actionpack 7.2.2.1 → 8.1.2

data/lib/abstract_controller/base.rb

@@ -3,7 +3,6 @@
 # :markup: markdown
 
 require "abstract_controller/error"
-require "active_support/configurable"
 require "active_support/descendants_tracker"
 require "active_support/core_ext/module/anonymous"
 require "active_support/core_ext/module/attr_internal"
@@ -47,7 +46,7 @@ module AbstractController
     # Returns the formats that can be processed by the controller.
     attr_internal :formats
 
-    include ActiveSupport::Configurable
+    class_attribute :config, instance_predicate: false, default: ActiveSupport::OrderedOptions.new
     extend ActiveSupport::DescendantsTracker
 
     class << self
@@ -65,6 +64,7 @@ module AbstractController
         unless klass.instance_variable_defined?(:@abstract)
           klass.instance_variable_set(:@abstract, false)
         end
+        klass.config = ActiveSupport::InheritableOptions.new(config)
         super
       end
 
@@ -86,22 +86,16 @@ module AbstractController
         controller.public_instance_methods(true) - methods
       end
 
-      # A list of method names that should be considered actions. This includes all
+      # A `Set` of method names that should be considered actions. This includes all
       # public instance methods on a controller, less any internal methods (see
       # internal_methods), adding back in any methods that are internal, but still
       # exist on the class itself.
-      #
-      # #### Returns
-      # *   `Set` - A set of all methods that should be considered actions.
-      #
       def action_methods
         @action_methods ||= begin
           # All public instance methods of this class, including ancestors except for
           # public instance methods of Base and its ancestors.
           methods = public_instance_methods(true) - internal_methods
-          # Be sure to include shadowed public instance methods of this class.
-          methods.concat(public_instance_methods(false))
-          methods.map!(&:to_s)
+          methods.map!(&:name)
           methods.to_set
         end
       end
@@ -121,13 +115,14 @@ module AbstractController
       #
       #     MyApp::MyPostsController.controller_path # => "my_app/my_posts"
       #
-      # #### Returns
-      # *   `String`
-      #
       def controller_path
         @controller_path ||= name.delete_suffix("Controller").underscore unless anonymous?
       end
 
+      def configure # :nodoc:
+        yield config
+      end
+
       # Refresh the cached action_methods when a new action_method is added.
       def method_added(name)
         super
@@ -147,10 +142,6 @@ module AbstractController
     # The actual method that is called is determined by calling #method_for_action.
     # If no method can handle the action, then an AbstractController::ActionNotFound
     # error is raised.
-    #
-    # #### Returns
-    # *   `self`
-    #
     def process(action, ...)
       @_action_name = action.to_s
 
@@ -201,6 +192,10 @@ module AbstractController
       true
     end
 
+    def config # :nodoc:
+      @_config ||= self.class.config.inheritable_copy
+    end
+
     def inspect # :nodoc:
       "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
     end

data/lib/abstract_controller/caching.rb

@@ -32,13 +32,16 @@ module AbstractController
     included do
       extend ConfigMethods
 
-      config_accessor :default_static_extension
+      singleton_class.delegate :default_static_extension, :default_static_extension=, to: :config
+      delegate :default_static_extension, :default_static_extension=, to: :config
       self.default_static_extension ||= ".html"
 
-      config_accessor :perform_caching
+      singleton_class.delegate :perform_caching, :perform_caching=, to: :config
+      delegate :perform_caching, :perform_caching=, to: :config
       self.perform_caching = true if perform_caching.nil?
 
