actionpack 4.1.0.beta2 → 4.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 15de71bf10888141943471370dab6751651568e3
-  data.tar.gz: dd9e956e2cd764224f61b55d8448c8f57a8ea1ca
+  metadata.gz: 48441494a6b94b3b37656c33c887284d571c4950
+  data.tar.gz: 159b15d6c50c7eda3830b4f28700c260d3e9f2aa
 SHA512:
-  metadata.gz: 3e7c908afc6b584c3169b9a41ddba0750fe469762469e3b0ee66dd51f8635842664a19f29297d8c1ebca3427e0a8e0d54473f400bd893531263edbd26c36fdea
-  data.tar.gz: 2b63b8efd84bc84fd7079641f269aa48838ff044d736cec0c9562e2c42b620f1cea77248653cfeb1afb4f36f108c56e139dbb768b20d282b297da3e577e92f86
+  metadata.gz: fe168a619210d069350c142ccdf35cbf08e0cc1ef6762be5c7616182f26ec334eb3cf4ce948cfb2dc3e3245957886514e2e04243860a609ce5254c8de68976b5
+  data.tar.gz: c51d0e2a179ea132ec8ad8814917cdaefa646b3d0d93f6c68ad7f0d06a18fdf82e80ccdf118b0f13d486f47c850c41f1d605adb13e175038f4bda73de961a1a9

