \Parameters
+  # Raised when initializing Parameters with keys that aren't strings or symbols.
+  #
+  #   ActionController::Parameters.new(123 => 456)
+  #   # => ActionController::InvalidParameterKey: all keys must be Strings or Symbols, got: Integer
+  class InvalidParameterKey < ArgumentError
+  end
+
+  # = Action Controller \Parameters
   #
   # Allows you to choose which attributes should be permitted for mass updating
   # and thus prevent accidentally exposing that which shouldn't be exposed.
@@ -92,8 +99,8 @@ module ActionController
   # * +permit_all_parameters+ - If it's +true+, all the parameters will be
   #   permitted by default. The default is +false+.
   # * +action_on_unpermitted_parameters+ - Controls behavior when parameters that are not explicitly
-  #    permitted are found. The default value is <tt>:log</tt> in test and development environments,
-  #    +false+ otherwise. The values can be:
+  #   permitted are found. The default value is <tt>:log</tt> in test and development environments,
+  #   +false+ otherwise. The values can be:
   #   * +false+ to take no action.
   #   * <tt>:log</tt> to emit an <tt>ActiveSupport::Notifications.instrument</tt> event on the
   #     <tt>unpermitted_parameters.action_controller</tt> topic and log at the DEBUG level.
@@ -123,7 +130,7 @@ module ActionController
   # environment they should only be set once at boot-time and never mutated at
   # runtime.
   #
-  # You can fetch values of <tt>ActionController::Parameters</tt> using either
+  # You can fetch values of +ActionController::Parameters+ using either
   # <tt>:key</tt> or <tt>"key"</tt>.
   #
   #   params = ActionController::Parameters.new(key: "value")
@@ -160,12 +167,12 @@ module ActionController
     # Returns true if the parameters have no key/value pairs.
 
     ##
-    # :method: has_value?
+    # :method: exclude?
     #
     # :call-seq:
-    #   has_value?(value)
+    #   exclude?(key)
     #
-    # Returns true if the given value is present for some key in the parameters.
+    # Returns true if the given key is not present in the parameters.
 
     ##
     # :method: include?
@@ -191,22 +198,7 @@ module ActionController
     #
     # Returns the content of the parameters as a string.
 
-    ##
-    # :method: value?
-    #
-    # :call-seq:
-    #   value?(value)
-    #
-    # Returns true if the given value is present for some key in the parameters.
-
-    ##
-    # :method: values
-    #
-    # :call-seq:
-    #   values()
-    #
-    # Returns a new array of the values of the parameters.
-    delegate :keys, :values, :has_value?, :value?, :empty?, :include?,
+    delegate :keys, :empty?, :exclude?, :include?,
       :as_json, :to_s, :each_key, to: :@parameters
 
     alias_method :has_key?, :include?
@@ -222,13 +214,15 @@ module ActionController
     #    config.action_controller.always_permitted_parameters = %w( controller action format )
     cattr_accessor :always_permitted_parameters, default: %w( controller action )
 
+    cattr_accessor :allow_deprecated_parameters_hash_equality, default: true, instance_accessor: false
+
     class << self
       def nested_attribute?(key, value) # :nodoc:
         /\A-?\d+\z/.match?(key) && (value.is_a?(Hash) || value.is_a?(Parameters))
       end
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance.
+    # Returns a new +ActionController::Parameters+ instance.
     # Also, sets the +permitted+ attribute to the default value of
     # <tt>ActionController::Parameters.permit_all_parameters</tt>.
     #
@@ -245,6 +239,12 @@ module ActionController
     #   params.permitted?  # => true
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def initialize(parameters = {}, logging_context = {})
+      parameters.each_key do |key|
+        unless key.is_a?(String) || key.is_a?(Symbol)
+          raise InvalidParameterKey, "all keys must be Strings or Symbols, got: #{key.class}"
+        end
+      end
+
       @parameters = parameters.with_indifferent_access
       @logging_context = logging_context
       @permitted = self.class.permit_all_parameters
@@ -256,7 +256,20 @@ module ActionController
       if other.respond_to?(:permitted?)
         permitted? == other.permitted? && parameters == other.parameters
       else
-        @parameters == other
+        if self.class.allow_deprecated_parameters_hash_equality && Hash === other
+          ActionController.deprecator.warn <<-WARNING.squish
+            Comparing equality between `ActionController::Parameters` and a
+            `Hash` is deprecated and will be removed in Rails 7.2. Please only do
+            comparisons between instances of `ActionController::Parameters`. If
+            you need to compare to a hash, first convert it using
+            `ActionController::Parameters#new`.
+            To disable the deprecated behavior set
+            `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality = false`.
+          WARNING
+          @parameters == other
+        else
+          super
+        end
       end
     end
 