-      config_accessor :enable_fragment_cache_logging
+      singleton_class.delegate :enable_fragment_cache_logging, :enable_fragment_cache_logging=, to: :config
+      delegate :enable_fragment_cache_logging, :enable_fragment_cache_logging=, to: :config
       self.enable_fragment_cache_logging = false
 
       class_attribute :_view_cache_dependencies, default: []

data/lib/abstract_controller/callbacks.rb

@@ -29,6 +29,8 @@ module AbstractController
     # ActiveSupport::Callbacks.
     include ActiveSupport::Callbacks
 
+    DEFAULT_INTERNAL_METHODS = [:_run_process_action_callbacks].freeze # :nodoc:
+
     included do
       define_callbacks :process_action,
                        terminator: ->(controller, result_lambda) { result_lambda.call; controller.performed? },
@@ -251,6 +253,10 @@ module AbstractController
         # *_action is the same as append_*_action
         alias_method :"append_#{callback}_action", :"#{callback}_action"
       end
+
+      def internal_methods # :nodoc:
+        super.concat(DEFAULT_INTERNAL_METHODS)
+      end
     end
 
     private

data/lib/abstract_controller/collector.rb

@@ -27,7 +27,7 @@ module AbstractController
     def method_missing(symbol, ...)
       unless mime_constant = Mime[symbol]
         raise NoMethodError, "To respond to a custom format, register it as a MIME type first: " \
-          "https://guides.rubyonrails.org/action_controller_overview.html#restful-downloads. " \
+          "https://guides.rubyonrails.org/action_controller_advanced_topics.html#restful-downloads. " \
           "If you meant to respond to a variant like :tablet or :phone, not a custom format, " \
           "be sure to nest your variant response within a format response: " \
           "format.html { |html| html.tablet { ... } }"

data/lib/abstract_controller/helpers.rb

@@ -90,7 +90,7 @@ module AbstractController
       #--
       # Implemented by Resolution#modules_for_helpers.
 
-      # :method: # all_helpers_from_path
+      # :method: all_helpers_from_path
       # :call-seq: all_helpers_from_path(path)
       #
       # Returns a list of helper names in a given path.

data/lib/abstract_controller/logger.rb

@@ -9,7 +9,8 @@ module AbstractController
     extend ActiveSupport::Concern
 
     included do
-      config_accessor :logger
+      singleton_class.delegate :logger, :logger=, to: :config
+      delegate :logger, :logger=, to: :config
       include ActiveSupport::Benchmarkable
     end
   end

data/lib/abstract_controller/rendering.rb

@@ -5,7 +5,6 @@
 require "abstract_controller/error"
 require "action_view"
 require "action_view/view_paths"
-require "set"
 
 module AbstractController
   class DoubleRenderError < Error

data/lib/action_controller/api.rb

@@ -5,6 +5,7 @@
 require "action_view"
 require "action_controller"
 require "action_controller/log_subscriber"
+require "action_controller/structured_event_subscriber"
 
 module ActionController
   # # Action Controller API

data/lib/action_controller/base.rb

@@ -4,6 +4,7 @@
 
 require "action_view"
 require "action_controller/log_subscriber"
+require "action_controller/structured_event_subscriber"
 require "action_controller/metal/params_wrapper"
 
 module ActionController
@@ -128,7 +129,7 @@ module ActionController
   #
   # Action Controller sends content to the user by using one of five rendering
   # methods. The most versatile and common is the rendering of a template.
-  # Included in the Action Pack is the Action View, which enables rendering of ERB
+  # Also included with \Rails is Action View, which enables rendering of ERB
   # templates. It's automatically configured. The controller passes objects to the
   # view by assigning instance variables:
   #
@@ -266,7 +267,7 @@ module ActionController
       ParamsWrapper
     ]
 