data/CHANGELOG.md

@@ -1,3 +1,221 @@
+*   Introduce `render :html` as an option to render HTML content with a content
+    type of `text/html`. This rendering option calls `ERB::Util.html_escape`
+    internally to escape unsafe HTML string, so you will have to mark your
+    string as html safe if you have any HTML tag in it.
+
+    Please see #12374 for more detail.
+
+    *Prem Sichanugrist*
+
+*   Introduce `render :plain` as an option to render content with a content type
+    of `text/plain`. This is the preferred option if you are planning to render
+    a plain text content.
+
+    Please see #12374 for more detail.
+
+    *Prem Sichanugrist*
+
+*   Introduce `render :body` as an option for sending a raw content back to
+    browser. Note that this rendering option will unset the default content type
+    and does not include "Content-Type" header back in the response.
+
+    You should only use this option if you are expecting the "Content-Type"
+    header to not be set. More information on "Content-Type" header can be found
+    on RFC 2616, section 7.2.1.
+
+    Please see #12374 for more detail.
+
+    *Prem Sichanugrist*
+
+*   Set stream status to 500 (or 400 on BadRequest) when an error is thrown
+    before commiting.
+
+    Fixes #12552.
+
+    *Kevin Casey*
+
+*   Add new config option `config.action_dispatch.cookies_serializer` for
+    specifying a serializer for the signed and encrypted cookie jars.
+
+    The possible values are:
+
+    * `:json` - serialize cookie values with `JSON`
+    * `:marshal` - serialize cookie values with `Marshal`
+    * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`
+
+    For new apps `:json` option is added by default and `:marshal` is used
+    when no option is specified to maintain backwards compatibility.
+
+    *Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
+
+*   `FlashHash` now behaves like a `HashWithIndifferentAccess`.
+
+    *Guillermo Iguaran*
+
+*   Set the `:shallow_path` scope option as each scope is generated rather than
+    waiting until the `shallow` option is set. Also make the behavior of the
+    `:shallow` resource option consistent with the behavior of the `shallow` method.
+
+    Fixes #12498.
+
+    *Andrew White*, *Aleksi Aalto*
+
+*   Properly require `action_view` in `AbstractController::Rendering` to prevent
+    uninitialized constant error for `ENCODING_FLAG`.
+
+    *Philipe Fatio*
+
+*   Do not discard query parameters that form a hash with the same root key as
+    the `wrapper_key` for a request using `wrap_parameters`.
+
+    *Josh Jordan*
+
+*   Ensure that `request.filtered_parameters` is reset between calls to `process`
+    in `ActionController::TestCase`.
+
+    Fixes #13803.
+
+    *Andrew White*
+
+*   Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
+
+    Fixes #13810.
+
+    *Maurizio De Santis*
+
+*   Log which keys were affected by deep munge.
+
+    Deep munge solves CVE-2013-0155 security vulnerability, but its
+    behaviour is definately confusing, so now at least information
+    about for which keys values were set to nil is visible in logs.
+
+    *Łukasz Sarnacki*
+
+*   Automatically convert dashes to underscores for shorthand routes, e.g:
+
+        get '/our-work/latest'
+
+    When running `rake routes` you will get the following output:
+
+                 Prefix Verb URI Pattern                Controller#Action
+        our_work_latest GET  /our-work/latest(.:format) our_work#latest
+
+    *Mikko Johansson*
+
+*   Automatically convert dashes to underscores for url helpers, e.g:
+
+        get '/contact-us' => 'pages#contact'
+        get '/about-us'   => 'pages#about_us'
+
+    When running `rake routes` you will get the following output:
+
+            Prefix Verb URI Pattern           Controller#Action
+        contact_us GET  /contact-us(.:format) pages#contact
+          about_us GET  /about-us(.:format)   pages#about_us
+
+    *Amr Tamimi*
+
+*   Fix stream closing when sending file with `ActionController::Live` included.
+
+    Fixes #12381
+
+    *Alessandro Diaferia*
+
+*   Allow an absolute controller path inside a module scope. Fixes #12777.
+
+    Example:
+
+        namespace :foo do
+          # will route to BarController without the namespace.
+          get '/special', to: '/bar#index'
+        end
+
+
+*   Unique the segment keys array for non-optimized url helpers
+
+    In Rails 3.2 you only needed pass an argument for dynamic segment once so
+    unique the segment keys array to match the number of args. Since the number
+    of args is less than required parts the non-optimized code path is selected.
+    This means to benefit from optimized url generation the arg needs to be
+    specified as many times as it appears in the path.
+
+    Fixes #12808.
+
+    *Andrew White*
+
+*   Show full route constraints in error message.
+
+    When an optimized helper fails to generate, show the full route constraints
+    in the error message. Previously it would only show the contraints that were
+    required as part of the path.
+
+    Fixes #13592.
+
+    *Andrew White*
+
+*   Use a custom route visitor for optimized url generation. Fixes #13349.
+
+    *Andrew White*
+
+*   Allow engine root relative redirects using an empty string.
+
+    Example:
+
+        # application routes.rb
+        mount BlogEngine => '/blog'
+
+        # engine routes.rb
+        get '/welcome' => redirect('')
+
+    This now redirects to the path `/blog`, whereas before it would redirect
+    to the application root path. In the case of a path redirect or a custom
+    redirect if the path returned contains a host then the path is treated as
+    absolute. Similarly for option redirects, if the options hash returned
+    contains a `:host` or `:domain` key then the path is treated as absolute.
+
+    Fixes #7977.
+
+    *Andrew White*
+
+*   Fix `Encoding::CompatibilityError` when public path is UTF-8
+
+    In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling
+    from blowing up before an application has had chance to deal with possibly invalid
+    urls. However this has a negative side effect of making it an incompatible encoding
+    if the application's public path has UTF-8 characters in it.
+
+    To work around the problem we check to see if the path has a valid encoding once
+    it has been unescaped. If it is not valid then we can return early since it will
+    not match any file anyway.
+
+    Fixes #13518.
+
+    *Andrew White*
+
+*   `ActionController::Parameters#permit!` permits hashes in array values.
+
+    *Xavier Noria*
+
+*   Converts hashes in arrays of unfiltered params to unpermitted params.
+
+    Fixes #13382.
+
+    *Xavier Noria*
+
+*   New config option to opt out of params "deep munging" that was used to
+    address security vulnerability CVE-2013-0155. In your app config:
+
+        config.action_dispatch.perform_deep_munge = false
+
+    Take care to understand the security risk involved before disabling this.
+    [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
+
+    *Bernard Potocki*
+
+*   `rake routes` shows routes defined under assets prefix.
+
+    *Ryunosuke SATO*
+
 *   Extend cross-site request forgery (CSRF) protection to GET requests with
     JavaScript responses, protecting apps from cross-origin `<script>` tags.
 