@@ -282,9 +295,9 @@ module ActionController
     #
     #   safe_params = params.permit(:name)
     #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
-    def to_h
+    def to_h(&block)
       if permitted?
-        convert_parameters_to_hashes(@parameters, :to_h)
+        convert_parameters_to_hashes(@parameters, :to_h, &block)
       else
         raise UnfilteredParameters
       end
@@ -374,6 +387,11 @@ module ActionController
       self
     end
 
+    # Returns a new array of the values of the parameters.
+    def values
+      to_enum(:each_value).to_a
+    end
+
     # Attribute that keeps track of converted arrays, if any, to avoid double
     # looping in the common use case permit + mass-assignment. Defined in a
     # method to instantiate it only if needed.
@@ -480,7 +498,7 @@ module ActionController
 
     alias :required :require
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance that
+    # Returns a new +ActionController::Parameters+ instance that
     # includes only the given +filters+ and sets the +permitted+ attribute
     # for the object to +true+. This is useful for limiting which attributes
     # should be allowed for mass updating.
@@ -665,7 +683,7 @@ module ActionController
       @parameters.dig(*keys)
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance that
+    # Returns a new +ActionController::Parameters+ instance that
     # includes only the given +keys+. If the given +keys+
     # don't exist, returns an empty hash.
     #
@@ -676,14 +694,14 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.slice(*keys))
     end
 
-    # Returns the current <tt>ActionController::Parameters</tt> instance which
+    # Returns the current +ActionController::Parameters+ instance which
     # contains only the given +keys+.
     def slice!(*keys)
       @parameters.slice!(*keys)
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance that
+    # Returns a new +ActionController::Parameters+ instance that
     # filters out the given +keys+.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
@@ -692,6 +710,7 @@ module ActionController
     def except(*keys)
       new_instance_with_inherited_permitted_status(@parameters.except(*keys))
     end
+    alias_method :without, :except
 
     # Removes and returns the key/value pairs matching the given keys.
     #
@@ -702,7 +721,7 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.extract!(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with the results of
+    # Returns a new +ActionController::Parameters+ instance with the results of
     # running +block+ once for every value. The keys are unchanged.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
@@ -716,14 +735,14 @@ module ActionController
     end
 
     # Performs values transformation and returns the altered
-    # <tt>ActionController::Parameters</tt> instance.
+    # +ActionController::Parameters+ instance.
     def transform_values!
       return to_enum(:transform_values!) unless block_given?
       @parameters.transform_values! { |v| yield convert_value_to_parameters(v) }
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with the
+    # Returns a new +ActionController::Parameters+ instance with the
     # results of running +block+ once for every key. The values are unchanged.
     def transform_keys(&block)
       return to_enum(:transform_keys) unless block_given?
@@ -733,14 +752,14 @@ module ActionController
     end
 
     # Performs keys transformation and returns the altered
-    # <tt>ActionController::Parameters</tt> instance.
+    # +ActionController::Parameters+ instance.
     def transform_keys!(&block)
       return to_enum(:transform_keys!) unless block_given?
       @parameters.transform_keys!(&block)
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with the
+    # Returns a new +ActionController::Parameters+ instance with the
     # results of running +block+ once for every key. This includes the keys
     # from the root hash and from all nested hashes and arrays. The values are unchanged.
     def deep_transform_keys(&block)
@@ -749,7 +768,7 @@ module ActionController
       )
     end
 