-    # Note: Documenting these severely degrates the performance of rdoc
+    # Note: Documenting these severely degrades the performance of rdoc
     # :stopdoc:
     include AbstractController::Rendering
     include AbstractController::Translation

data/lib/action_controller/caching.rb

@@ -9,9 +9,8 @@ module ActionController
   # of calculations, renderings, and database calls around for subsequent
   # requests.
   #
-  # You can read more about each approach by clicking the modules below.
-  #
   # Note: To turn off all caching provided by Action Controller, set
+  #
   #     config.action_controller.perform_caching = false
   #
   # ## Caching stores

data/lib/action_controller/form_builder.rb

@@ -22,10 +22,10 @@ module ActionController
   #       default_form_builder AdminFormBuilder
   #     end
   #
-  # Then in the view any form using `form_for` will be an instance of the
-  # specified form builder:
+  # Then in the view any form using `form_with` or `form_for` will be an
+  # instance of the specified form builder:
   #
-  #     <%= form_for(@instance) do |builder| %>
+  #     <%= form_with(model: @instance) do |builder| %>
   #       <%= builder.special_field(:name) %>
   #     <% end %>
   module FormBuilder
@@ -40,7 +40,7 @@ module ActionController
       # rendered by this controller and its subclasses.
       #
       # #### Parameters
-      # *   `builder` - Default form builder, an instance of
+      # *   `builder` - Default form builder. Accepts a subclass of
       #     ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder

data/lib/action_controller/log_subscriber.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-# :markup: markdown
-
 module ActionController
-  class LogSubscriber < ActiveSupport::LogSubscriber
+  class LogSubscriber < ActiveSupport::LogSubscriber # :nodoc:
     INTERNAL_PARAMS = %w(controller action format _method only_path)
 
+    class_attribute :backtrace_cleaner, default: ActiveSupport::BacktraceCleaner.new
+
     def start_processing(event)
       return unless logger.info?
 
@@ -49,6 +49,17 @@ module ActionController
     end
     subscribe_log_level :halted_callback, :info
 
+    # Manually subscribed below
+    def rescue_from_callback(event)
+      exception = event.payload[:exception]
+
+      exception_backtrace = exception.backtrace&.first
+      exception_backtrace = exception_backtrace&.delete_prefix("#{Rails.root}/") if defined?(Rails.root) && Rails.root
+
+      info { "rescue_from handled #{exception.class} (#{exception.message}) - #{exception_backtrace}" }
+    end
+    subscribe_log_level :rescue_from_callback, :info
+
     def send_file(event)
       info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
     end
@@ -56,6 +67,10 @@ module ActionController
 
     def redirect_to(event)
       info { "Redirected to #{event.payload[:location]}" }
+
+      if ActionDispatch.verbose_redirect_logs && (source = redirect_source_location)
+        info { "↳ #{source}" }
+      end
     end
     subscribe_log_level :redirect_to, :info
 
@@ -90,6 +105,10 @@ module ActionController
     def logger
       ActionController::Base.logger
     end
+
+    def redirect_source_location
+      backtrace_cleaner.first_clean_frame
+    end
   end
 end
 

data/lib/action_controller/metal/allow_browser.rb

@@ -14,7 +14,7 @@ module ActionController # :nodoc:
       # aren't reporting a user-agent header, will be allowed access.
       #
       # A browser that's blocked will by default be served the file in
-      # public/406-unsupported-browser.html with a HTTP status code of "406 Not
+      # public/406-unsupported-browser.html with an HTTP status code of "406 Not
       # Acceptable".
       #
       # In addition to specifically named browser versions, you can also pass
@@ -36,6 +36,16 @@ module ActionController # :nodoc:
       #     end
       #
       #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern, block: :handle_outdated_browser
+      #
+      #       private
+      #         def handle_outdated_browser
+      #           render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+      #         end
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
       #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
       #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
       #     end
@@ -55,7 +65,7 @@ module ActionController # :nodoc:
 
         if BrowserBlocker.new(request, versions: versions).blocked?
           ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
-            instance_exec(&block)
+            block.is_a?(Symbol) ? send(block) : instance_exec(&block)
           end
         end
       end

data/lib/action_controller/metal/conditional_get.rb

@@ -259,6 +259,9 @@ module ActionController
     # `:stale_if_error`
     # :   Sets the value of the `stale-if-error` directive.
     #
+    # `:immutable`
+    # :   If true, adds the `immutable` directive.
+    #
     #
     # Any additional key-value pairs are concatenated as directives. For a list of
     # supported `Cache-Control` directives, see the [article on
@@ -292,6 +295,7 @@ module ActionController
         must_revalidate: options.delete(:must_revalidate),
         stale_while_revalidate: options.delete(:stale_while_revalidate),
         stale_if_error: options.delete(:stale_if_error),
+        immutable: options.delete(:immutable),
       )
       options.delete(:private)
 
