actionpack 3.1.0.beta1 → 3.1.0.rc1

data/CHANGELOG

@@ -1,5 +1,9 @@
 *Rails 3.1.0 (unreleased)*
 
+* Warn if we cannot verify CSRF token authenticity [José Valim]
+
+* Allow AM/PM format in datetime selectors [Aditya Sanghi]
+
 * Only show dump of regular env methods on exception screen (not all the rack crap) [DHH]
 
 * auto_link has been removed with no replacement.  If you still use auto_link
@@ -13,7 +17,7 @@
     class PostsController < ActionController::Base
       stream :only => :index
     end
-  
+
   Please read the docs at `ActionController::Streaming` for more information.
 
 * Added `ActionDispatch::Request.ignore_accept_header` to ignore accept headers and only consider the format given as parameter [José Valim]
@@ -114,8 +118,6 @@ tested.
 
   Keys are dasherized. Values are JSON-encoded, except for strings and symbols. [Stephen Celis]
 
-* Added render :once. You can pass either a string or an array of strings and Rails will ensure they each of them are rendered just once. [José Valim]
-
 * Deprecate old template handler API. The new API simply requires a template handler to respond to call. [José Valim]
 
 * :rhtml and :rxml were finally removed as template handlers. [José Valim]
@@ -131,7 +133,58 @@ tested.
 * Add Rack::Cache to the default stack. Create a Rails store that delegates to the Rails cache, so by default, whatever caching layer you are using will be used for HTTP caching. Note that Rack::Cache will be used if you use #expires_in, #fresh_when or #stale with :public => true. Otherwise, the caching rules will apply to the browser only. [Yehuda Katz, Carl Lerche]
 
 
-*Rails 3.0.2 (unreleased)*
+*Rails 3.0.7 (April 18, 2011)*
+
+*No changes.
+
+
+*Rails 3.0.6 (April 5, 2011)
+
+* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks input as
+  html safe.  Please make sure that calls to auto_link() are wrapped in a
+  sanitize(), or a raw() depending on the type of input passed to auto_link().
+  For example:
+
+    <%= sanitize(auto_link(some_user_input)) %>
+
+  Thanks to Torben Schulz for reporting this.  The fix can be found here:
+  61ee3449674c591747db95f9b3472c5c3bd9e84d
+
+* Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
+
+* Fixes an issue with number_to_human when converting values which are less than 1 but greater than -1 [Josh Kalderimis]
+
+* Sensitive query string parameters (specified in config.filter_parameters) will now be filtered out from the request paths in the log file. [Prem Sichanugrist, fxn]
+
+* URL parameters which return nil for to_param are now removed from the query string [Andrew White]
+
+* Don't allow i18n to change the minor version, version now set to ~> 0.5.0 [Santiago Pastorino]
+
+* Make TranslationHelper#translate use the :rescue_format option in I18n 0.5.0 [Sven Fuchs]
+
+* Fix regression: javascript_include_tag shouldn't raise if you register an expansion key with nil or [] value [Santiago Pastorino]
+
+* Fix Action caching bug where an action that has a non-cacheable response always renders a nil response body. It now correctly renders the response body. [Cheah Chu Yeow]
+
+
+*Rails 3.0.5 (February 26, 2011)*
+
+* No changes.
+
+
+*Rails 3.0.4 (February 8, 2011)*
+
+* No changes.
+
+
+*Rails 3.0.3 (November 16, 2010)*
+
+* When ActiveRecord::Base objects are sent to predicate methods, the id of the object should be sent to ARel, not the ActiveRecord::Base object.
+
+* :constraints routing should only do sanity checks against regular expressions.  String arguments are OK.
+
+
+*Rails 3.0.2 (November 15, 2010)*
 
 * The helper number_to_currency accepts a new :negative_format option to be able to configure how to render negative amounts. [Don Wilson]
 

data/README.rdoc

@@ -33,7 +33,7 @@ A short rundown of some of the major features:
 * Actions grouped in controller as methods instead of separate command objects
   and can therefore share helper methods
 
