actionpack 7.1.5.1 → 7.2.0.beta1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (157) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +61 -642
  3. data/lib/abstract_controller/asset_paths.rb +2 -0
  4. data/lib/abstract_controller/base.rb +102 -98
  5. data/lib/abstract_controller/caching/fragments.rb +50 -53
  6. data/lib/abstract_controller/caching.rb +2 -0
  7. data/lib/abstract_controller/callbacks.rb +66 -64
  8. data/lib/abstract_controller/collector.rb +6 -6
  9. data/lib/abstract_controller/deprecator.rb +2 -0
  10. data/lib/abstract_controller/error.rb +2 -0
  11. data/lib/abstract_controller/helpers.rb +70 -85
  12. data/lib/abstract_controller/logger.rb +2 -0
  13. data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
  14. data/lib/abstract_controller/rendering.rb +13 -12
  15. data/lib/abstract_controller/translation.rb +12 -13
  16. data/lib/abstract_controller/url_for.rb +8 -6
  17. data/lib/abstract_controller.rb +2 -0
  18. data/lib/action_controller/api/api_rendering.rb +2 -0
  19. data/lib/action_controller/api.rb +74 -72
  20. data/lib/action_controller/base.rb +155 -117
  21. data/lib/action_controller/caching.rb +15 -12
  22. data/lib/action_controller/deprecator.rb +2 -0
  23. data/lib/action_controller/form_builder.rb +20 -17
  24. data/lib/action_controller/log_subscriber.rb +3 -1
  25. data/lib/action_controller/metal/allow_browser.rb +119 -0
  26. data/lib/action_controller/metal/basic_implicit_render.rb +2 -0
  27. data/lib/action_controller/metal/conditional_get.rb +188 -174
  28. data/lib/action_controller/metal/content_security_policy.rb +25 -24
  29. data/lib/action_controller/metal/cookies.rb +4 -2
  30. data/lib/action_controller/metal/data_streaming.rb +64 -55
  31. data/lib/action_controller/metal/default_headers.rb +5 -3
  32. data/lib/action_controller/metal/etag_with_flash.rb +3 -1
  33. data/lib/action_controller/metal/etag_with_template_digest.rb +17 -15
  34. data/lib/action_controller/metal/exceptions.rb +11 -9
  35. data/lib/action_controller/metal/flash.rb +12 -10
  36. data/lib/action_controller/metal/head.rb +12 -10
  37. data/lib/action_controller/metal/helpers.rb +63 -55
  38. data/lib/action_controller/metal/http_authentication.rb +214 -203
  39. data/lib/action_controller/metal/implicit_render.rb +17 -15
  40. data/lib/action_controller/metal/instrumentation.rb +15 -12
  41. data/lib/action_controller/metal/live.rb +113 -107
  42. data/lib/action_controller/metal/logging.rb +6 -4
  43. data/lib/action_controller/metal/mime_responds.rb +151 -142
  44. data/lib/action_controller/metal/parameter_encoding.rb +34 -32
  45. data/lib/action_controller/metal/params_wrapper.rb +57 -59
  46. data/lib/action_controller/metal/permissions_policy.rb +13 -12
  47. data/lib/action_controller/metal/rate_limiting.rb +62 -0
  48. data/lib/action_controller/metal/redirecting.rb +108 -82
  49. data/lib/action_controller/metal/renderers.rb +50 -49
  50. data/lib/action_controller/metal/rendering.rb +103 -75
  51. data/lib/action_controller/metal/request_forgery_protection.rb +162 -133
  52. data/lib/action_controller/metal/rescue.rb +11 -9
  53. data/lib/action_controller/metal/streaming.rb +138 -136
  54. data/lib/action_controller/metal/strong_parameters.rb +483 -478
  55. data/lib/action_controller/metal/testing.rb +2 -0
  56. data/lib/action_controller/metal/url_for.rb +17 -15
  57. data/lib/action_controller/metal.rb +58 -57
  58. data/lib/action_controller/railtie.rb +3 -0
  59. data/lib/action_controller/railties/helpers.rb +2 -0
  60. data/lib/action_controller/renderer.rb +42 -36
  61. data/lib/action_controller/template_assertions.rb +4 -2