-    # Returns the same <tt>ActionController::Parameters</tt> instance with
+    # Returns the same +ActionController::Parameters+ instance with
     # changed keys. This includes the keys from the root hash and from all
     # nested hashes and arrays. The values are unchanged.
     def deep_transform_keys!(&block)
@@ -765,7 +784,7 @@ module ActionController
       convert_value_to_parameters(@parameters.delete(key, &block))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with only
+    # Returns a new +ActionController::Parameters+ instance with only
     # items that the block evaluates to true.
     def select(&block)
       new_instance_with_inherited_permitted_status(@parameters.select(&block))
@@ -778,7 +797,7 @@ module ActionController
     end
     alias_method :keep_if, :select!
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with items
+    # Returns a new +ActionController::Parameters+ instance with items
     # that the block evaluates to true removed.
     def reject(&block)
       new_instance_with_inherited_permitted_status(@parameters.reject(&block))
@@ -791,7 +810,7 @@ module ActionController
     end
     alias_method :delete_if, :reject!
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with +nil+ values removed.
+    # Returns a new +ActionController::Parameters+ instance with +nil+ values removed.
     def compact
       new_instance_with_inherited_permitted_status(@parameters.compact)
     end
@@ -801,7 +820,7 @@ module ActionController
       self if @parameters.compact!
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance without the blank values.
+    # Returns a new +ActionController::Parameters+ instance without the blank values.
     # Uses Object#blank? for determining if a value is blank.
     def compact_blank
       reject { |_k, v| v.blank? }
@@ -813,13 +832,20 @@ module ActionController
       reject! { |_k, v| v.blank? }
     end
 
+    # Returns true if the given value is present for some key in the parameters.
+    def has_value?(value)
+      each_value.include?(convert_value_to_parameters(value))
+    end
+
+    alias value? has_value?
+
     # Returns values that were assigned to the given +keys+. Note that all the
-    # +Hash+ objects will be converted to <tt>ActionController::Parameters</tt>.
+    # +Hash+ objects will be converted to +ActionController::Parameters+.
     def values_at(*keys)
       convert_value_to_parameters(@parameters.values_at(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys from
+    # Returns a new +ActionController::Parameters+ instance with all keys from
     # +other_hash+ merged into current hash.
     def merge(other_hash)
       new_instance_with_inherited_permitted_status(
@@ -827,14 +853,14 @@ module ActionController
       )
     end
 
-    # Returns the current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current +ActionController::Parameters+ instance with
     # +other_hash+ merged into current hash.
     def merge!(other_hash)
       @parameters.merge!(other_hash.to_h)
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys
+    # Returns a new +ActionController::Parameters+ instance with all keys
     # from current hash merged into +other_hash+.
     def reverse_merge(other_hash)
       new_instance_with_inherited_permitted_status(
@@ -843,7 +869,7 @@ module ActionController
     end
     alias_method :with_defaults, :reverse_merge
 
-    # Returns the current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current +ActionController::Parameters+ instance with
     # current hash merged into +other_hash+.
     def reverse_merge!(other_hash)
       @parameters.merge!(other_hash.to_h) { |key, left, right| left }
@@ -900,6 +926,16 @@ module ActionController
       end
     end
 
+    # Returns parameter value for the given +key+ separated by +delimiter+.
+    #
+    #   params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
+    #   params.extract_value(:id) # => ["1", "123"]
+    #   params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
+    #   params.extract_value(:non_existent_key) # => nil
+    def extract_value(key, delimiter: "_")
+      @parameters[key]&.split(delimiter)
+    end
+
     protected
       attr_reader :parameters
 
@@ -922,14 +958,15 @@ module ActionController
         end
       end
 
-      def convert_parameters_to_hashes(value, using)
+      def convert_parameters_to_hashes(value, using, &block)
         case value
         when Array
           value.map { |v| convert_parameters_to_hashes(v, using) }
         when Hash
-          value.transform_values do |v|
+          transformed = value.transform_values do |v|
             convert_parameters_to_hashes(v, using)
-          end.with_indifferent_access
+          end
+          (block_given? ? transformed.to_h(&block) : transformed).with_indifferent_access
         when Parameters
           value.send(using)
         else
@@ -1112,6 +1149,8 @@ module ActionController
             case element
             when ->(e) { permitted_scalar?(e) }
               sanitized << element
+            when Array
+              sanitized << permit_any_in_array(element)
             when Parameters
               sanitized << permit_any_in_parameters(element)
             else
@@ -1127,7 +1166,7 @@ module ActionController
       end
   end
 