@@ -60,16 +278,35 @@
           format.html.none  { render "trash" }
         end
 
+    Variants also support common `any`/`all` block that formats have.
+
+    It works for both inline:
+
+        respond_to do |format|
+          format.html.any   { render text: "any"   }
+          format.html.phone { render text: "phone" }
+        end
+
+    and block syntax:
+
+        respond_to do |format|
+          format.html do |variant|
+            variant.any(:tablet, :phablet){ render text: "any" }
+            variant.phone { render text: "phone" }
+          end
+        end
+
     *Łukasz Strzałkowski*
 
-*   Fix header `Content-Type: #<Mime::NullType:...>` in localized template.
+*   Fix render of localized templates without an explicit format using wrong
+    content header and not passing correct formats to template due to the
+    introduction of the `NullType` for mimes.
 
-    When localized template has no format in the template name,
-    the response now has the default and correct `content-type`.
+    Templates like `hello.it.erb` were subject to this issue.
 
     Fixes #13064.
 
-    *Angelo Capilleri*
+    *Angelo Capilleri*, *Carlos Antonio da Silva*
 
 *   Try to escape each part of a url correctly when using a redirect route.
 
@@ -311,10 +548,4 @@
 
     *Piotr Sarnacki*, *Łukasz Strzałkowski*
 
-*   Fix removing trailing slash for mounted apps.
-
-    Fixes #3215.
-
-    *Piotr Sarnacki*
-
 Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2013 David Heinemeier Hansson
+Copyright (c) 2004-2014 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/lib/abstract_controller/rendering.rb

@@ -1,5 +1,6 @@
 require 'active_support/concern'
 require 'active_support/core_ext/class/attribute'
+require 'action_view'
 require 'action_view/view_paths'
 require 'set'
 
@@ -22,7 +23,7 @@ module AbstractController
     def render(*args, &block)
       options = _normalize_render(*args, &block)
       self.response_body = render_to_body(options)
-      _process_format(rendered_format)
+      _process_format(rendered_format, options) if rendered_format
       self.response_body
     end
 
@@ -47,7 +48,7 @@ module AbstractController
     def render_to_body(options = {})
     end
 
-    # Return Content-Type of rendered content
+    # Returns Content-Type of rendered content
     # :api: public
     def rendered_format
       Mime::TEXT
@@ -97,7 +98,7 @@ module AbstractController
 
     # Process the rendered format.
     # :api: private
-    def _process_format(format)
+    def _process_format(format, options = {})
     end
 
     # Normalize args and options.

data/lib/action_controller/log_subscriber.rb

@@ -53,6 +53,15 @@ module ActionController
       debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}")
     end
 
+    def deep_munge(event)
+      message = "Value for params[:#{event.payload[:keys].join('][:')}] was set"\
+                "to nil, because it was one of [], [null] or [null, null, ...]."\
+                "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation"\
+                "for more information."\
+
+      debug(message)
+    end
+
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1

data/lib/action_controller/metal/head.rb

@@ -1,6 +1,6 @@
 module ActionController
   module Head
-    # Return a response that has no content (merely headers). The options
+    # Returns a response that has no content (merely headers). The options
     # argument is interpreted to be a hash of header names and values.
     # This allows you to easily return a response that consists only of
     # significant headers:

data/lib/action_controller/metal/live.rb

@@ -205,6 +205,8 @@ module ActionController
         begin
           super(name)
         rescue => e
+          @_response.status = 500 unless @_response.committed?
+          @_response.status = 400 if e.class == ActionController::BadRequest
           begin
             @_response.stream.write(ActionView::Base.streaming_completion_on_exception) if request.format == :html
             @_response.stream.call_on_error
@@ -234,7 +236,7 @@ module ActionController
 
     def response_body=(body)
       super
-      response.stream.close if response
+      response.close if response
     end
 
     def set_response!(request)

data/lib/action_controller/metal/mime_responds.rb

@@ -217,6 +217,36 @@ module ActionController #:nodoc:
     #     format.html.phone { redirect_to progress_path }
     #     format.html.none  { render "trash" }
     #   end
+    # 
+    # Variants also support common `any`/`all` block that formats have.
+    #
+    # It works for both inline:
+    #
+    #   respond_to do |format|
+    #     format.html.any   { render text: "any"   }
+    #     format.html.phone { render text: "phone" }
+    #   end
+    #
+    # and block syntax:
+    #
+    #   respond_to do |format|
+    #     format.html do |variant|
+    #       variant.any(:tablet, :phablet){ render text: "any" }
+    #       variant.phone { render text: "phone" }
+    #     end
+    #   end
+    #
+    # You can also set an array of variants:
+    #
+    #   request.variant = [:tablet, :phone]
+    #
+    # which will work similarly to formats and MIME types negotiation. If there will be no
+    # :tablet variant declared, :phone variant will be picked:
+    #
+    #   respond_to do |format|
+    #     format.html.none
+    #     format.html.phone # this gets rendered
+    #   end
     #
     # Be sure to check the documentation of +respond_with+ and
     # <tt>ActionController::MimeResponds.respond_to</tt> for more examples.
@@ -224,7 +254,7 @@ module ActionController #:nodoc:
       raise ArgumentError, "respond_to takes either types or a block, never both" if mimes.any? && block_given?
 