  62. data/lib/action_controller/test_case.rb +146 -126
  63. data/lib/action_controller.rb +5 -1
  64. data/lib/action_dispatch/constants.rb +2 -0
  65. data/lib/action_dispatch/deprecator.rb +2 -0
  66. data/lib/action_dispatch/http/cache.rb +27 -26
  67. data/lib/action_dispatch/http/content_disposition.rb +2 -0
  68. data/lib/action_dispatch/http/content_security_policy.rb +48 -59
  69. data/lib/action_dispatch/http/filter_parameters.rb +13 -14
  70. data/lib/action_dispatch/http/filter_redirect.rb +15 -1
  71. data/lib/action_dispatch/http/headers.rb +22 -22
  72. data/lib/action_dispatch/http/mime_negotiation.rb +30 -41
  73. data/lib/action_dispatch/http/mime_type.rb +25 -21
  74. data/lib/action_dispatch/http/mime_types.rb +2 -0
  75. data/lib/action_dispatch/http/parameters.rb +11 -9
  76. data/lib/action_dispatch/http/permissions_policy.rb +26 -36
  77. data/lib/action_dispatch/http/rack_cache.rb +2 -0
  78. data/lib/action_dispatch/http/request.rb +75 -95
  79. data/lib/action_dispatch/http/response.rb +61 -61
  80. data/lib/action_dispatch/http/upload.rb +18 -16
  81. data/lib/action_dispatch/http/url.rb +75 -73
  82. data/lib/action_dispatch/journey/formatter.rb +13 -6
  83. data/lib/action_dispatch/journey/gtg/builder.rb +4 -3
  84. data/lib/action_dispatch/journey/gtg/simulator.rb +2 -0
  85. data/lib/action_dispatch/journey/gtg/transition_table.rb +10 -8
  86. data/lib/action_dispatch/journey/nfa/dot.rb +2 -0
  87. data/lib/action_dispatch/journey/nodes/node.rb +6 -5
  88. data/lib/action_dispatch/journey/parser.rb +4 -3
  89. data/lib/action_dispatch/journey/parser_extras.rb +2 -0
  90. data/lib/action_dispatch/journey/path/pattern.rb +4 -1
  91. data/lib/action_dispatch/journey/route.rb +9 -7
  92. data/lib/action_dispatch/journey/router/utils.rb +16 -15
  93. data/lib/action_dispatch/journey/router.rb +4 -2
  94. data/lib/action_dispatch/journey/routes.rb +4 -2
  95. data/lib/action_dispatch/journey/scanner.rb +4 -2
  96. data/lib/action_dispatch/journey/visitors.rb +2 -0
  97. data/lib/action_dispatch/journey.rb +2 -0
  98. data/lib/action_dispatch/log_subscriber.rb +2 -0
  99. data/lib/action_dispatch/middleware/actionable_exceptions.rb +2 -0
  100. data/lib/action_dispatch/middleware/assume_ssl.rb +8 -5
  101. data/lib/action_dispatch/middleware/callbacks.rb +3 -1
  102. data/lib/action_dispatch/middleware/cookies.rb +119 -104
  103. data/lib/action_dispatch/middleware/debug_exceptions.rb +13 -5
  104. data/lib/action_dispatch/middleware/debug_locks.rb +15 -13
  105. data/lib/action_dispatch/middleware/debug_view.rb +2 -0
  106. data/lib/action_dispatch/middleware/exception_wrapper.rb +6 -11
  107. data/lib/action_dispatch/middleware/executor.rb +2 -0
  108. data/lib/action_dispatch/middleware/flash.rb +63 -51
  109. data/lib/action_dispatch/middleware/host_authorization.rb +17 -15
  110. data/lib/action_dispatch/middleware/public_exceptions.rb +8 -6
  111. data/lib/action_dispatch/middleware/reloader.rb +5 -3
  112. data/lib/action_dispatch/middleware/remote_ip.rb +77 -72
  113. data/lib/action_dispatch/middleware/request_id.rb +14 -9
  114. data/lib/action_dispatch/middleware/server_timing.rb +4 -2
  115. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -0
  116. data/lib/action_dispatch/middleware/session/cache_store.rb +13 -8
  117. data/lib/action_dispatch/middleware/session/cookie_store.rb +27 -26
  118. data/lib/action_dispatch/middleware/session/mem_cache_store.rb +7 -3
  119. data/lib/action_dispatch/middleware/show_exceptions.rb +16 -16
  120. data/lib/action_dispatch/middleware/ssl.rb +43 -40
  121. data/lib/action_dispatch/middleware/stack.rb +11 -10
  122. data/lib/action_dispatch/middleware/static.rb +33 -31
