actionpack 5.0.0.1 → 5.0.1.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9bb0ad18a371762c930292314cbc735989ac58fe
-  data.tar.gz: b4e4ebf26e291aa7c6bf415d7efd5929d932991a
+  metadata.gz: ec4e939e3051bb6e62c29b8e14be2cf7fd3c1067
+  data.tar.gz: 52f14ea10ddf0ee7e4536f52ee615e08377ac783
 SHA512:
-  metadata.gz: 167ba1621b9f649d8d2631648fc105efc8b7f46754b1847db1f6e5f0a01a4cdcfa40514d963853c3ed9ae436a79f0377645c185f03e9bf6ef0c3393cb75853b7
-  data.tar.gz: 2822106415e6b68e4166905a8fcf99adbd6f07aa18463aa0e0b662c7066f21effb3d1de49fabbfd5a29a5fb0ab9dfa5b08aef4cbf9ec84925915a0fc2ccb64c6
+  metadata.gz: 558700b79b1d18c569d846bb1e44a3384c3e1c7f5dd6e4322f4d8a428b1d91e02cb5cc44b4e68facf0e6531f66dd05fcee2be7844c2f2320c5ac6b9763542a26
+  data.tar.gz: 7a8eee67d4a321617be9c909be937b7f0f0603404c731946d07b33a343bafc1e00656caef764c73b3ad6314625f44373a4db90d2255f6067906cd0def1476bd3