-    CustomersController < ActionController::Base
+    class CustomersController < ActionController::Base
       def show
         @customer = find_customer
       end
@@ -58,7 +58,7 @@ A short rundown of some of the major features:
 
 * ERB templates (static content mixed with dynamic output from ruby)
 
-    <% for post in @posts %>
+    <% @posts.each do |post| %>
       Title: <%= post.title %>
     <% end %>
 
@@ -81,7 +81,7 @@ A short rundown of some of the major features:
         xml.language "en-us"
         xml.ttl "40"
 
-        for item in @recent_items
+        @recent_items.each do |item|
           xml.item do
             xml.title(item_title(item))
             xml.description(item_description(item))
@@ -293,7 +293,7 @@ And the templates look like this:
     </body></html>
 
   weblog/index.html.erb:
-    <% for post in @posts %>
+    <% @posts.each do |post| %>
       <p><%= link_to(post.title, :action => "show", :id => post.id) %></p>
     <% end %>
 
@@ -338,4 +338,4 @@ API documentation is at
 
 Bug reports and feature requests can be filed with the rest for the Ruby on Rails project here:
 
-* https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets
+* https://github.com/rails/rails/issues

data/lib/abstract_controller/base.rb

@@ -130,27 +130,39 @@ module AbstractController
       self.class.action_methods
     end
 
-    # Returns true if the name can be considered an action. This can
-    # be overridden in subclasses to modify the semantics of what
-    # can be considered an action.
+    # Returns true if a method for the action is available and
+    # can be dispatched, false otherwise.
     #
-    # For instance, this is overriden by ActionController to add
-    # the implicit rendering feature.
-    #
-    # ==== Parameters
-    # * <tt>name</tt> - The name of an action to be tested
-    #
-    # ==== Returns
-    # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
-    def action_method?(name)
-      self.class.action_methods.include?(name)
+    # Notice that <tt>action_methods.include?("foo")</tt> may return
+    # false and <tt>available_action?("foo")</tt> returns true because
+    # available action consider actions that are also available
+    # through other means, for example, implicit render ones.
+    def available_action?(action_name)
+      method_for_action(action_name).present?
     end
 
     private
 
+      # Returns true if the name can be considered an action because
+      # it has a method defined in the controller.
+      #
+      # ==== Parameters
+      # * <tt>name</tt> - The name of an action to be tested
+      #
+      # ==== Returns
+      # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
+      #
+      # :api: private
+      def action_method?(name)
+        self.class.action_methods.include?(name)
+      end
+
       # Call the action. Override this in a subclass to modify the
       # behavior around processing an action. This, and not #process,
       # is the intended way to override action dispatching.
+      #
+      # Notice that the first argument is the method to be dispatched
+      # which is *not* necessarily the same as the action name.
       def process_action(method_name, *args)
         send_action(method_name, *args)
       end

data/lib/abstract_controller/callbacks.rb

@@ -13,8 +13,8 @@ module AbstractController
 
     # Override AbstractController::Base's process_action to run the
     # process_action callbacks around the normal behavior.
-    def process_action(method_name, *args)
-      run_callbacks(:process_action, method_name) do
+    def process_action(*args)
+      run_callbacks(:process_action, action_name) do
         super
       end
     end

data/lib/abstract_controller/layouts.rb

@@ -292,15 +292,15 @@ module AbstractController
       end
     end
 
-    attr_writer :action_has_layout
+    attr_internal_writer :action_has_layout
 
     def initialize(*)
-      @action_has_layout = true
+      @_action_has_layout = true
       super
     end
 
     def action_has_layout?
-      @action_has_layout
+      @_action_has_layout
     end
 
   private

data/lib/abstract_controller/rendering.rb

@@ -32,9 +32,13 @@ module AbstractController
 
   module Rendering
     extend ActiveSupport::Concern
-
     include AbstractController::ViewPaths
 