       if collector = retrieve_collector_from_mimes(mimes, &block)
-        response = collector.response(request.variant)
+        response = collector.response
         response ? response.call : render({})
       end
     end
@@ -366,7 +396,7 @@ module ActionController #:nodoc:
       if collector = retrieve_collector_from_mimes(&block)
         options = resources.size == 1 ? {} : resources.extract_options!
         options = options.clone
-        options[:default_response] = collector.response(request.variant)
+        options[:default_response] = collector.response
         (options.delete(:responder) || self.class.responder).call(self, resources, options)
       end
     end
@@ -399,7 +429,7 @@ module ActionController #:nodoc:
     # is available.
     def retrieve_collector_from_mimes(mimes=nil, &block) #:nodoc:
       mimes ||= collect_mimes_from_class_level
-      collector = Collector.new(mimes)
+      collector = Collector.new(mimes, request.variant)
       block.call(collector) if block_given?
       format = collector.negotiate_format(request)
 
@@ -437,8 +467,9 @@ module ActionController #:nodoc:
       include AbstractController::Collector
       attr_accessor :format
 
-      def initialize(mimes)
+      def initialize(mimes, variant = nil)
         @responses = {}
+        @variant = variant
 
         mimes.each { |mime| @responses["Mime::#{mime.upcase}".constantize] = nil }
       end
@@ -457,18 +488,20 @@ module ActionController #:nodoc:
         @responses[mime_type] ||= if block_given?
           block
         else
-          VariantCollector.new
+          VariantCollector.new(@variant)
         end
       end
 
-      def response(variant)
+      def response
         response = @responses.fetch(format, @responses[Mime::ALL])
-        if response.is_a?(VariantCollector)
-          response.variant(variant)
-        elsif response.nil? || response.arity == 0
+        if response.is_a?(VariantCollector) # `format.html.phone` - variant inline syntax
+          response.variant
+        elsif response.nil? || response.arity == 0 # `format.html` - just a format, call its block
           response
-        else
-          lambda { response.call VariantFilter.new(variant) }
+        else # `format.html{ |variant| variant.phone }` - variant block syntax
+          variant_collector = VariantCollector.new(@variant)
+          response.call(variant_collector) # call format block with variants collector
+          variant_collector.variant
         end
       end
 
@@ -476,30 +509,36 @@ module ActionController #:nodoc:
         @format = request.negotiate_mime(@responses.keys)
       end
 
-      #Used for inline syntax
       class VariantCollector #:nodoc:
-        def initialize
+        def initialize(variant = nil)
+          @variant = variant
           @variants = {}
         end
 
-        def method_missing(name, *args, &block)
-          @variants[name] = block if block_given?
-        end
-
-        def variant(name)
-          @variants[name.nil? ? :none : name]
+        def any(*args, &block)
+          if block_given?
+            if args.any? && args.none?{ |a| a == @variant }
+              args.each{ |v| @variants[v] = block }
+            else
+              @variants[:any] = block
+            end
+          end
         end
-      end
+        alias :all :any
 
-      #Used for nested block syntax
-      class VariantFilter #:nodoc:
-        def initialize(variant)
-          @variant = variant
+        def method_missing(name, *args, &block)
+          @variants[name] = block if block_given?
         end
 
-        def method_missing(name)
-          if block_given?
-            yield if name == @variant || (name == :none && @variant.nil?)
+        def variant
+          if @variant.nil?
+            @variants[:none] || @variants[:any]
+          elsif (@variants.keys & @variant).any?
+            @variant.each do |v|
+              return @variants[v] if @variants.key?(v)
+            end
+          else
+            @variants[:any]
           end
         end
       end