data/CHANGELOG.md

@@ -1,3 +1,198 @@
+## Rails 5.0.1.rc1 (December 01, 2016) ##
+
+*   Fixed error caused by `force_ssl_redirect` when `session_store` is
+    enabled.
+
+    Fixes #19679
+
+    *Taishi Kasuga*
+
+*   Use accept header in integration tests with `as: :json`
+
+    Instead of appending the `format` to the request path. Rails will figure
+    out the format from the header instead.
+
+    This allows devs to use `:as` on routes that don't have a format.
+
+    Fixes #27144.
+
+    *Kasper Timm Hansen*
+
+*   Fixed integration test requests appending and changing request paths.
+
+        #Before
+        post "/anything", params: params, headers: headers, as: :json
+
+    "/anything" would be converted to "/anything.json" based on format.
+    The path is now maintained and the format is respected based on `:as`
+    option.
+
+    Fixes #27144.
+
+*   Fixes incorrect output from rails routes when using singular resources.
+
+    Fixes #26606.
+
+    *Erick Reyna*
+
+*   Fixes multiple calls to `logger.fatal` instead of a single call,
+    for every line in an exception backtrace, when printing trace
+    from `DebugExceptions` middleware.
+
+    Fixes #26134.
+
+    *Vipul A M*
+
+*   Add `ActionController::Parameters#merge!`, which behaves the same as `Hash#merge!`.
+
+    *Yuji Yaginuma*
+
+*   Added `ActionController::Parameters#deep_dup` which actually creates
+    a params copy, instead of refereing to old references in params.
+
+    Fixes #26566.
+
+    *Pavel Evstigneev*, *Rafael Mendonça França*
+
+*   Make `fixture_file_upload` work in integration tests.
+
+    *Yuji Yaginuma*
+
+*   Add `to_param` to `ActionController::Parameters` deprecations.
+
+    In the future `ActionController::Parameters` are discouraged from being used
+    in URLs without explicit whitelisting. Go through `to_h` to use `to_param`.
+
+    *Kir Shatrov*
+
+*   Fix nested multiple roots
+
+    The PR #20940 enabled the use of multiple roots with different constraints
+    at the top level but unfortunately didn't work when those roots were inside
+    a namespace and also broke the use of root inside a namespace after a top
+    level root was defined because the check for the existence of the named route
+    used the global :root name and not the namespaced name.
+
+    This is fixed by using the name_for_action method to expand the :root name to
+    the full namespaced name. We can pass nil for the second argument as we're not
+    dealing with resource definitions so don't need to handle the cases for edit
+    and new routes.
+
+    Fixes #26148.
+
+    *Ryo Hashimoto*, *Andrew White*
+
+*   SSL: Changes redirect behavior for all non-GET and non-HEAD requests
+    (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://`
+    with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2).
+
+    307 status code instructs the HTTP clients to preserve the original
+    request method while redirecting. It has been part of HTTP RFC since
+    1999 and is implemented/recognized by most (if not all) user agents.
+
+        # Before
+        POST http://example.com/articles (i.e. ArticlesContoller#create)
+        redirects to
+        GET https://example.com/articles (i.e. ArticlesContoller#index)
+
+        # After
+        POST http://example.com/articles (i.e. ArticlesContoller#create)
+        redirects to
+        POST https://example.com/articles (i.e. ArticlesContoller#create)
+
+    *Chirag Singhal*
+
+*   Add `:as` option to `ActionController:TestCase#process` and related methods.
+
+    Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified
+    in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`.
+
+    *Everest Stefan Munro-Zeisberger*
+
+*   Prevent autoload from deadlocking while ActionController::Live is streaming.
+
+    *Alex Chinn*
+
+*   Don't override the `Accept` header in integration tests when called with `xhr: true`.
+
+    Fixes #25859.
+
+    *David Chen*
+
+*   Fix 'defaults' option for root route.
+
+    A regression from some refactoring for the 5.0 release, this change
+    fixes the use of 'defaults' (default parameters) in the 'root' routing method.
+
+    *Chris Arcand*
+
+*   Check `request.path_parameters` encoding at the point they're set.
+
+    Check for any non-UTF8 characters in path parameters at the point they're
+    set in `env`. Previously they were checked for when used to get a controller
+    class, but this meant routes that went directly to a Rack app, or skipped
+    controller instantiation for some other reason, had to defend against
+    non-UTF8 characters themselves.
+
+    *Grey Baker*
+
+*   Don't raise ActionController::UnknownHttpMethod from ActionDispatch::Static
+
+    Pass `Rack::Request` objects to `ActionDispatch::FileHandler` to avoid it
+    raising `ActionController::UnknownHttpMethod`. If an unknown method is
+    passed, it should exception higher in the stack instead, once we've had a
+    chance to define exception handling behaviour.
+
+    *Grey Baker*
+
+*   Handle `Rack::QueryParser` errors in `ActionDispatch::ExceptionWrapper`
+
+    Updated `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0 namespace
+    for `ParameterTypeError` and `InvalidParameterError` errors.
+
+    *Grey Baker*
+
+*   Deprecated omitting the route path.
+    Specify the path with a String or a Symbol instead.
+
+        # Before
+        get action: :show, as: :show
+        # After
+        get "", action: :show, as: :show
+
+    *Volmer*
+
+*   Added new `ActionDispatch::DebugLocks` middleware that can be used
+    to diagnose deadlocks in the autoload interlock.
+    To use it, insert it near the top of the middleware stack, using
+    `config/application.rb`:
+
+        config.middleware.insert_before Rack::Sendfile, ActionDispatch::DebugLocks
+
+    After adding, visiting `/rails/locks` will show a summary of all
+    threads currently known to the interlock.
+
+    *Matthew Draper*
+
+*   Fix request encoding in Integration tests when string literals are
+    frozen using `--enable-frozen-string-literal` or `# frozen_string_literal: true`.
+
+    *Volmer*
+
+*   Since long keys are truncated when passed to ciphers, Ruby 2.4
+    doesn't accept keys greater than their max length.
+    Fixed default key length on cipher for `ActiveSupport::MessageEncryptor`,
+    which was causing errors on Ruby 2.4.
+
+    *Vipul A M*
+
+*   Fixed adding implicitly rendered template digests to ETags.
+    Properly ignore implicit template cache option to ETag, if `template: false`
+    is passed when rendering.
+
+    *Javan Makhmali*
+
+
 ## Rails 5.0.0 (June 30, 2016) ##
 
 *   Add `ActionController#helpers` to get access to the view context at the controller

data/README.rdoc

@@ -32,7 +32,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub
 
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/5-0-stable/actionpack
 
 
 == License

data/lib/abstract_controller/callbacks.rb

@@ -70,7 +70,9 @@ module AbstractController
 
       def skip_filter(*names)
         ActiveSupport::Deprecation.warn("`skip_filter` is deprecated and will be removed in Rails 5.1. Use skip_before_action, skip_after_action or skip_around_action instead.")
-        skip_action_callback(*names)
+        skip_before_action(*names, raise: false)
+        skip_after_action(*names, raise: false)
+        skip_around_action(*names, raise: false)
       end
 