+    included do
+      config_accessor :protected_instance_variables, :instance_reader => false
+      self.protected_instance_variables = []
+    end
+
     # Overwrite process to setup I18n proxy.
     def process(*) #:nodoc:
       old_config, I18n.config = I18n.config, I18nProxy.new(I18n.config, lookup_context)
@@ -53,14 +57,20 @@ module AbstractController
       end
     end
 
-    attr_writer :view_context_class
+    attr_internal_writer :view_context_class
+
+    # Explicitly define protected_instance_variables so it can be
+    # inherited and overwritten by other modules if needed.
+    def protected_instance_variables
+      config.protected_instance_variables
+    end
 
     def view_context_class
-      @view_context_class || self.class.view_context_class
+      @_view_context_class || self.class.view_context_class
     end
 
     def initialize(*)
-      @view_context_class = nil
+      @_view_context_class = nil
       super
     end
 
@@ -79,7 +89,7 @@ module AbstractController
 
     # Returns an object that is able to render templates.
     def view_renderer
-      @view_renderer ||= ActionView::Renderer.new(lookup_context)
+      @_view_renderer ||= ActionView::Renderer.new(lookup_context)
     end
 
     # Normalize arguments, options and then delegates render_to_body and
@@ -112,13 +122,19 @@ module AbstractController
 
     private
 
+    DEFAULT_PROTECTED_INSTANCE_VARIABLES = %w(
+      @_action_name @_response_body @_formats @_prefixes @_config
+      @_view_context_class @_view_renderer @_lookup_context
+    )
+
     # This method should return a hash with assigns.
     # You can overwrite this configuration per controller.
     # :api: public
     def view_assigns
       hash = {}
       variables  = instance_variable_names
-      variables -= protected_instance_variables if respond_to?(:protected_instance_variables)
+      variables -= protected_instance_variables
+      variables -= DEFAULT_PROTECTED_INSTANCE_VARIABLES
       variables.each { |name| hash[name.to_s[1, name.length]] = instance_variable_get(name) }
       hash
     end

data/lib/abstract_controller/url_for.rb

@@ -1,3 +1,9 @@
+# Includes +url_for+ into the host class (e.g. an abstract controller or mailer). The class
+# has to provide a +RouteSet+ by implementing the <tt>_routes</tt> methods. Otherwise, an
+# exception will be raised.
+#
+# Note that this module is completely decoupled from HTTP - the only requirement is a valid 
+# <tt>_routes</tt> implementation.
 module AbstractController
   module UrlFor
     extend ActiveSupport::Concern

data/lib/abstract_controller/view_paths.rb

@@ -39,7 +39,7 @@ module AbstractController
     # templates, i.e. view paths and details. Check ActionView::LookupContext for more
     # information.
     def lookup_context
-      @lookup_context ||=
+      @_lookup_context ||=
         ActionView::LookupContext.new(self.class._view_paths, details_for_lookup, _prefixes)
     end
 

data/lib/action_controller/log_subscriber.rb

@@ -7,8 +7,10 @@ module ActionController
     def start_processing(event)
       payload = event.payload
       params  = payload[:params].except(*INTERNAL_PARAMS)
+      format  = payload[:format]
+      format  = format.to_s.upcase if format.is_a?(Symbol)
 
-      info "  Processing by #{payload[:controller]}##{payload[:action]} as #{payload[:formats].first.to_s.upcase}"
+      info "  Processing by #{payload[:controller]}##{payload[:action]} as #{format}"
       info "  Parameters: #{params.inspect}" unless params.empty?
     end
 

data/lib/action_controller/metal/compatibility.rb

@@ -18,13 +18,10 @@ module ActionController
         delegate :default_charset=, :to => "ActionDispatch::Response"
       end
 