  123. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +1 -1
  124. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +1 -1
  125. data/lib/action_dispatch/railtie.rb +2 -3
  126. data/lib/action_dispatch/request/session.rb +23 -21
  127. data/lib/action_dispatch/request/utils.rb +2 -0
  128. data/lib/action_dispatch/routing/endpoint.rb +2 -0
  129. data/lib/action_dispatch/routing/inspector.rb +6 -4
  130. data/lib/action_dispatch/routing/mapper.rb +623 -625
  131. data/lib/action_dispatch/routing/polymorphic_routes.rb +69 -62
  132. data/lib/action_dispatch/routing/redirection.rb +37 -32
  133. data/lib/action_dispatch/routing/route_set.rb +60 -46
  134. data/lib/action_dispatch/routing/routes_proxy.rb +6 -4
  135. data/lib/action_dispatch/routing/url_for.rb +130 -125
  136. data/lib/action_dispatch/routing.rb +150 -148
  137. data/lib/action_dispatch/system_test_case.rb +91 -81
  138. data/lib/action_dispatch/system_testing/browser.rb +4 -2
  139. data/lib/action_dispatch/system_testing/driver.rb +2 -0
  140. data/lib/action_dispatch/system_testing/server.rb +2 -0
  141. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +32 -21
  142. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +2 -0
  143. data/lib/action_dispatch/testing/assertion_response.rb +8 -6
  144. data/lib/action_dispatch/testing/assertions/response.rb +26 -23
  145. data/lib/action_dispatch/testing/assertions/routing.rb +153 -84
  146. data/lib/action_dispatch/testing/assertions.rb +2 -0
  147. data/lib/action_dispatch/testing/integration.rb +223 -222
  148. data/lib/action_dispatch/testing/request_encoder.rb +2 -0
  149. data/lib/action_dispatch/testing/test_helpers/page_dump_helper.rb +35 -0
  150. data/lib/action_dispatch/testing/test_process.rb +12 -8
  151. data/lib/action_dispatch/testing/test_request.rb +3 -1
  152. data/lib/action_dispatch/testing/test_response.rb +27 -26
  153. data/lib/action_dispatch.rb +22 -32
  154. data/lib/action_pack/gem_version.rb +6 -4
  155. data/lib/action_pack/version.rb +3 -1
  156. data/lib/action_pack.rb +17 -16
  157. metadata +33 -16
@@ -1,14 +1,16 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ # :markup: markdown
4
+
3
5
  module AbstractController
4
- # = URL For
6
+ # # URL For
5
7
  #
6
- # Includes +url_for+ into the host class (e.g. an abstract controller or mailer). The class
7
- # has to provide a +RouteSet+ by implementing the <tt>_routes</tt> methods. Otherwise, an
8
- # exception will be raised.
8
+ # Includes `url_for` into the host class (e.g. an abstract controller or
9
+ # mailer). The class has to provide a `RouteSet` by implementing the `_routes`
10
+ # methods. Otherwise, an exception will be raised.
9
11
  #
10
- # Note that this module is completely decoupled from HTTP - the only requirement is a valid
11
- # <tt>_routes</tt> implementation.
12
+ # Note that this module is completely decoupled from HTTP - the only requirement
13
+ # is a valid `_routes` implementation.
12
14
  module UrlFor
13
15
  extend ActiveSupport::Concern
14
16
  include ActionDispatch::Routing::UrlFor
@@ -1,5 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ # :markup: markdown
4
+
3
5
  require "action_pack"
4
6
  require "active_support"
5
7
  require "active_support/rails"
@@ -1,5 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ # :markup: markdown
4
+
3
5
  module ActionController
4
6
  module ApiRendering
5
7
  extend ActiveSupport::Concern
@@ -1,107 +1,108 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ # :markup: markdown
4
+
3
5
  require "action_view"
4
6
  require "action_controller"
5
7
  require "action_controller/log_subscriber"
6
8
 
