actionpack 3.0.20 → 3.1.0.beta1

data/CHANGELOG

@@ -1,208 +1,153 @@
-## Rails 3.0.20 (unreleased)
+*Rails 3.1.0 (unreleased)*
 
-* Fixed JSON params parsing regression for non-object JSON content.
+* Only show dump of regular env methods on exception screen (not all the rack crap) [DHH]
 
-## Rails 3.0.19 (Jan 8, 2013)
+* auto_link has been removed with no replacement.  If you still use auto_link
+  please install the rails_autolink gem:
+    http://github.com/tenderlove/rails_autolink
 
-* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+  [tenderlove]
 
-## Rails 3.0.18 (Jan 2, 2013)
+* Added streaming support, you can enable it with: [José Valim]
 
-* No changes.
-
-## Rails 3.0.17 (Aug 9, 2012)
-
-* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
-  helper doesn't correctly handle malformed html.  As a result an attacker can
-  execute arbitrary javascript through the use of specially crafted malformed
-  html.
-
-  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
-
-* When an "include_blank" value is supplied to the `select_tag` helper, the "include_blank" value is not escaped.  If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
-  Vulnerable code will look something like this:
-    select_tag("name", options, :include_blank => UNTRUSTED_INPUT)
-
-  *Santiago Pastorino*
-
-## Rails 3.0.16 (Jul 26, 2012)
-
-* Do not convert digest auth strings to symbols. CVE-2012-3424
-
-## Rails 3.0.14 (Jun 12, 2012)
-
-*   nil is removed from array parameter values
-
-    CVE-2012-2694
-
-* Rails 3.0.13 (May 31, 2012)
-
-* Strip null bytes from Location header
-
-* load the encoding converter to work around [ruby-core:41556] when switching
-  encodings
-
-* Avoid inspecting the whole route set, closes #1525
-
-* whitelist protocols for auto_link
-
-* Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
-  CVE-2012-2660
-
-*Rails 3.0.12 (unreleased)*
-
-* Fix using `tranlate` helper with a html translation which uses the `:count` option for
-  pluralization.
-
-  *Jon Leighton*
-
-*Rails 3.0.11 (unreleased)*
-
-* Fix XSS security vulnerability in the `translate` helper method. When using interpolation
-  in combination with HTML-safe translations, the interpolated input would not get HTML
-  escaped. *GH 3664*
-
-  Before:
-
-      translate('foo_html', :something => '<script>') # => "...<script>..."
-
-  After:
-
-      translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."
-
-  *Sergey Nartimov*
-
-* Implement a workaround for a bug in ruby-1.9.3p0 where an error would be
-  raised while attempting to convert a template from one encoding to another.
-
-  Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.
-
-  The workaround is to load all conversions into memory ahead of time, and will
-  only happen if the ruby version is exactly 1.9.3p0. The hope is obviously
-  that the underlying problem will be resolved in the next patchlevel release
-  of 1.9.3.
-
-* Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.
-
-* Fix url_for when passed a hash to prevent additional options (eg. :host, :protocol) from being added to the hash after calling it.
-
-
-*Rails 3.0.10 (August 16, 2011)*
+    class PostsController < ActionController::Base
+      stream :only => :index
+    end
+  
+  Please read the docs at `ActionController::Streaming` for more information.
 
-* Fixes an issue where cache sweepers with only after filters would have no
-controller object, it would raise undefined method controller_name for nil [jeroenj]
+* Added `ActionDispatch::Request.ignore_accept_header` to ignore accept headers and only consider the format given as parameter [José Valim]
 
-* Ensure status codes are logged when exceptions are raised.
+* Created `ActionView::Renderer` and specified an API for `ActionView::Context`, check those objects for more information [José Valim]
 
-* Subclasses of OutputBuffer are respected.
+* Added `ActionController::ParamsWrapper` to wrap parameters into a nested hash, and will be turned on for JSON request in new applications by default [Prem Sichanugrist]
 
-* Fixed ActionView::FormOptionsHelper#select with :multiple => false
+  This can be customized by setting `ActionController::Base.wrap_parameters` in `config/initializer/wrap_parameters.rb`
 
-* Avoid extra call to Cache#read in case of a fragment cache hit
+* RJS has been extracted out to a gem. [fxn]
 
-*Rails 3.0.9 (June 16, 2011)*
+* Implicit actions named not_implemented can be rendered. [Santiago Pastorino]
 
-* json_escape will now return a SafeBuffer string if it receives SafeBuffer string [tenderlove]
+* Wildcard route will always match the optional format segment by default. [Prem Sichanugrist]
 
-* Make sure escape_js returns SafeBuffer string if it receives SafeBuffer string [Prem Sichanugrist]
+  For example if you have this route:
 