       # Take callback names and an optional callback proc, normalize them,

data/lib/action_controller/metal/data_streaming.rb

@@ -70,6 +70,7 @@ module ActionController #:nodoc:
         send_file_headers! options
 
         self.status = options[:status] || 200
+        self.content_type = options[:type] if options.key?(:type)
         self.content_type = options[:content_type] if options.key?(:content_type)
         response.send_file path
       end

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -39,8 +39,14 @@ module ActionController
       end
     end
 
+    # Pick the template digest to include in the ETag. If the +:template+ option
+    # is present, use the named template. If +:template+ is nil or absent, use
+    # the default controller/action template. If +:template+ is false, omit the
+    # template digest from the ETag.
     def pick_template_for_etag(options)
-      options.fetch(:template) { "#{controller_name}/#{action_name}" }
+      unless options[:template] == false
+        options[:template] || "#{controller_path}/#{action_name}"
+      end
     end
 
     def lookup_and_digest_template(template)

data/lib/action_controller/metal/force_ssl.rb

@@ -89,7 +89,7 @@ module ActionController
         end
 
         secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS))
-        flash.keep if respond_to?(:flash)
+        flash.keep if respond_to?(:flash) && request.respond_to?(:flash)
         redirect_to secure_url, options.slice(*REDIRECT_OPTIONS)
       end
     end

data/lib/action_controller/metal/implicit_render.rb

@@ -49,7 +49,7 @@ module ActionController
           "NOTE! For XHR/Ajax or API requests, this action would normally " \
           "respond with 204 No Content: an empty white screen. Since you're " \
           "loading it in a web browser, we assume that you expected to " \
-          "actually render a template, not… nothing, so we're showing an " \
+          "actually render a template, not nothing, so we're showing an " \
           "error to be extra-clear. If you expect 204 No Content, carry on. " \
           "That's what you'll get from an XHR or API request. Give it a shot."
 

data/lib/action_controller/metal/live.rb

@@ -206,7 +206,12 @@ module ActionController
       private
 
         def each_chunk(&block)
-          while str = @buf.pop
+          loop do
+            str = nil
+            ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
+              str = @buf.pop
+            end
+            break unless str
             yield str
           end
         end

data/lib/action_controller/metal/renderers.rb

@@ -71,8 +71,6 @@ module ActionController
     #       format.csv { render csv: @csvable, filename: @csvable.name }
     #     end
     #   end
-    # To use renderers and their mime types in more concise ways, see
-    # <tt>ActionController::MimeResponds::ClassMethods.respond_to</tt>
     def self.add(key, &block)
       define_method(_render_with_renderer_method_name(key), &block)
       RENDERERS << key.to_sym

data/lib/action_controller/metal/rendering.rb

@@ -90,7 +90,7 @@ module ActionController
           render as `text/plain`, `render html: '<strong>HTML</strong>'` to
           render as `text/html`, or `render body: 'raw'` to match the deprecated
           behavior and render with the default Content-Type, which is
-          `text/plain`.
+          `text/html`.
         WARNING
       end
 

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -109,10 +109,10 @@ module ActionController #:nodoc:
       # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
       # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
-      #    protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
-      #    when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
+      #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
+      #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
       #
-      #    If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
+      #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
       # Valid unverified request handling methods are:

data/lib/action_controller/metal/strong_parameters.rb

@@ -2,11 +2,13 @@ require 'active_support/core_ext/hash/indifferent_access'
 require 'active_support/core_ext/hash/transform_values'
 require 'active_support/core_ext/array/wrap'
 require 'active_support/core_ext/string/filters'
+require 'active_support/core_ext/object/to_query'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
 require 'rack/test'
 require 'stringio'
 require 'set'
+require 'yaml'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -571,28 +573,21 @@ module ActionController
       convert_value_to_parameters(@parameters.values_at(*keys))
     end
 
-    # Returns an exact copy of the <tt>ActionController::Parameters</tt>
-    # instance. +permitted+ state is kept on the duped object.
-    #
-    #   params = ActionController::Parameters.new(a: 1)
-    #   params.permit!
-    #   params.permitted?        # => true
-    #   copy_params = params.dup # => {"a"=>1}
-    #   copy_params.permitted?   # => true
-    def dup
-      super.tap do |duplicate|
-        duplicate.permitted = @permitted
-      end
-    end
-
     # Returns a new <tt>ActionController::Parameters</tt> with all keys from
     # +other_hash+ merges into current hash.
     def merge(other_hash)
       new_instance_with_inherited_permitted_status(
-        @parameters.merge(other_hash)
+        @parameters.merge(other_hash.to_h)
       )
     end
 