7
9
  module ActionController
8
- # = Action Controller \API
10
+ # # Action Controller API
9
11
  #
10
- # API Controller is a lightweight version of ActionController::Base,
11
- # created for applications that don't require all functionalities that a complete
12
- # \Rails controller provides, allowing you to create controllers with just the
13
- # features that you need for API only applications.
12
+ # API Controller is a lightweight version of ActionController::Base, created for
13
+ # applications that don't require all functionalities that a complete Rails
14
+ # controller provides, allowing you to create controllers with just the features
15
+ # that you need for API only applications.
14
16
  #
15
- # An API Controller is different from a normal controller in the sense that
16
- # by default it doesn't include a number of features that are usually required
17
- # by browser access only: layouts and templates rendering,
18
- # flash, assets, and so on. This makes the entire controller stack thinner,
19
- # suitable for API applications. It doesn't mean you won't have such
20
- # features if you need them: they're all available for you to include in
21
- # your application, they're just not part of the default API controller stack.
17
+ # An API Controller is different from a normal controller in the sense that by
18
+ # default it doesn't include a number of features that are usually required by
19
+ # browser access only: layouts and templates rendering, flash, assets, and so
20
+ # on. This makes the entire controller stack thinner, suitable for API
21
+ # applications. It doesn't mean you won't have such features if you need them:
22
+ # they're all available for you to include in your application, they're just not
23
+ # part of the default API controller stack.
22
24
  #
23
- # Normally, +ApplicationController+ is the only controller that inherits from
24
- # +ActionController::API+. All other controllers in turn inherit from
25
- # +ApplicationController+.
25
+ # Normally, `ApplicationController` is the only controller that inherits from
26
+ # `ActionController::API`. All other controllers in turn inherit from
27
+ # `ApplicationController`.
26
28
  #
27
29
  # A sample controller could look like this:
28
30
  #
29
- # class PostsController < ApplicationController
30
- # def index
31
- # posts = Post.all
32
- # render json: posts
31
+ # class PostsController < ApplicationController
32
+ # def index
33
+ # posts = Post.all
34
+ # render json: posts
35
+ # end
33
36
  # end
34
- # end
35
37
  #
36
38
  # Request, response, and parameters objects all work the exact same way as
37
39
  # ActionController::Base.
38
40
  #
39
- # == Renders
41
+ # ## Renders
40
42
  #
41
- # The default API Controller stack includes all renderers, which means you
42
- # can use <tt>render :json</tt> and siblings freely in your controllers. Keep
43
- # in mind that templates are not going to be rendered, so you need to ensure
44
- # your controller is calling either <tt>render</tt> or <tt>redirect_to</tt> in
45
- # all actions, otherwise it will return <tt>204 No Content</tt>.
43
+ # The default API Controller stack includes all renderers, which means you can
44
+ # use `render :json` and siblings freely in your controllers. Keep in mind that
45
+ # templates are not going to be rendered, so you need to ensure your controller
46
+ # is calling either `render` or `redirect_to` in all actions, otherwise it will
47
+ # return `204 No Content`.
46
48
  #
47
- # def show
48
- # post = Post.find(params[:id])
49
- # render json: post
50
- # end
49
+ # def show
50
+ # post = Post.find(params[:id])
51
+ # render json: post
52
+ # end
51
53
  #
52
- # == Redirects
54
+ # ## Redirects
53
55
  #
54
56
  # Redirects are used to move from one action to another. You can use the
55
- # <tt>redirect_to</tt> method in your controllers in the same way as in
57
+ # `redirect_to` method in your controllers in the same way as in
56
58
  # ActionController::Base. For example:
57
59
  #
58
- # def create
59
- # redirect_to root_url and return if not_authorized?
60
- # # do stuff here
61
- # end
60
+ # def create
61
+ # redirect_to root_url and return if not_authorized?
62
+ # # do stuff here
63
+ # end
62
64
  #
63
- # == Adding New Behavior
65
+ # ## Adding New Behavior
64
66
  #
65
67
  # In some scenarios you may want to add back some functionality provided by
66
68
  # ActionController::Base that is not present by default in
67
- # +ActionController::API+, for instance <tt>MimeResponds</tt>. This
68
- # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
69
- # you just need to include the module in a specific controller or in
70
- # +ApplicationController+ in case you want it available in your entire
71
- # application:
72
- #
73
- # class ApplicationController < ActionController::API
74
- # include ActionController::MimeResponds
75
- # end
76
- #
77
- # class PostsController < ApplicationController
78
- # def index
79
- # posts = Post.all
80
- #
81
- # respond_to do |format|
82
- # format.json { render json: posts }
83
- # format.xml { render xml: posts }
69
+ # `ActionController::API`, for instance `MimeResponds`. This module gives you
70
+ # the `respond_to` method. Adding it is quite simple, you just need to include
71
+ # the module in a specific controller or in `ApplicationController` in case you
72
+ # want it available in your entire application:
73
+ #
74
+ # class ApplicationController < ActionController::API
75
+ # include ActionController::MimeResponds
76
+ # end
77
+ #
78
+ # class PostsController < ApplicationController
79
+ # def index
80
+ # posts = Post.all
81
+ #
82
+ # respond_to do |format|
83
+ # format.json { render json: posts }
84
+ # format.xml { render xml: posts }
85
+ # end
84
86
  # end
85
87
  # end
86
- # end
87
88
  #
88
- # Make sure to check the modules included in ActionController::Base
89
- # if you want to use any other functionality that is not provided
90
- # by +ActionController::API+ out of the box.
89
+ # Make sure to check the modules included in ActionController::Base if you want
90
+ # to use any other functionality that is not provided by `ActionController::API`
91
+ # out of the box.
91
92
  class API < Metal
92
93
  abstract!
93
94
 