-      # TODO: Update protected instance variables list
-      config_accessor :protected_instance_variables
-      self.protected_instance_variables = %w(@assigns @performed_redirect @performed_render
-                                             @variables_added @request_origin @url
-                                             @parent_controller @action_name
-                                             @before_filter_chain_aborted @_headers @_params
-                                             @_response)
+      self.protected_instance_variables = %w(
+        @_status @_headers @_params @_env @_response @_request
+        @_view_runtime @_stream @_url_options @_action_has_layout
+      )
 
       def rescue_action(env)
         raise env["action_dispatch.rescue.exception"]

data/lib/action_controller/metal/implicit_render.rb

@@ -1,21 +1,19 @@
 module ActionController
   module ImplicitRender
     def send_action(method, *args)
-      if respond_to?(method, true)
-        ret = super
-        default_render unless response_body
-        ret
-      else
-        default_render
-      end
+      ret = super
+      default_render unless response_body
+      ret
     end
 
     def default_render(*args)
       render(*args)
     end
 
-    def action_method?(action_name)
-      super || template_exists?(action_name.to_s, _prefixes)
+    def method_for_action(action_name)
+      super || if template_exists?(action_name.to_s, _prefixes)
+        "default_render"
+      end
     end
   end
 end

data/lib/action_controller/metal/instrumentation.rb

@@ -19,7 +19,7 @@ module ActionController
         :controller => self.class.name,
         :action     => self.action_name,
         :params     => request.filtered_parameters,
-        :formats    => request.formats.map(&:to_sym),
+        :format     => request.format.ref,
         :method     => request.method,
         :path       => (request.fullpath rescue "unknown")
       }

data/lib/action_controller/metal/params_wrapper.rb

@@ -2,6 +2,7 @@ require 'active_support/core_ext/class/attribute'
 require 'active_support/core_ext/hash/slice'
 require 'active_support/core_ext/hash/except'
 require 'active_support/core_ext/array/wrap'
+require 'active_support/core_ext/module/anonymous'
 require 'action_dispatch/http/mime_types'
 
 module ActionController
@@ -36,11 +37,11 @@ module ActionController
   #     {"name" => "Konata", "user" => {"name" => "Konata"}}
   #
   # You can also specify the key in which the parameters should be wrapped to,
-  # and also the list of attributes it should wrap by using either +:only+ or
-  # +:except+ options like this:
+  # and also the list of attributes it should wrap by using either +:include+ or
+  # +:exclude+ options like this:
   #
   #     class UsersController < ApplicationController
-  #       wrap_parameters :person, :only => [:username, :password]
+  #       wrap_parameters :person, :include => [:username, :password]
   #     end
   #
   # If you're going to pass the parameters to an +ActiveModel+ object (such as
@@ -52,7 +53,7 @@ module ActionController
   #       wrap_parameters Person
   #     end
   #
-  # You still could pass +:only+ and +:except+ to set the list of attributes
+  # You still could pass +:include+ and +:exclude+ to set the list of attributes
   # you want to wrap.
   #
   # By default, if you don't specify the key in which the parameters would be
@@ -72,7 +73,7 @@ module ActionController
 
     included do
       class_attribute :_wrapper_options
-      self._wrapper_options = {:format => []}
+      self._wrapper_options = { :format => [] }
     end
 