+    # Returns current <tt>ActionController::Parameters</tt> instance which
+    # +other_hash+ merges into current hash.
+    def merge!(other_hash)
+      @parameters.merge!(other_hash.to_h)
+      self
+    end
+
     # This is required by ActiveModel attribute assignment, so that user can
     # pass +Parameters+ to a mass assignment methods in a model. It should not
     # matter as we are using +HashWithIndifferentAccess+ internally.
@@ -604,6 +599,37 @@ module ActionController
       "<#{self.class} #{@parameters} permitted: #{@permitted}>"
     end
 
+    def self.hook_into_yaml_loading # :nodoc:
+      # Wire up YAML format compatibility with Rails 4.2 and Psych 2.0.8 and 2.0.9+.
+      # Makes the YAML parser call `init_with` when it encounters the keys below
+      # instead of trying its own parsing routines.
+      YAML.load_tags['!ruby/hash-with-ivars:ActionController::Parameters'] = name
+      YAML.load_tags['!ruby/hash:ActionController::Parameters'] = name
+    end
+    hook_into_yaml_loading
+
+    def init_with(coder) # :nodoc:
+      case coder.tag
+      when '!ruby/hash:ActionController::Parameters'
+        # YAML 2.0.8's format where hash instance variables weren't stored.
+        @parameters = coder.map.with_indifferent_access
+        @permitted  = false
+      when '!ruby/hash-with-ivars:ActionController::Parameters'
+        # YAML 2.0.9's Hash subclass format where keys and values
+        # were stored under an elements hash and `permitted` within an ivars hash.
+        @parameters = coder.map['elements'].with_indifferent_access
+        @permitted  = coder.map['ivars'][:@permitted]
+      when '!ruby/object:ActionController::Parameters'
+        # YAML's Object format. Only needed because of the format
+        # backwardscompability above, otherwise equivalent to YAML's initialization.
+        @parameters, @permitted = coder.map['parameters'], coder.map['permitted']
+      end
+    end
+
+    # Undefine `to_param` such that it gets caught in the `method_missing`
+    # deprecation cycle below.
+    undef_method :to_param
+
     def method_missing(method_sym, *args, &block)
       if @parameters.respond_to?(method_sym)
         message = <<-DEPRECATE.squish
@@ -622,6 +648,13 @@ module ActionController
       end
     end
 
+    # Returns duplicate of object including all parameters
+    def deep_dup
+      self.class.new(@parameters.deep_dup).tap do |duplicate|
+        duplicate.permitted = @permitted
+      end
+    end
+
     protected
       attr_reader :parameters
 
@@ -782,6 +815,11 @@ module ActionController
           end
         end
       end
+
+      def initialize_copy(source)
+        super
+        @parameters = @parameters.dup
+      end
   end
 
   # == Strong \Parameters

data/lib/action_controller/test_case.rb

@@ -7,7 +7,6 @@ require 'action_controller/template_assertions'
 require 'rails-dom-testing'
 
 module ActionController
-  # :stopdoc:
   class Metal
     include Testing::Functional
   end
@@ -50,7 +49,7 @@ module ActionController
       super(env)
 
       self.session = session
-      self.session_options = TestSession::DEFAULT_OPTIONS
+      self.session_options = TestSession::DEFAULT_OPTIONS.dup
       @custom_param_parsers = {
         xml: lambda { |raw_post| Hash.from_xml(raw_post)['hash'] }
       }
@@ -110,8 +109,9 @@ module ActionController
           end
         end
 
-        set_header 'CONTENT_LENGTH', data.length.to_s
-        set_header 'rack.input', StringIO.new(data)
+        data_stream = StringIO.new(data)
+        set_header "CONTENT_LENGTH", data_stream.length.to_s
+        set_header "rack.input", data_stream
       end
 
       fetch_header("PATH_INFO") do |k|
@@ -208,10 +208,18 @@ module ActionController
   end
 