94
- # Shortcut helper that returns all the ActionController::API modules except
95
- # the ones passed as arguments:
95
+ # Shortcut helper that returns all the ActionController::API modules except the
96
+ # ones passed as arguments:
96
97
  #
97
- # class MyAPIBaseController < ActionController::Metal
98
- # ActionController::API.without_modules(:UrlFor).each do |left|
99
- # include left
98
+ # class MyAPIBaseController < ActionController::Metal
99
+ # ActionController::API.without_modules(:UrlFor).each do |left|
100
+ # include left
101
+ # end
100
102
  # end
101
- # end
102
103
  #
103
- # This gives better control over what you want to exclude and makes it easier
104
- # to create an API controller class, instead of listing the modules required
104
+ # This gives better control over what you want to exclude and makes it easier to
105
+ # create an API controller class, instead of listing the modules required
105
106
  # manually.
106
107
  def self.without_modules(*modules)
107
108
  modules = modules.map do |m|
@@ -121,24 +122,25 @@ module ActionController
121
122
  ConditionalGet,
122
123
  BasicImplicitRender,
123
124
  StrongParameters,
125
+ RateLimiting,
124
126
 
125
127
  DataStreaming,
126
128
  DefaultHeaders,
127
129
  Logging,
128
130
 
129
- # Before callbacks should also be executed as early as possible, so
130
- # also include them at the bottom.
131
+ # Before callbacks should also be executed as early as possible, so also include
132
+ # them at the bottom.
131
133
  AbstractController::Callbacks,
132
134
 
133
135
  # Append rescue at the bottom to wrap as much as possible.
134
136
  Rescue,
135
137
 
136
- # Add instrumentations hooks at the bottom, to ensure they instrument
137
- # all the methods properly.
138
+ # Add instrumentations hooks at the bottom, to ensure they instrument all the
139
+ # methods properly.
138
140
  Instrumentation,
139
141
 
140
- # Params wrapper should come before instrumentation so they are
141
- # properly showed in logs
142
+ # Params wrapper should come before instrumentation so they are properly showed
143
+ # in logs
142
144
  ParamsWrapper
143
145
  ]
144
146
 
@@ -1,170 +1,205 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ # :markup: markdown
4
+
3
5
  require "action_view"
4
6
  require "action_controller/log_subscriber"
5
7
  require "action_controller/metal/params_wrapper"
6
8
 