-* Fix text helpers to work correctly with the new SafeBuffer restriction [Paul Gallagher, Arun Agrawal, Prem Sichanugrist]
+    map '*pages' => 'pages#show'
 
+  by requesting '/foo/bar.json', your `params[:pages]` will be equals to "foo/bar" with the request format of JSON. If you want the old 3.0.x behavior back, you could supply `:format => false` like this:
 
-*Rails 3.0.8 (June 7, 2011)*
+    map '*pages' => 'pages#show', :format => false
 
-* It is prohibited to perform a in-place SafeBuffer mutation [tenderlove]
+* Added Base.http_basic_authenticate_with to do simple http basic authentication with a single class method call [DHH]
 
-  The old behavior of SafeBuffer allowed you to mutate string in place via
-  method like `sub!`. These methods can add unsafe strings to a safe buffer,
-  and the safe buffer will continue to be marked as safe.
+    class PostsController < ApplicationController
+      USER_NAME, PASSWORD = "dhh", "secret"
 
-  An example problem would be something like this:
+      before_filter :authenticate, :except => [ :index ]
 
-    <%= link_to('hello world', @user).sub!(/hello/, params[:xss])  %>
+      def index
+        render :text => "Everyone can see me!"
+      end
 
-  In the above example, an untrusted string (`params[:xss]`) is added to the
-  safe buffer returned by `link_to`, and the untrusted content is successfully
-  sent to the client without being escaped.  To prevent this from happening
-  `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
+      def edit
+        render :text => "I'm only accessible if you know the password"
+      end
 
-  In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:
+      private
+        def authenticate
+          authenticate_or_request_with_http_basic do |user_name, password|
+            user_name == USER_NAME && password == PASSWORD
+          end
+        end
+    end
 
-     <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
+  ..can now be written as
 
-  The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
+    class PostsController < ApplicationController
+      http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
 
-  You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb
+      def index
+        render :text => "Everyone can see me!"
+      end
 
-* Fixed github issue #342 with asset paths and relative roots.
+      def edit
+        render :text => "I'm only accessible if you know the password"
+      end
+    end
 
+* Allow you to add `force_ssl` into controller to force browser to transfer data via HTTPS protocol on that particular controller. You can also specify `:only` or `:except` to specific it to particular action. [DHH and Prem Sichanugrist]
 
-*Rails 3.0.7 (April 18, 2011)*
+* Allow FormHelper#form_for to specify the :method as a direct option instead of through the :html hash [DHH]
 
-*No changes.
+    form_for(@post, remote: true, method: :delete) instead of form_for(@post, remote: true, html: { method: :delete })
 
+* Make JavaScriptHelper#j() an alias for JavaScriptHelper#escape_javascript() -- note this then supersedes the Object#j() method that the JSON gem adds within templates using the JavaScriptHelper [DHH]
 
-*Rails 3.0.6 (April 5, 2011)
+* Sensitive query string parameters (specified in config.filter_parameters) will now be filtered out from the request paths in the log file. [Prem Sichanugrist, fxn]
 
-* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks input as
-  html safe.  Please make sure that calls to auto_link() are wrapped in a
-  sanitize(), or a raw() depending on the type of input passed to auto_link().
-  For example:
+* URL parameters which return false for to_param now appear in the query string (previously they were removed) [Andrew White]
 
-    <%= sanitize(auto_link(some_user_input)) %>
+* URL parameters which return nil for to_param are now removed from the query string [Andrew White]
 
-  Thanks to Torben Schulz for reporting this.  The fix can be found here:
-  61ee3449674c591747db95f9b3472c5c3bd9e84d
+* ActionDispatch::MiddlewareStack now uses composition over inheritance. It is
+no longer an array which means there may be methods missing that were not
+tested.
 
-* Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
+* Add an :authenticity_token option to form_tag for custom handling or to omit the token (pass :authenticity_token => false).  [Jakub Kuźma, Igor Wiedler]
 
-* Fixes an issue with number_to_human when converting values which are less than 1 but greater than -1 [Josh Kalderimis]
+* HTML5 button_tag helper. [Rizwan Reza]
 
-* Sensitive query string parameters (specified in config.filter_parameters) will now be filtered out from the request paths in the log file. [Prem Sichanugrist, fxn]
+* Template lookup now searches further up in the inheritance chain. [Artemave]
 
-* URL parameters which return nil for to_param are now removed from the query string [Andrew White]
+* Brought back config.action_view.cache_template_loading, which allows to decide whether templates should be cached or not. [Piotr Sarnacki]
 
-* Don't allow i18n to change the minor version, version now set to ~> 0.5.0 [Santiago Pastorino]
+* url_for and named url helpers now accept :subdomain and :domain as options, [Josh Kalderimis]
 