   # Superclass for ActionController functional tests. Functional tests allow you to
-  # test a single controller action per test method. This should not be confused with
-  # integration tests (see ActionDispatch::IntegrationTest), which are more like
-  # "stories" that can involve multiple controllers and multiple actions (i.e. multiple
-  # different HTTP requests).
+  # test a single controller action per test method.
+  #
+  # == Use integration style controller tests over functional style controller tests.
+  #
+  # Rails discourages the use of functional tests in favor of integration tests
+  # (use ActionDispatch::IntegrationTest).
+  #
+  # New Rails applications no longer generate functional style controller tests and they should
+  # only be used for backward compatibility. Integration style controller tests perform actual
+  # requests, whereas functional style controller tests merely simulate a request. Besides,
+  # integration tests are as fast as functional tests and provide lot of helpers such as +as+,
+  # +parsed_body+ for effective testing of controller actions including even API endpoints.
   #
   # == Basic example
   #
@@ -415,8 +423,8 @@ module ActionController
 
       def xml_http_request(*args)
         ActiveSupport::Deprecation.warn(<<-MSG.strip_heredoc)
-          xhr and xml_http_request methods are deprecated in favor of
-          `get :index, xhr: true` and `post :create, xhr: true`
+          `xhr` and `xml_http_request` are deprecated and will be removed in Rails 5.1.
+          Switch to e.g. `post :create, params: { comment: { body: 'Honey bunny' } }, xhr: true`.
         MSG
 
         @request.env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
@@ -440,6 +448,8 @@ module ActionController
       # - +session+: A hash of parameters to store in the session. This may be +nil+.
       # - +flash+: A hash of parameters to store in the flash. This may be +nil+.
       # - +format+: Request format. Defaults to +nil+. Can be string or symbol.
+      # - +as+: Content type. Defaults to +nil+. Must be a symbol that corresponds
+      #   to a mime type.
       #
       # Example calling +create+ action and sending two params:
       #
@@ -460,7 +470,7 @@ module ActionController
         check_required_ivars
 
         if kwarg_request?(args)
-          parameters, session, body, flash, http_method, format, xhr = args[0].values_at(:params, :session, :body, :flash, :method, :format, :xhr)
+          parameters, session, body, flash, http_method, format, xhr, as = args[0].values_at(:params, :session, :body, :flash, :method, :format, :xhr, :as)
         else
           http_method, parameters, session, flash = args
           format = nil
@@ -487,10 +497,6 @@ module ActionController
 
         parameters ||= {}
 
-        if format
-          parameters[:format] = format
-        end
-
         @html_document = nil
 
         self.cookies.update @request.cookies
@@ -505,6 +511,15 @@ module ActionController
 
         @request.set_header 'REQUEST_METHOD', http_method
 
+        if as
+          @request.content_type = Mime[as].to_s
+          format ||= as
+        end
+
+        if format
+          parameters[:format] = format
+        end
+
         parameters = parameters.symbolize_keys
 
         generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action.to_s))
@@ -611,6 +626,7 @@ module ActionController
         include ActionDispatch::Assertions
         class_attribute :_controller_class
         setup :setup_controller_request_and_response
+        ActiveSupport.run_load_hooks(:action_controller_test_case, self)
       end
 
       private
@@ -620,6 +636,7 @@ module ActionController
         env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
         env.delete 'action_dispatch.request.query_parameters'
         env.delete 'action_dispatch.request.request_parameters'
+        env['rack.input'] = StringIO.new
         env
       end
 
@@ -645,13 +662,15 @@ module ActionController
 
       def non_kwarg_request_warning
         ActiveSupport::Deprecation.warn(<<-MSG.strip_heredoc)
-          ActionController::TestCase HTTP request methods will accept only
-          keyword arguments in future Rails versions.
+          Using positional arguments in functional tests has been deprecated,
+          in favor of keyword arguments, and will be removed in Rails 5.1.
 
-          Examples:
+          Deprecated style:
+          get :show, { id: 1 }, nil, { notice: "This is a flash message" }
 
-          get :show, params: { id: 1 }, session: { user_id: 1 }
-          process :update, method: :post, params: { id: 1 }
+          New keyword style:
+          get :show, params: { id: 1 }, flash: { notice: "This is a flash message" },
+            session: nil # Can safely be omitted.
         MSG
       end
 
@@ -677,5 +696,4 @@ module ActionController
 
     include Behavior
   end
-  # :startdoc:
 end