7
9
  module ActionController
8
- # = Action Controller \Base
10
+ # # Action Controller Base
9
11
  #
10
- # Action Controllers are the core of a web request in \Rails. They are made up of one or more actions that are executed
11
- # on request and then either it renders a template or redirects to another action. An action is defined as a public method
12
- # on the controller, which will automatically be made accessible to the web-server through \Rails Routes.
12
+ # Action Controllers are the core of a web request in Rails. They are made up of
13
+ # one or more actions that are executed on request and then either it renders a
14
+ # template or redirects to another action. An action is defined as a public
15
+ # method on the controller, which will automatically be made accessible to the
16
+ # web-server through Rails Routes.
13
17
  #
14
- # By default, only the ApplicationController in a \Rails application inherits from +ActionController::Base+. All other
15
- # controllers inherit from ApplicationController. This gives you one class to configure things such as
18
+ # By default, only the ApplicationController in a Rails application inherits
19
+ # from `ActionController::Base`. All other controllers inherit from
20
+ # ApplicationController. This gives you one class to configure things such as
16
21
  # request forgery protection and filtering of sensitive request parameters.
17
22
  #
18
23
  # A sample controller could look like this:
19
24
  #
20
- # class PostsController < ApplicationController
21
- # def index
22
- # @posts = Post.all
23
- # end
25
+ # class PostsController < ApplicationController
26
+ # def index
27
+ # @posts = Post.all
28
+ # end
24
29
  #
25
- # def create
26
- # @post = Post.create params[:post]
27
- # redirect_to posts_path
30
+ # def create
31
+ # @post = Post.create params[:post]
32
+ # redirect_to posts_path
33
+ # end
28
34
  # end
29
- # end
30
35
  #
31
- # Actions, by default, render a template in the <tt>app/views</tt> directory corresponding to the name of the controller and action
32
- # after executing code in the action. For example, the +index+ action of the PostsController would render the
33
- # template <tt>app/views/posts/index.html.erb</tt> by default after populating the <tt>@posts</tt> instance variable.
36
+ # Actions, by default, render a template in the `app/views` directory
37
+ # corresponding to the name of the controller and action after executing code in
38
+ # the action. For example, the `index` action of the PostsController would
39
+ # render the template `app/views/posts/index.html.erb` by default after
40
+ # populating the `@posts` instance variable.
34
41
  #
35
- # Unlike index, the create action will not render a template. After performing its main purpose (creating a
36
- # new post), it initiates a redirect instead. This redirect works by returning an external
37
- # <tt>302 Moved</tt> HTTP response that takes the user to the index action.
42
+ # Unlike index, the create action will not render a template. After performing
43
+ # its main purpose (creating a new post), it initiates a redirect instead. This
44
+ # redirect works by returning an external `302 Moved` HTTP response that takes
45
+ # the user to the index action.
38
46
  #
39
- # These two methods represent the two basic action archetypes used in Action Controllers: Get-and-show and do-and-redirect.
40
- # Most actions are variations on these themes.
47
+ # These two methods represent the two basic action archetypes used in Action
48
+ # Controllers: Get-and-show and do-and-redirect. Most actions are variations on
49
+ # these themes.
41
50
  #
42
- # == Requests
51
+ # ## Requests
43
52
  #
44
- # For every request, the router determines the value of the +controller+ and +action+ keys. These determine which controller
45
- # and action are called. The remaining request parameters, the session (if one is available), and the full request with
46
- # all the HTTP headers are made available to the action through accessor methods. Then the action is performed.
53
+ # For every request, the router determines the value of the `controller` and
54
+ # `action` keys. These determine which controller and action are called. The
55
+ # remaining request parameters, the session (if one is available), and the full
56
+ # request with all the HTTP headers are made available to the action through
57
+ # accessor methods. Then the action is performed.
47
58
  #
48
- # The full request object is available via the request accessor and is primarily used to query for HTTP headers:
59
+ # The full request object is available via the request accessor and is primarily
60
+ # used to query for HTTP headers:
49
61
  #
50
- # def server_ip
51
- # location = request.env["REMOTE_ADDR"]
52
- # render plain: "This server hosted at #{location}"
53
- # end
62
+ # def server_ip
63
+ # location = request.env["REMOTE_ADDR"]
64
+ # render plain: "This server hosted at #{location}"
65
+ # end
54
66
  #
55
- # == Parameters
67
+ # ## Parameters
56
68
  #
57
- # All request parameters, whether they come from a query string in the URL or form data submitted through a POST request are
58
- # available through the <tt>params</tt> method which returns a hash. For example, an action that was performed through
59
- # <tt>/posts?category=All&limit=5</tt> will include <tt>{ "category" => "All", "limit" => "5" }</tt> in <tt>params</tt>.
69
+ # All request parameters, whether they come from a query string in the URL or
70
+ # form data submitted through a POST request are available through the `params`
71
+ # method which returns a hash. For example, an action that was performed through
72
+ # `/posts?category=All&limit=5` will include `{ "category" => "All", "limit" =>
73
+ # "5" }` in `params`.
60
74
  #
61
- # It's also possible to construct multi-dimensional parameter hashes by specifying keys using brackets, such as:
75
+ # It's also possible to construct multi-dimensional parameter hashes by
76
+ # specifying keys using brackets, such as:
62
77
  #
63
- # <input type="text" name="post[name]" value="david">
64
- # <input type="text" name="post[address]" value="hyacintvej">
78
+ # <input type="text" name="post[name]" value="david">
79
+ # <input type="text" name="post[address]" value="hyacintvej">
65
80
  #
66
- # A request coming from a form holding these inputs will include <tt>{ "post" => { "name" => "david", "address" => "hyacintvej" } }</tt>.
