eactionpack 2.1.2

data/lib/action_controller/cgi_ext/stdinput.rb

@@ -0,0 +1,24 @@
+require 'cgi'
+
+module ActionController
+  module CgiExt
+    # Publicize the CGI's internal input stream so we can lazy-read
+    # request.body. Make it writable so we don't have to play $stdin games.
+    module Stdinput
+      def self.included(base)
+        base.class_eval do
+          remove_method :stdinput
+          attr_accessor :stdinput
+        end
+
+        base.alias_method_chain :initialize, :stdinput
+      end
+
+      def initialize_with_stdinput(type = nil, stdinput = $stdin)
+        @stdinput = stdinput
+        @stdinput.set_encoding(Encoding::BINARY) if @stdinput.respond_to?(:set_encoding)
+        initialize_without_stdinput(type || 'query')
+      end
+    end
+  end
+end

data/lib/action_controller/cgi_process.rb

@@ -0,0 +1,223 @@
+require 'action_controller/cgi_ext'
+require 'action_controller/session/cookie_store'
+
+module ActionController #:nodoc:
+  class Base
+    # Process a request extracted from a CGI object and return a response. Pass false as <tt>session_options</tt> to disable
+    # sessions (large performance increase if sessions are not needed). The <tt>session_options</tt> are the same as for CGI::Session:
+    #
+    # * <tt>:database_manager</tt> - standard options are CGI::Session::FileStore, CGI::Session::MemoryStore, and CGI::Session::PStore
+    #   (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
+    #   lib/action_controller/session.
+    # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
+    # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or 
+    #   automatically generated for a new session.
+    # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently
+    #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
+    #   an ArgumentError is raised.
+    # * <tt>:session_expires</tt> - the time the current session expires, as a Time object.  If not set, the session will continue
+    #   indefinitely.
+    # * <tt>:session_domain</tt> - the hostname domain for which this session is valid. If not set, defaults to the hostname of the
+    #   server.
+    # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
+    # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script.
+    # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
+    #   the query string or POST parameters. This protects against session fixation attacks.
+    def self.process_cgi(cgi = CGI.new, session_options = {})
+      new.process_cgi(cgi, session_options)
+    end
+
+    def process_cgi(cgi, session_options = {}) #:nodoc:
+      process(CgiRequest.new(cgi, session_options), CgiResponse.new(cgi)).out
+    end
+  end
+
+  class CgiRequest < AbstractRequest #:nodoc:
+    attr_accessor :cgi, :session_options
+    class SessionFixationAttempt < StandardError #:nodoc:
+    end
+
+    DEFAULT_SESSION_OPTIONS = {
+      :database_manager => CGI::Session::CookieStore, # store data in cookie
+      :prefix           => "ruby_sess.",    # prefix session file names
+      :session_path     => "/",             # available to all paths in app
+      :session_key      => "_session_id",
+      :cookie_only      => true
+    } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
+
+    def initialize(cgi, session_options = {})
+      @cgi = cgi
+      @session_options = session_options
+      @env = @cgi.send!(:env_table)
+      super()
+    end
+
+    def query_string
+      qs = @cgi.query_string if @cgi.respond_to?(:query_string)
+      if !qs.blank?
+        qs
+      else
+        super
+      end
+    end
+
+    # The request body is an IO input stream. If the RAW_POST_DATA environment
+    # variable is already set, wrap it in a StringIO.
+    def body
+      if raw_post = env['RAW_POST_DATA']
+        raw_post.force_encoding(Encoding::BINARY) if raw_post.respond_to?(:force_encoding)
+        StringIO.new(raw_post)
+      else
+        @cgi.stdinput
+      end
+    end
+
+    def query_parameters
+      @query_parameters ||= self.class.parse_query_parameters(query_string)
+    end
+
+    def request_parameters
+      @request_parameters ||= parse_formatted_request_parameters
+    end
+
+    def cookies
+      @cgi.cookies.freeze
+    end
+
+    def host_with_port_without_standard_port_handling
+      if forwarded = env["HTTP_X_FORWARDED_HOST"]
+        forwarded.split(/,\s?/).last
+      elsif http_host = env['HTTP_HOST']
+        http_host
+      elsif server_name = env['SERVER_NAME']
+        server_name
+      else
+        "#{env['SERVER_ADDR']}:#{env['SERVER_PORT']}"
+      end
+    end
+
+    def host
+      host_with_port_without_standard_port_handling.sub(/:\d+$/, '')
+    end
+
+    def port
+      if host_with_port_without_standard_port_handling =~ /:(\d+)$/
+        $1.to_i
+      else
+        standard_port
+      end
+    end
+
+    def session
+      unless defined?(@session)
+        if @session_options == false
+          @session = Hash.new
+        else
+          stale_session_check! do
+            if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
+              raise SessionFixationAttempt
+            end
+            case value = session_options_with_string_keys['new_session']
+              when true
+                @session = new_session
+              when false
+                begin
+                  @session = CGI::Session.new(@cgi, session_options_with_string_keys)
+                # CGI::Session raises ArgumentError if 'new_session' == false
+                # and no session cookie or query param is present.
+                rescue ArgumentError
+                  @session = Hash.new
+                end
+              when nil
+                @session = CGI::Session.new(@cgi, session_options_with_string_keys)
+              else
+                raise ArgumentError, "Invalid new_session option: #{value}"
+            end
+            @session['__valid_session']
+          end
+        end
+      end
+      @session
+    end
+
+    def reset_session
+      @session.delete if defined?(@session) && @session.is_a?(CGI::Session)
+      @session = new_session
+    end
+
+    def method_missing(method_id, *arguments)
+      @cgi.send!(method_id, *arguments) rescue super
+    end
+
+    private
+      # Delete an old session if it exists then create a new one.
+      def new_session
+        if @session_options == false
+          Hash.new
+        else
+          CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => false)).delete rescue nil
+          CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => true))
+        end
+      end
+
+      def cookie_only?
+        session_options_with_string_keys['cookie_only']
+      end
+
+      def stale_session_check!
+        yield
+      rescue ArgumentError => argument_error
+        if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
+          begin
+            # Note that the regexp does not allow $1 to end with a ':'
+            $1.constantize
+          rescue LoadError, NameError => const_error
+            raise ActionController::SessionRestoreError, <<-end_msg
+Session contains objects whose class definition isn\'t available.
+Remember to require the classes for all objects kept in the session.
+(Original exception: #{const_error.message} [#{const_error.class}])
+end_msg
+          end
+
+          retry
+        else
+          raise
+        end
+      end
+
+      def session_options_with_string_keys
+        @session_options_with_string_keys ||= DEFAULT_SESSION_OPTIONS.merge(@session_options).stringify_keys
+      end
+  end
+
+  class CgiResponse < AbstractResponse #:nodoc:
+    def initialize(cgi)
+      @cgi = cgi
+      super()
+    end
+
+    def out(output = $stdout)
+      output.binmode      if output.respond_to?(:binmode)
+      output.sync = false if output.respond_to?(:sync=)
+
+      begin
+        output.write(@cgi.header(@headers))
+
+        if @cgi.send!(:env_table)['REQUEST_METHOD'] == 'HEAD'
+          return
+        elsif @body.respond_to?(:call)
+          # Flush the output now in case the @body Proc uses
+          # #syswrite.
+          output.flush if output.respond_to?(:flush)
+          @body.call(self, output)
+        else
+          output.write(@body)
+        end
+
+        output.flush if output.respond_to?(:flush)
+      rescue Errno::EPIPE, Errno::ECONNRESET
+        # lost connection to parent process, ignore output
+      end
+    end
+  end
+end