-  # == Strong \Parameters
+  # = Strong \Parameters
   #
   # It provides an interface for protecting attributes from end-user
   # assignment. This makes Action Controller parameters forbidden

data/lib/action_controller/metal/url_for.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller \UrlFor
+  #
   # Includes +url_for+ into the host class. The class has to provide a +RouteSet+ by implementing
   # the <tt>_routes</tt> method. Otherwise, an exception will be raised.
   #
@@ -25,6 +27,11 @@ module ActionController
 
     include AbstractController::UrlFor
 
+    def initialize(...)
+      super
+      @_url_options = nil
+    end
+
     def url_options
       @_url_options ||= {
         host: request.host,

data/lib/action_controller/metal.rb

@@ -4,6 +4,8 @@ require "active_support/core_ext/array/extract_options"
 require "action_dispatch/middleware/stack"
 
 module ActionController
+  # = Action Controller \MiddlewareStack
+  #
   # Extend ActionDispatch middleware stack to make it aware of options
   # allowing the following syntax in controllers:
   #
@@ -58,7 +60,9 @@ module ActionController
       end
   end
 
-  # <tt>ActionController::Metal</tt> is the simplest possible controller, providing a
+  # = Action Controller \Metal
+  #
+  # +ActionController::Metal+ is the simplest possible controller, providing a
   # valid Rack interface without the additional niceties provided by
   # ActionController::Base.
   #
@@ -78,9 +82,9 @@ module ActionController
   # The +action+ method returns a valid Rack application for the \Rails
   # router to dispatch to.
   #
-  # == Rendering Helpers
+  # == \Rendering \Helpers
   #
-  # <tt>ActionController::Metal</tt> by default provides no utilities for rendering
+  # +ActionController::Metal+ by default provides no utilities for rendering
   # views, partials, or other responses aside from explicitly calling of
   # <tt>response_body=</tt>, <tt>content_type=</tt>, and <tt>status=</tt>. To
   # add the render helpers you're used to having in a normal controller, you
@@ -96,7 +100,7 @@ module ActionController
   #     end
   #   end
   #
-  # == Redirection Helpers
+  # == Redirection \Helpers
   #
   # To add redirection helpers to your metal controller, do the following:
   #
@@ -109,7 +113,7 @@ module ActionController
   #     end
   #   end
   #
-  # == Other Helpers
+  # == Other \Helpers
   #
   # You can refer to the modules included in ActionController::Base to see
   # other features you can bring into your metal controller.
@@ -118,8 +122,8 @@ module ActionController
     abstract!
 
     # Returns the last part of the controller's name, underscored, without the ending
-    # <tt>Controller</tt>. For instance, PostsController returns <tt>posts</tt>.
-    # Namespaces are left out, so Admin::PostsController returns <tt>posts</tt> as well.
+    # <tt>Controller</tt>. For instance, +PostsController+ returns <tt>posts</tt>.
+    # Namespaces are left out, so +Admin::PostsController+ returns <tt>posts</tt> as well.
     #
     # ==== Returns
     # * <tt>string</tt>
@@ -137,20 +141,53 @@ module ActionController
       false
     end
 
+    class << self
+      private
+        def inherited(subclass)
+          super
+          subclass.middleware_stack = middleware_stack.dup
+          subclass.class_eval do
+            @controller_name = nil
+          end
+        end
+    end
+
     # Delegates to the class's ::controller_name.
     def controller_name
       self.class.controller_name
     end
 
-    attr_internal :response, :request
+    ##
+    # :attr_reader: request
+    #
+    # The ActionDispatch::Request instance for the current request.
+    attr_internal :request
+
+    ##
+    # :attr_reader: response
+    #
+    # The ActionDispatch::Response instance for the current response.
+    attr_internal_reader :response
+
+    ##
+    # The ActionDispatch::Request::Session instance for the current request.
+    # See further details in the
+    # {Active Controller Session guide}[https://guides.rubyonrails.org/action_controller_overview.html#session].
     delegate :session, to: "@_request"
-    delegate :headers, :status=, :location=, :content_type=,
+
+    ##
+    # Delegates to ActionDispatch::Response#headers.
+    delegate :headers, to: "@_response"
+
+    delegate :status=, :location=, :content_type=,
              :status, :location, :content_type, :media_type, to: "@_response"
 
     def initialize
       @_request = nil
       @_response = nil
+      @_response_body = nil
       @_routes = nil
+      @_params = nil
       super
     end
 
@@ -164,17 +201,19 @@ module ActionController
 
     alias :response_code :status # :nodoc:
 
-    # Basic url_for that can be overridden for more robust functionality.
+    # Basic \url_for that can be overridden for more robust functionality.
     def url_for(string)
       string
     end
 
     def response_body=(body)
-      body = [body] unless body.nil? || body.respond_to?(:each)
-      response.reset_body!
-      return unless body
-      response.body = body
-      super
+      if body
+        body = [body] if body.is_a?(String)
+        response.body = body
+        super
+      else
+        response.reset_body!
+      end
     end
 