67
- # If the address input had been named <tt>post[address][street]</tt>, the <tt>params</tt> would have included
68
- # <tt>{ "post" => { "address" => { "street" => "hyacintvej" } } }</tt>. There's no limit to the depth of the nesting.
81
+ # A request coming from a form holding these inputs will include `{ "post" => {
82
+ # "name" => "david", "address" => "hyacintvej" } }`. If the address input had
83
+ # been named `post[address][street]`, the `params` would have included `{ "post"
84
+ # => { "address" => { "street" => "hyacintvej" } } }`. There's no limit to the
85
+ # depth of the nesting.
69
86
  #
70
- # == Sessions
87
+ # ## Sessions
71
88
  #
72
- # Sessions allow you to store objects in between requests. This is useful for objects that are not yet ready to be persisted,
73
- # such as a Signup object constructed in a multi-paged process, or objects that don't change much and are needed all the time, such
74
- # as a User object for a system that requires login. The session should not be used, however, as a cache for objects where it's likely
75
- # they could be changed unknowingly. It's usually too much work to keep it all synchronized -- something databases already excel at.
89
+ # Sessions allow you to store objects in between requests. This is useful for
90
+ # objects that are not yet ready to be persisted, such as a Signup object
91
+ # constructed in a multi-paged process, or objects that don't change much and
92
+ # are needed all the time, such as a User object for a system that requires
93
+ # login. The session should not be used, however, as a cache for objects where
94
+ # it's likely they could be changed unknowingly. It's usually too much work to
95
+ # keep it all synchronized -- something databases already excel at.
76
96
  #
77
- # You can place objects in the session by using the <tt>session</tt> method, which accesses a hash:
97
+ # You can place objects in the session by using the `session` method, which
98
+ # accesses a hash:
78
99
  #
79
- # session[:person] = Person.authenticate(user_name, password)
100
+ # session[:person] = Person.authenticate(user_name, password)
80
101
  #
81
102
  # You can retrieve it again through the same hash:
82
103
  #
83
- # "Hello #{session[:person]}"
104
+ # "Hello #{session[:person]}"
84
105
  #
85
- # For removing objects from the session, you can either assign a single key to +nil+:
106
+ # For removing objects from the session, you can either assign a single key to
107
+ # `nil`:
86
108
  #
87
- # # removes :person from session
88
- # session[:person] = nil
109
+ # # removes :person from session
110
+ # session[:person] = nil
89
111
  #
90
- # or you can remove the entire session with +reset_session+.
112
+ # or you can remove the entire session with `reset_session`.
91
113
  #
92
114
  # By default, sessions are stored in an encrypted browser cookie (see
93
- # ActionDispatch::Session::CookieStore). Thus the user will not be able to
94
- # read or edit the session data. However, the user can keep a copy of the
95
- # cookie even after it has expired, so you should avoid storing sensitive
96
- # information in cookie-based sessions.
115
+ # ActionDispatch::Session::CookieStore). Thus the user will not be able to read
116
+ # or edit the session data. However, the user can keep a copy of the cookie even
117
+ # after it has expired, so you should avoid storing sensitive information in
118
+ # cookie-based sessions.
97
119
  #
98
- # == Responses
120
+ # ## Responses
99
121
  #
100
- # Each action results in a response, which holds the headers and document to be sent to the user's browser. The actual response
101
- # object is generated automatically through the use of renders and redirects and requires no user intervention.
122
+ # Each action results in a response, which holds the headers and document to be
123
+ # sent to the user's browser. The actual response object is generated
124
+ # automatically through the use of renders and redirects and requires no user
125
+ # intervention.
102
126
  #
103
- # == Renders
127
+ # ## Renders
104
128
  #
105
- # Action Controller sends content to the user by using one of five rendering methods. The most versatile and common is the rendering
106
- # of a template. Included in the Action Pack is the Action View, which enables rendering of ERB templates. It's automatically configured.
107
- # The controller passes objects to the view by assigning instance variables:
129
+ # Action Controller sends content to the user by using one of five rendering
130
+ # methods. The most versatile and common is the rendering of a template.
131
+ # Included in the Action Pack is the Action View, which enables rendering of ERB
132
+ # templates. It's automatically configured. The controller passes objects to the
133
+ # view by assigning instance variables:
108
134
  #
109
- # def show
110
- # @post = Post.find(params[:id])
111
- # end
135
+ # def show
136
+ # @post = Post.find(params[:id])
137
+ # end
112
138
  #
113
139
  # Which are then automatically available to the view:
114
140
  #
115
- # Title: <%= @post.title %>
141
+ # Title: <%= @post.title %>
116
142
  #
117
- # You don't have to rely on the automated rendering. For example, actions that could result in the rendering of different templates
118
- # will use the manual rendering methods:
143
+ # You don't have to rely on the automated rendering. For example, actions that
144
+ # could result in the rendering of different templates will use the manual
145
+ # rendering methods:
119
146
  #
120
- # def search
121
- # @results = Search.find(params[:query])
122
- # case @results.count
123
- # when 0 then render action: "no_results"
124
- # when 1 then render action: "show"
125
- # when 2..10 then render action: "show_many"
147
+ # def search
148
+ # @results = Search.find(params[:query])
149
+ # case @results.count
150
+ # when 0 then render action: "no_results"
151
+ # when 1 then render action: "show"
152
+ # when 2..10 then render action: "show_many"
153
+ # end
126
154
  # end
127
- # end
128
155
  #
129
156
  # Read more about writing ERB and Builder templates in ActionView::Base.
130
157
  #
131
- # == Redirects
158
+ # ## Redirects
132
159
  #
133
- # Redirects are used to move from one action to another. For example, after a <tt>create</tt> action, which stores a blog entry to the