data/lib/action_controller/components.rb

@@ -0,0 +1,166 @@
+module ActionController #:nodoc:
+  # Components allow you to call other actions for their rendered response while executing another action. You can either delegate
+  # the entire response rendering or you can mix a partial response in with your other content.
+  #
+  #   class WeblogController < ActionController::Base
+  #     # Performs a method and then lets hello_world output its render
+  #     def delegate_action
+  #       do_other_stuff_before_hello_world
+  #       render_component :controller => "greeter",  :action => "hello_world", :params => { :person => "david" }
+  #     end
+  #   end
+  #
+  #   class GreeterController < ActionController::Base
+  #     def hello_world
+  #       render :text => "#{params[:person]} says, Hello World!"
+  #     end
+  #   end
+  #
+  # The same can be done in a view to do a partial rendering:
+  #
+  #   Let's see a greeting:
+  #   <%= render_component :controller => "greeter", :action => "hello_world" %>
+  #
+  # It is also possible to specify the controller as a class constant, bypassing the inflector
+  # code to compute the controller class at runtime:
+  #
+  # <%= render_component :controller => GreeterController, :action => "hello_world" %>
+  #
+  # == When to use components
+  #
+  # Components should be used with care. They're significantly slower than simply splitting reusable parts into partials and
+  # conceptually more complicated. Don't use components as a way of separating concerns inside a single application. Instead,
+  # reserve components to those rare cases where you truly have reusable view and controller elements that can be employed
+  # across many applications at once.
+  #
+  # So to repeat: Components are a special-purpose approach that can often be replaced with better use of partials and filters.
+  module Components
+    def self.included(base) #:nodoc:
+      base.class_eval do
+        include InstanceMethods
+        extend ClassMethods
+        helper HelperMethods
+
+        # If this controller was instantiated to process a component request,
+        # +parent_controller+ points to the instantiator of this controller.
+        attr_accessor :parent_controller
+
+        alias_method_chain :process_cleanup, :components
+        alias_method_chain :set_session_options, :components
+        alias_method_chain :flash, :components
+
+        alias_method :component_request?, :parent_controller
+      end
+    end
+
+    module ClassMethods
+      # Track parent controller to identify component requests
+      def process_with_components(request, response, parent_controller = nil) #:nodoc:
+        controller = new
+        controller.parent_controller = parent_controller
+        controller.process(request, response)
+      end
+    end
+
+    module HelperMethods
+      def render_component(options)
+        @controller.send!(:render_component_as_string, options)
+      end
+    end
+
+    module InstanceMethods
+      # Extracts the action_name from the request parameters and performs that action.
+      def process_with_components(request, response, method = :perform_action, *arguments) #:nodoc:
+        flash.discard if component_request?
+        process_without_components(request, response, method, *arguments)
+      end
+
+      protected
+        # Renders the component specified as the response for the current method
+        def render_component(options) #:doc:
+          component_logging(options) do
+            render_for_text(component_response(options, true).body, response.headers["Status"])
+          end
+        end
+
+        # Returns the component response as a string
+        def render_component_as_string(options) #:doc:
+          component_logging(options) do
+            response = component_response(options, false)
+
+            if redirected = response.redirected_to
+              render_component_as_string(redirected)
+            else
+              response.body
+            end
+          end
+        end
+
+        def flash_with_components(refresh = false) #:nodoc:
+          if !defined?(@_flash) || refresh
+            @_flash =
+              if defined?(@parent_controller)
+                @parent_controller.flash
+              else
+                flash_without_components
+              end
+          end
+          @_flash
+        end
+
+      private
+        def component_response(options, reuse_response)
+          klass    = component_class(options)
+          request  = request_for_component(klass.controller_name, options)
+          new_response = reuse_response ? response : response.dup
+
+          klass.process_with_components(request, new_response, self)
+        end
+
+        # determine the controller class for the component request
+        def component_class(options)
+          if controller = options[:controller]
+            controller.is_a?(Class) ? controller : "#{controller.camelize}Controller".constantize
+          else
+            self.class
+          end
+        end
+
+        # Create a new request object based on the current request.
+        # The new request inherits the session from the current request,
+        # bypassing any session options set for the component controller's class
+        def request_for_component(controller_name, options)
+          new_request         = request.dup
+          new_request.session = request.session
+
+          new_request.instance_variable_set(
+            :@parameters,
+            (options[:params] || {}).with_indifferent_access.update(
+              "controller" => controller_name, "action" => options[:action], "id" => options[:id]
+            )
+          )
+
+          new_request
+        end
+
+        def component_logging(options)
+          if logger
+            logger.info "Start rendering component (#{options.inspect}): "
+            result = yield
+            logger.info "\n\nEnd of component rendering"
+            result
+          else
+            yield
+          end
+        end
+
+        def set_session_options_with_components(request)
+          set_session_options_without_components(request) unless component_request?
+        end
+
+        def process_cleanup_with_components
+          process_cleanup_without_components unless component_request?
+        end
+    end
+  end
+end