     # Tests if render or redirect has already happened.
@@ -191,9 +230,22 @@ module ActionController
     end
 
     def set_response!(response) # :nodoc:
+      if @_response
+        _, _, body = @_response
+        body.close if body.respond_to?(:close)
+      end
+
       @_response = response
     end
 
+    # Assign the response and mark it as committed. No further processing will occur.
+    def response=(response)
+      set_response!(response)
+
+      # Force `performed?` to return true:
+      @_response_body = true
+    end
+
     def set_request!(request) # :nodoc:
       @_request = request
       @_request.controller_instance = self
@@ -209,11 +261,6 @@ module ActionController
 
     class_attribute :middleware_stack, default: ActionController::MiddlewareStack.new
 
-    def self.inherited(base) # :nodoc:
-      base.middleware_stack = middleware_stack.dup
-      super
-    end
-
     class << self
       # Pushes the given Rack middleware and its arguments to the bottom of the
       # middleware stack.
@@ -222,7 +269,18 @@ module ActionController
       end
     end
 
-    # Alias for +middleware_stack+.
+    # The middleware stack used by this controller.
+    #
+    # By default uses a variation of ActionDispatch::MiddlewareStack which
+    # allows for the following syntax:
+    #
+    #   class PostsController < ApplicationController
+    #     use AuthenticationMiddleware, except: [:index, :show]
+    #   end
+    #
+    # Read more about {Rails middleware
+    # stack}[https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack]
+    # in the guides.
     def self.middleware
       middleware_stack
     end

data/lib/action_controller/railtie.rb

@@ -14,8 +14,13 @@ module ActionController
     config.action_controller.log_query_tags_around_actions = true
     config.action_controller.wrap_parameters_by_default = false
 
+    config.eager_load_namespaces << AbstractController
     config.eager_load_namespaces << ActionController
 
+    initializer "action_controller.deprecator", before: :load_environment_config do |app|
+      app.deprecators[:action_controller] = ActionController.deprecator
+    end
+
     initializer "action_controller.assets_config", group: :all do |app|
       app.config.action_controller.assets_dir ||= app.config.paths["public"].first
     end
@@ -37,10 +42,15 @@ module ActionController
         action_on_unpermitted_parameters = options.action_on_unpermitted_parameters
 
         if action_on_unpermitted_parameters.nil?
-          action_on_unpermitted_parameters = (Rails.env.test? || Rails.env.development?) ? :log : false
+          action_on_unpermitted_parameters = Rails.env.local? ? :log : false
         end
 
         ActionController::Parameters.action_on_unpermitted_parameters = action_on_unpermitted_parameters
+
+        unless options.allow_deprecated_parameters_hash_equality.nil?
+          ActionController::Parameters.allow_deprecated_parameters_hash_equality =
+            options.allow_deprecated_parameters_hash_equality
+        end
       end
     end
 
@@ -71,7 +81,8 @@ module ActionController
           :permit_all_parameters,
           :action_on_unpermitted_parameters,
           :always_permitted_parameters,
-          :wrap_parameters_by_default
+          :wrap_parameters_by_default,
+          :allow_deprecated_parameters_hash_equality
         )
 
         filtered_options.each do |k, v|
@@ -99,12 +110,6 @@ module ActionController
       end
     end
 
-    initializer "action_controller.eager_load_actions" do
-      ActiveSupport.on_load(:after_initialize) do
-        ActionController::Metal.descendants.each(&:action_methods) if config.eager_load
-      end
-    end
-
     initializer "action_controller.query_log_tags" do |app|
       query_logs_tags_enabled = app.config.respond_to?(:active_record) &&
         app.config.active_record.query_log_tags_enabled &&
@@ -118,7 +123,15 @@ module ActionController
           ActiveRecord::QueryLogs.taggings.merge!(
             controller:            ->(context) { context[:controller]&.controller_name },
             action:                ->(context) { context[:controller]&.action_name },
-            namespaced_controller: ->(context) { context[:controller].class.name if context[:controller] }
+            namespaced_controller: ->(context) {
+              if context[:controller]
+                controller_class = context[:controller].class
+                # based on ActionController::Metal#controller_name, but does not demodulize
+                unless controller_class.anonymous?
+                  controller_class.name.delete_suffix("Controller").underscore
+                end
+              end
+            }
           )
         end
       end