-* Make TranslationHelper#translate use the :rescue_format option in I18n 0.5.0 [Sven Fuchs]
+* The redirect route method now also accepts a hash of options which will only change the parts of the url in question, or an object which responds to call, allowing for redirects to be reused (check the documentation for examples). [Josh Kalderimis]
 
-* Fix regression: javascript_include_tag shouldn't raise if you register an expansion key with nil or [] value [Santiago Pastorino]
+* Added config.action_controller.include_all_helpers. By default 'helper :all' is done in ActionController::Base, which includes all the helpers by default. Setting include_all_helpers to false will result in including only application_helper and helper corresponding to controller (like foo_helper for foo_controller). [Piotr Sarnacki]
 
-* Fix Action caching bug where an action that has a non-cacheable response always renders a nil response body. It now correctly renders the response body. [Cheah Chu Yeow]
+* Added a convenience idiom to generate HTML5 data-* attributes in tag helpers from a :data hash of options:
 
+    tag("div", :data => {:name => 'Stephen', :city_state => %w(Chicago IL)})
+    # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
 
-*Rails 3.0.5 (February 26, 2011)*
+  Keys are dasherized. Values are JSON-encoded, except for strings and symbols. [Stephen Celis]
 
-* No changes.
+* Added render :once. You can pass either a string or an array of strings and Rails will ensure they each of them are rendered just once. [José Valim]
 
+* Deprecate old template handler API. The new API simply requires a template handler to respond to call. [José Valim]
 
-*Rails 3.0.4 (February 8, 2011)*
+* :rhtml and :rxml were finally removed as template handlers. [José Valim]
 
-* No changes.
+* Moved etag responsibility from ActionDispatch::Response to the middleware stack. [José Valim]
 
+* Rely on Rack::Session stores API for more compatibility across the Ruby world. This is backwards incompatible since Rack::Session expects #get_session to accept 4 arguments and requires #destroy_session instead of simply #destroy. [José Valim]
 
-*Rails 3.0.3 (November 16, 2010)*
+* file_field automatically adds :multipart => true to the enclosing form. [Santiago Pastorino]
 
-* When ActiveRecord::Base objects are sent to predicate methods, the id of the object should be sent to ARel, not the ActiveRecord::Base object.
+* Renames csrf_meta_tag -> csrf_meta_tags, and aliases csrf_meta_tag for backwards compatibility. [fxn]
 
-* :constraints routing should only do sanity checks against regular expressions.  String arguments are OK.
+* Add Rack::Cache to the default stack. Create a Rails store that delegates to the Rails cache, so by default, whatever caching layer you are using will be used for HTTP caching. Note that Rack::Cache will be used if you use #expires_in, #fresh_when or #stale with :public => true. Otherwise, the caching rules will apply to the browser only. [Yehuda Katz, Carl Lerche]
 
 
-*Rails 3.0.2 (November 15, 2010)*
+*Rails 3.0.2 (unreleased)*
 
 * The helper number_to_currency accepts a new :negative_format option to be able to configure how to render negative amounts. [Don Wilson]
 
 
 *Rails 3.0.1 (October 15, 2010)*
 
-* No changes.
+* No Changes, just a version bump.
 
 
 *Rails 3.0.0 (August 29, 2010)*
 
-* Symbols and strings in routes should yield the same behavior. Note this may break existing apps that were using symbols with the new routes API [José Valim]
+* password_field renders with nil value by default making the use of passwords secure by default, if you want to render you should do for instance f.password_field(:password, :value => @user.password) [Santiago Pastorino]
+
+* Symbols and strings in routes should yield the same behavior. Note this may break existing apps that were using symbols with the new routes API. [José Valim]
 
-* Add clear_helpers as a way to clean up all helpers added to this controller, maintaing just the helper with the same name as the controller. [José Valim]
+* Add clear_helpers as a way to clean up all helpers added to this controller, maintaining just the helper with the same name as the controller. [José Valim]
 
 * Support routing constraints in functional tests. [Andrew White]
 
@@ -340,6 +285,7 @@ controller object, it would raise undefined method controller_name for nil [jero
 
 * Added ActionController::Base#notice/= and ActionController::Base#alert/= as a convenience accessors in both the controller and the view for flash[:notice]/= and flash[:alert]/= [DHH]
 
+
 * Introduce grouped_collection_select helper.  #1249 [Dan Codeape, Erik Ostrom]
 
 * Make sure javascript_include_tag/stylesheet_link_tag does not append ".js" or ".css" onto external urls. #1664 [Matthew Rudy Jacobs]
@@ -2204,7 +2150,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Update documentation for erb trim syntax. #5651 [matt@mattmargolis.net]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 
@@ -2801,7 +2747,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Provide support for decimal columns to form helpers. Closes #5672. [Dave Thomas]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2010 David Heinemeier Hansson
+Copyright (c) 2004-2011 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -19,9 +19,8 @@ It consists of several modules:
 
 * Action View, which handles view template lookup and rendering, and provides
   view helpers that assist when building HTML forms, Atom feeds and more.
-  Template formats that Action View handles are ERb (embedded Ruby, typically
-  used to inline short Ruby snippets inside HTML), XML Builder and RJS
-  (dynamically generated JavaScript from Ruby code).
+  Template formats that Action View handles are ERB (embedded Ruby, typically
+  used to inline short Ruby snippets inside HTML), and XML Builder.
 