134
- # database, we might like to show the user the new entry. Because we're following good DRY principles (Don't Repeat Yourself), we're
135
- # going to reuse (and redirect to) a <tt>show</tt> action that we'll assume has already been created. The code might look like this:
160
+ # Redirects are used to move from one action to another. For example, after a
161
+ # `create` action, which stores a blog entry to the database, we might like to
162
+ # show the user the new entry. Because we're following good DRY principles
163
+ # (Don't Repeat Yourself), we're going to reuse (and redirect to) a `show`
164
+ # action that we'll assume has already been created. The code might look like
165
+ # this:
136
166
  #
137
- # def create
138
- # @entry = Entry.new(params[:entry])
139
- # if @entry.save
140
- # # The entry was saved correctly, redirect to show
141
- # redirect_to action: 'show', id: @entry.id
142
- # else
143
- # # things didn't go so well, do something else
167
+ # def create
168
+ # @entry = Entry.new(params[:entry])
169
+ # if @entry.save
170
+ # # The entry was saved correctly, redirect to show
171
+ # redirect_to action: 'show', id: @entry.id
172
+ # else
173
+ # # things didn't go so well, do something else
174
+ # end
144
175
  # end
145
- # end
146
176
  #
147
- # In this case, after saving our new entry to the database, the user is redirected to the <tt>show</tt> method, which is then executed.
148
- # Note that this is an external HTTP-level redirection which will cause the browser to make a second request (a GET to the show action),
149
- # and not some internal re-routing which calls both "create" and then "show" within one request.
177
+ # In this case, after saving our new entry to the database, the user is
178
+ # redirected to the `show` method, which is then executed. Note that this is an
179
+ # external HTTP-level redirection which will cause the browser to make a second
180
+ # request (a GET to the show action), and not some internal re-routing which
181
+ # calls both "create" and then "show" within one request.
150
182
  #
151
- # Learn more about <tt>redirect_to</tt> and what options you have in ActionController::Redirecting.
183
+ # Learn more about `redirect_to` and what options you have in
184
+ # ActionController::Redirecting.
152
185
  #
153
- # == Calling multiple redirects or renders
186
+ # ## Calling multiple redirects or renders
154
187
  #
155
- # An action may contain only a single render or a single redirect. Attempting to try to do either again will result in a DoubleRenderError:
188
+ # An action may contain only a single render or a single redirect. Attempting to
189
+ # try to do either again will result in a DoubleRenderError:
156
190
  #
157
- # def do_something
158
- # redirect_to action: "elsewhere"
159
- # render action: "overthere" # raises DoubleRenderError
160
- # end
191
+ # def do_something
192
+ # redirect_to action: "elsewhere"
193
+ # render action: "overthere" # raises DoubleRenderError
194
+ # end
161
195
  #
162
- # If you need to redirect on the condition of something, then be sure to add "and return" to halt execution.
196
+ # If you need to redirect on the condition of something, then be sure to add
197
+ # "and return" to halt execution.
163
198
  #
164
- # def do_something
165
- # redirect_to(action: "elsewhere") and return if monkeys.nil?
166
- # render action: "overthere" # won't be called if monkeys is nil
167
- # end
199
+ # def do_something
200
+ # redirect_to(action: "elsewhere") and return if monkeys.nil?
201
+ # render action: "overthere" # won't be called if monkeys is nil
202
+ # end
168
203
  #
169
204
  class Base < Metal
170
205
  abstract!
@@ -172,15 +207,15 @@ module ActionController
172
207
  # Shortcut helper that returns all the modules included in
173
208
  # ActionController::Base except the ones passed as arguments:
174
209
  #
175
- # class MyBaseController < ActionController::Metal
176
- # ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
177
- # include left
210
+ # class MyBaseController < ActionController::Metal
211
+ # ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
212
+ # include left
213
+ # end
178
214
  # end
179
- # end
180
215
  #
181
- # This gives better control over what you want to exclude and makes it
182
- # easier to create a bare controller class, instead of listing the modules
183
- # required manually.
216
+ # This gives better control over what you want to exclude and makes it easier to
217
+ # create a bare controller class, instead of listing the modules required
218
+ # manually.
184
219
  def self.without_modules(*modules)
185
220
  modules = modules.map do |m|
186
221
  m.is_a?(Symbol) ? ActionController.const_get(m) : m
@@ -214,6 +249,8 @@ module ActionController
214
249
  RequestForgeryProtection,
215
250
  ContentSecurityPolicy,
216
251
  PermissionsPolicy,
252
+ RateLimiting,
253
+ AllowBrowser,
217
254
  Streaming,
218
255
  DataStreaming,
219
256
  HttpAuthentication::Basic::ControllerMethods,
@@ -222,19 +259,19 @@ module ActionController
222
259
  DefaultHeaders,
223
260
  Logging,
224
261
 
225
- # Before callbacks should also be executed as early as possible, so
226
- # also include them at the bottom.
262
+ # Before callbacks should also be executed as early as possible, so also include
263
+ # them at the bottom.
227
264
  AbstractController::Callbacks,
228
265
 
229
266
  # Append rescue at the bottom to wrap as much as possible.
230
267
  Rescue,
231
268
 
232
- # Add instrumentations hooks at the bottom, to ensure they instrument
233
- # all the methods properly.
269
+ # Add instrumentations hooks at the bottom, to ensure they instrument all the
270
+ # methods properly.
234
271
  Instrumentation,
235
272
 
236
- # Params wrapper should come before instrumentation so they are
237
- # properly showed in logs
273
+ # Params wrapper should come before instrumentation so they are properly showed
274
+ # in logs
238
275
  ParamsWrapper
239
276
  ]
240
277
 
@@ -247,6 +284,7 @@ module ActionController
247
284
  PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + %i(
248
285
  @_params @_response @_request @_config @_url_options @_action_has_layout @_view_context_class
249
286
  @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
287
+ @_marked_for_same_origin_verification @_rendered_format
250
288
  )
251
289
 
252
290
  def _protected_ivars