@@ -315,7 +319,7 @@ module ActionController
     #     user's web browser. To allow proxies to cache the response, set `true` to
     #     indicate that they can serve the cached response to all users.
     def http_cache_forever(public: false)
-      expires_in 100.years, public: public
+      expires_in 100.years, public: public, immutable: true
 
       yield if stale?(etag: request.fullpath,
                       last_modified: Time.new(2011, 1, 1).utc,
@@ -328,6 +332,31 @@ module ActionController
       response.cache_control.replace(no_store: true)
     end
 
+    # Adds the `must-understand` directive to the `Cache-Control` header, which indicates
+    # that a cache MUST understand the semantics of the response status code that has been
+    # received, or discard the response.
+    #
+    # This is particularly useful when returning responses with new or uncommon
+    # status codes that might not be properly interpreted by older caches.
+    #
+    # #### Example
+    #
+    #     def show
+    #       @article = Article.find(params[:id])
+    #
+    #       if @article.early_access?
+    #         must_understand
+    #         render status: 203 # Non-Authoritative Information
+    #       else
+    #         fresh_when @article
+    #       end
+    #     end
+    #
+    def must_understand
+      response.cache_control[:must_understand] = true
+      response.cache_control[:no_store] = true
+    end
+
     private
       def combine_etags(validator, options)
         [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact

data/lib/action_controller/metal/data_streaming.rb

@@ -28,7 +28,8 @@ module ActionController # :nodoc:
       # `send_file(params[:path])` allows a malicious user to download any file on
       # your server.
       #
-      # Options:
+      # #### Options:
+      #
       # *   `:filename` - suggests a filename for the browser to use. Defaults to
       #     `File.basename(path)`.
       # *   `:type` - specifies an HTTP content type. You can specify either a string
@@ -90,7 +91,8 @@ module ActionController # :nodoc:
       # inline data. You may also set the content type, the file name, and other
       # things.
       #
-      # Options:
+      # #### Options:
+      #
       # *   `:filename` - suggests a filename for the browser to use.
       # *   `:type` - specifies an HTTP content type. Defaults to
       #     `application/octet-stream`. You can specify either a string or a symbol
@@ -132,9 +134,7 @@ module ActionController # :nodoc:
         raise ArgumentError, ":type option required" if content_type.nil?
 
         if content_type.is_a?(Symbol)
-          extension = Mime[content_type]
-          raise ArgumentError, "Unknown MIME type #{options[:type]}" unless extension
-          self.content_type = extension
+          self.content_type = content_type
         else
           if !type_provided && options[:filename]
             # If type wasn't provided, try guessing from file extension.

data/lib/action_controller/metal/exceptions.rb

@@ -103,4 +103,9 @@ module ActionController
       super(message)
     end
   end
+
+  # Raised when a Rate Limit is exceeded by too many requests within a period of
+  # time.
+  class TooManyRequests < ActionControllerError
+  end
 end

data/lib/action_controller/metal/flash.rb

@@ -38,15 +38,12 @@ module ActionController # :nodoc:
           define_method(type) do
             request.flash[type]
           end
+          private type
           helper_method(type) if respond_to?(:helper_method)
 
           self._flash_types += [type]
         end
       end
-
-      def action_methods # :nodoc:
-        @action_methods ||= super - _flash_types.map(&:to_s).to_set
-      end
     end
 
     private

data/lib/action_controller/metal/head.rb

@@ -25,6 +25,8 @@ module ActionController
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."
       end
 