 With the Ruby on Rails framework, users only directly interface with the
 Action Controller module. Necessary Action Dispatch functionality is activated
@@ -57,7 +56,7 @@ A short rundown of some of the major features:
   {Learn more}[link:classes/ActionController/Base.html]
 
 
-* ERb templates (static content mixed with dynamic output from ruby)
+* ERB templates (static content mixed with dynamic output from ruby)
 
     <% for post in @posts %>
       Title: <%= post.title %>
@@ -262,7 +261,7 @@ methods:
     layout "weblog/layout"
 
     def index
-      @posts = Post.find(:all)
+      @posts = Post.all
     end
 
     def show
@@ -323,7 +322,7 @@ The latest version of Action Pack can be installed with Rubygems:
 
 Source code can be downloaded as part of the Rails project on GitHub
 
-* http://github.com/rails/rails/tree/master/actionpack/
+* https://github.com/rails/rails/tree/master/actionpack/
 
 
 == License

data/lib/abstract_controller.rb

@@ -24,4 +24,5 @@ module AbstractController
   autoload :Translation
   autoload :AssetPaths
   autoload :ViewPaths
+  autoload :UrlFor
 end

data/lib/abstract_controller/asset_paths.rb

@@ -3,7 +3,7 @@ module AbstractController
     extend ActiveSupport::Concern
 
     included do
-      config_accessor :asset_host, :asset_path, :assets_dir, :javascripts_dir, :stylesheets_dir
+      config_accessor :asset_host, :asset_path, :assets_dir, :javascripts_dir, :stylesheets_dir, :use_sprockets
     end
   end
-end
+end

data/lib/abstract_controller/base.rb

@@ -1,3 +1,4 @@
+require 'erubis'
 require 'active_support/configurable'
 require 'active_support/descendants_tracker'
 require 'active_support/core_ext/module/anonymous'
@@ -18,6 +19,7 @@ module AbstractController
     include ActiveSupport::Configurable
     extend ActiveSupport::DescendantsTracker
 
+    undef_method :not_implemented
     class << self
       attr_reader :abstract
       alias_method :abstract?, :abstract
@@ -61,13 +63,13 @@ module AbstractController
       def action_methods
         @action_methods ||= begin
           # All public instance methods of this class, including ancestors
-          methods = public_instance_methods(true).map { |m| m.to_s }.to_set -
+          methods = (public_instance_methods(true) -
             # Except for public instance methods of Base and its ancestors
-            internal_methods.map { |m| m.to_s } +
+            internal_methods +
             # Be sure to include shadowed public instance methods of this class
-            public_instance_methods(false).map { |m| m.to_s } -
+            public_instance_methods(false)).uniq.map { |x| x.to_s } -
             # And always exclude explicitly hidden actions
-            hidden_actions
+            hidden_actions.to_a
 
           # Clear out AS callback method pollution
           methods.reject { |method| method =~ /_one_time_conditions/ }
@@ -128,20 +130,23 @@ module AbstractController
       self.class.action_methods
     end
 
-    private
+    # Returns true if the name can be considered an action. This can
+    # be overridden in subclasses to modify the semantics of what
+    # can be considered an action.
+    #
+    # For instance, this is overriden by ActionController to add
+    # the implicit rendering feature.
+    #
+    # ==== Parameters
+    # * <tt>name</tt> - The name of an action to be tested
+    #
+    # ==== Returns
+    # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
+    def action_method?(name)
+      self.class.action_methods.include?(name)
+    end
 
-      # Returns true if the name can be considered an action. This can
-      # be overridden in subclasses to modify the semantics of what
-      # can be considered an action.
-      #
-      # ==== Parameters
-      # * <tt>name</tt> - The name of an action to be tested
-      #
-      # ==== Returns
-      # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
-      def action_method?(name)
-        self.class.action_methods.include?(name)
-      end
+    private
 
       # Call the action. Override this in a subclass to modify the
       # behavior around processing an action. This, and not #process,
@@ -160,8 +165,8 @@ module AbstractController
       # If the action name was not found, but a method called "action_missing"
       # was found, #method_for_action will return "_handle_action_missing".
       # This method calls #action_missing with the current action name.
-      def _handle_action_missing
-        action_missing(@_action_name)
+      def _handle_action_missing(*args)
+        action_missing(@_action_name, *args)
       end
 
       # Takes an action name and returns the name of the method that will