     module ClassMethods
@@ -90,7 +91,7 @@ module ActionController
       #     # wraps parameters by determine the wrapper key from Person class
       #     (+person+, in this case) and the list of attribute names
       #
-      #   wrap_parameters :only => [:username, :title]
+      #   wrap_parameters :include => [:username, :title]
       #     # wraps only +:username+ and +:title+ attributes from parameters.
       #
       #   wrap_parameters false
@@ -99,9 +100,9 @@ module ActionController
       # ==== Options
       # * <tt>:format</tt> - The list of formats in which the parameters wrapper
       #   will be enabled.
-      # * <tt>:only</tt> - The list of attribute names which parameters wrapper
+      # * <tt>:include</tt> - The list of attribute names which parameters wrapper
       #   will wrap into a nested hash.
-      # * <tt>:except</tt> - The list of attribute names which parameters wrapper
+      # * <tt>:exclude</tt> - The list of attribute names which parameters wrapper
       #   will exclude from a nested hash.
       def wrap_parameters(name_or_model_or_options, options = {})
         model = nil
@@ -125,7 +126,7 @@ module ActionController
       # module is inherited.
       def inherited(klass)
         if klass._wrapper_options[:format].present?
-          klass._set_wrapper_defaults(klass._wrapper_options)
+          klass._set_wrapper_defaults(klass._wrapper_options.slice(:format))
         end
         super
       end
@@ -136,15 +137,25 @@ module ActionController
       # this could be done by trying to find the defined model that has the
       # same singularize name as the controller. For example, +UsersController+
       # will try to find if the +User+ model exists.
-      def _default_wrap_model
+      #
+      # This method also does namespace lookup. Foo::Bar::UsersController will
+      # try to find Foo::Bar::User, Foo::User and finally User.
+      def _default_wrap_model #:nodoc:
+        return nil if self.anonymous?
+
         model_name = self.name.sub(/Controller$/, '').singularize
 
         begin
           model_klass = model_name.constantize
-        rescue NameError => e
-          unscoped_model_name = model_name.split("::", 2).last
-          break if unscoped_model_name == model_name
-          model_name = unscoped_model_name
+        rescue NameError, ArgumentError => e
+          if e.message =~ /is not missing constant|uninitialized constant #{model_name}/
+            namespaces = model_name.split("::")
+            namespaces.delete_at(-2)
+            break if namespaces.last == model_name
+            model_name = namespaces.join("::")
+          else
+            raise
+          end
         end until model_klass
 
         model_klass
@@ -153,22 +164,22 @@ module ActionController
       def _set_wrapper_defaults(options, model=nil)
         options = options.dup
 
-        unless options[:only] || options[:except]
+        unless options[:include] || options[:exclude]
           model ||= _default_wrap_model
-          if model.respond_to?(:column_names)
-            options[:only] = model.column_names
+          if model.respond_to?(:attribute_names) && model.attribute_names.present?
+            options[:include] = model.attribute_names
           end
         end
 
-        unless options[:name]
+        unless options[:name] || self.anonymous?
           model ||= _default_wrap_model
           options[:name] = model ? model.to_s.demodulize.underscore :
             controller_name.singularize
         end
 
-        options[:only]   = Array.wrap(options[:only]).collect(&:to_s)   if options[:only]
-        options[:except] = Array.wrap(options[:except]).collect(&:to_s) if options[:except]
-        options[:format] = Array.wrap(options[:format])
+        options[:include] = Array.wrap(options[:include]).collect(&:to_s) if options[:include]
+        options[:exclude] = Array.wrap(options[:exclude]).collect(&:to_s) if options[:exclude]
+        options[:format]  = Array.wrap(options[:format])
 
         self._wrapper_options = options
       end
@@ -205,11 +216,11 @@ module ActionController
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        value = if only = _wrapper_options[:only]
-          parameters.slice(*only)
+        value = if include_only = _wrapper_options[:include]
+          parameters.slice(*include_only)
         else
-          except = _wrapper_options[:except] || []
-          parameters.except(*(except + EXCLUDE_PARAMETERS))
+          exclude = _wrapper_options[:exclude] || []
+          parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
 
         { _wrapper_key => value }
@@ -218,7 +229,7 @@ module ActionController
       # Checks if we should perform parameters wrapping.
       def _wrapper_enabled?
         ref = request.content_mime_type.try(:ref)
-        _wrapper_formats.include?(ref) && !request.request_parameters[_wrapper_key]
+        _wrapper_formats.include?(ref) && _wrapper_key && !request.request_parameters[_wrapper_key]
       end
   end
 end