+      raise ::AbstractController::DoubleRenderError if response_body
+
       status ||= :ok
 
       if options
@@ -41,7 +43,7 @@ module ActionController
 
       if include_content?(response_code)
         unless self.media_type
-          self.content_type = content_type || ((f = formats) && Mime[f.first]) || Mime[:html]
+          self.content_type = content_type || ((f = formats) && Mime[f.first]) || :html
         end
 
         response.charset = false

data/lib/action_controller/metal/instrumentation.rb

@@ -2,7 +2,6 @@
 
 # :markup: markdown
 
-require "benchmark"
 require "abstract_controller/logger"
 
 module ActionController
@@ -29,7 +28,7 @@ module ActionController
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
-        Benchmark.ms { render_output = super }
+        ActiveSupport::Benchmark.realtime(:float_millisecond) { render_output = super }
       end
       render_output
     end

data/lib/action_controller/metal/live.rb

@@ -53,12 +53,53 @@ module ActionController
   #       response.headers["Last-Modified"] = Time.now.httpdate # Add this line if your Rack version is 2.2.x
   #       ...
   #     end
+  #
+  # ## Streaming and Execution State
+  #
+  # When streaming, the action is executed in a separate thread. By default, this thread
+  # shares execution state from the parent thread.
+  #
+  # You can configure which execution state keys should be excluded from being shared
+  # using the `config.action_controller.live_streaming_excluded_keys` configuration:
+  #
+  #   # config/application.rb
+  #   config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]
+  #
+  # This is useful when using ActionController::Live inside a `connected_to` block. For example,
+  # if the parent request is reading from a replica using `connected_to(role: :reading)`, you may
+  # want the streaming thread to use its own connection context instead of inheriting the read-only
+  # context:
+  #
+  #   # Without configuration, streaming thread inherits read-only connection
+  #   ActiveRecord::Base.connected_to(role: :reading) do
+  #     @posts = Post.all
+  #     render stream: true # Streaming thread cannot write to database
+  #   end
+  #
+  #   # With configuration, streaming thread gets fresh connection context
+  #   # config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]
+  #   ActiveRecord::Base.connected_to(role: :reading) do
+  #     @posts = Post.all
+  #     render stream: true # Streaming thread can write to database if needed
+  #   end
+  #
+  # Common keys you might want to exclude:
+  # - `:active_record_connected_to_stack` - Database connection routing and roles
+  # - `:active_record_prohibit_shard_swapping` - Shard swapping restrictions
+  #
+  # By default, no keys are excluded to maintain backward compatibility.
   module Live
     extend ActiveSupport::Concern
 
+    mattr_accessor :live_streaming_excluded_keys, default: []
+
+    included do
+      class_attribute :live_streaming_excluded_keys, instance_accessor: false, default: Live.live_streaming_excluded_keys
+    end
+
     module ClassMethods
       def make_response!(request)
-        if request.get_header("HTTP_VERSION") == "HTTP/1.0"
+        if (request.get_header("SERVER_PROTOCOL") || request.get_header("HTTP_VERSION")) == "HTTP/1.0"
           super
         else
           Live::Response.new.tap do |res|
@@ -133,15 +174,16 @@ module ActionController
       private
         def perform_write(json, options)
           current_options = @options.merge(options).stringify_keys
-
+          event = +""
           PERMITTED_OPTIONS.each do |option_name|
             if (option_value = current_options[option_name])
-              @stream.write "#{option_name}: #{option_value}\n"
+              event << "#{option_name}: #{option_value}\n"
             end
           end
 
           message = json.gsub("\n", "\ndata: ")
-          @stream.write "data: #{message}\n\n"
+          event << "data: #{message}\n\n"
+          @stream.write event
         end
     end
 
@@ -171,12 +213,6 @@ module ActionController
         @ignore_disconnect = false
       end
 
-      # ActionDispatch::Response delegates #to_ary to the internal
-      # ActionDispatch::Response::Buffer, defining #to_ary is an indicator that the
-      # response body can be buffered and/or cached by Rack middlewares, this is not
-      # the case for Live responses so we undefine it for this Buffer subclass.
-      undef_method :to_ary
-
       def write(string)
         unless @response.committed?
           @response.headers["Cache-Control"] ||= "no-cache"
@@ -242,12 +278,7 @@ module ActionController
 
       private
         def each_chunk(&block)
-          loop do
-            str = nil
-            ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-              str = @buf.pop
-            end
-            break unless str
+          while str = @buf.pop
             yield str
           end
         end
@@ -281,16 +312,15 @@ module ActionController
       # This processes the action in a child thread. It lets us return the response
       # code and headers back up the Rack stack, and still process the body in
       # parallel with sending data to the client.
-      new_controller_thread {
+      new_controller_thread do
         ActiveSupport::Dependencies.interlock.running do
           t2 = Thread.current
 
           # Since we're processing the view in a different thread, copy the thread locals
           # from the main thread to the child thread. :'(
           locals.each { |k, v| t2[k] = v }
-          ActiveSupport::IsolatedExecutionState.share_with(t1)
 
-          begin
+          ActiveSupport::IsolatedExecutionState.share_with(t1, except: self.class.live_streaming_excluded_keys) do
             super(name)
           rescue => e
             if @_response.committed?
@@ -307,15 +337,15 @@ module ActionController
               error = e
             end
           ensure
+            clean_up_thread_locals(locals, t2)
+
             @_response.commit!
           end
         end
-      }
-
-      ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-        @_response.await_commit
       end
 
+      @_response.await_commit
+
       raise error if error
     end
 
@@ -328,7 +358,8 @@ module ActionController
     # or other running data where you don't want the entire file buffered in memory
     # first. Similar to send_data, but where the data is generated live.
     #
-    # Options:
+    # #### Options:
+    #
     # *   `:filename` - suggests a filename for the browser to use.
     # *   `:type` - specifies an HTTP content type. You can specify either a string
     #     or a symbol for a registered type with `Mime::Type.register`, for example
@@ -371,11 +402,20 @@ module ActionController
       # data from the response bodies. Nobody should call this method except in Rails
       # internals. Seriously!
       def new_controller_thread # :nodoc:
-        Thread.new {
+        ActionController::Live.live_thread_pool_executor.post do
           t2 = Thread.current
           t2.abort_on_exception = true
           yield
-        }
+        end
+      end
+
+      # Ensure we clean up any thread locals we copied so that the thread can reused.
+      def clean_up_thread_locals(locals, thread) # :nodoc:
+        locals.each { |k, _| thread[k] = nil }
+      end
+
+      def self.live_thread_pool_executor
+        @live_thread_pool_executor ||= Concurrent::CachedThreadPool.new(name: "action_controller.live")
       end
 
       def log_error(exception)

data/lib/action_controller/metal/params_wrapper.rb

@@ -198,14 +198,14 @@ module ActionController
       #       # enables the parameter wrapper for XML format
       #
       #     wrap_parameters :person
-      #       # wraps parameters into +params[:person]+ hash
+      #       # wraps parameters into params[:person] hash
       #
       #     wrap_parameters Person
       #       # wraps parameters by determining the wrapper key from Person class
-      #       # (+person+, in this case) and the list of attribute names
+      #       # (:person, in this case) and the list of attribute names
       #
       #     wrap_parameters include: [:username, :title]
-      #       # wraps only +:username+ and +:title+ attributes from parameters.
+      #       # wraps only :username and :title attributes from parameters.
       #
       #     wrap_parameters false
       #       # disables parameters wrapping for this controller altogether.