data/lib/action_controller/cookies.rb

@@ -0,0 +1,96 @@
+module ActionController #:nodoc:
+  # Cookies are read and written through ActionController#cookies.
+  #
+  # The cookies being read are the ones received along with the request, the cookies
+  # being written will be sent out with the response. Reading a cookie does not get
+  # the cookie object itself back, just the value it holds.
+  #
+  # Examples for writing:
+  #
+  #   # Sets a simple session cookie.
+  #   cookies[:user_name] = "david"
+  #
+  #   # Sets a cookie that expires in 1 hour.
+  #   cookies[:login] = { :value => "XJ-122", :expires => 1.hour.from_now }
+  #
+  # Examples for reading:
+  #
+  #   cookies[:user_name] # => "david"
+  #   cookies.size        # => 2
+  #
+  # Example for deleting:
+  #
+  #   cookies.delete :user_name
+  #
+  # The option symbols for setting cookies are:
+  #
+  # * <tt>:value</tt> - The cookie's value or list of values (as an array).
+  # * <tt>:path</tt> - The path for which this cookie applies.  Defaults to the root
+  #   of the application.
+  # * <tt>:domain</tt> - The domain for which this cookie applies.
+  # * <tt>:expires</tt> - The time at which this cookie expires, as a Time object.
+  # * <tt>:secure</tt> - Whether this cookie is a only transmitted to HTTPS servers.
+  #   Default is +false+.
+  # * <tt>:http_only</tt> - Whether this cookie is accessible via scripting or
+  #   only HTTP. Defaults to +false+.
+  module Cookies
+    def self.included(base)
+      base.helper_method :cookies
+    end
+
+    protected
+      # Returns the cookie container, which operates as described above.
+      def cookies
+        CookieJar.new(self)
+      end
+  end
+
+  class CookieJar < Hash #:nodoc:
+    def initialize(controller)
+      @controller, @cookies = controller, controller.request.cookies
+      super()
+      update(@cookies)
+    end
+
+    # Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
+    def [](name)
+      cookie = @cookies[name.to_s]
+      if cookie && cookie.respond_to?(:value)
+        cookie.size > 1 ? cookie.value : cookie.value[0]
+      end
+    end
+
+    # Sets the cookie named +name+. The second argument may be the very cookie
+    # value, or a hash of options as documented above.
+    def []=(name, options)
+      if options.is_a?(Hash)
+        options = options.inject({}) { |options, pair| options[pair.first.to_s] = pair.last; options }
+        options["name"] = name.to_s
+      else
+        options = { "name" => name.to_s, "value" => options }
+      end
+
+      set_cookie(options)
+    end
+
+    # Removes the cookie on the client machine by setting the value to an empty string
+    # and setting its expiration date into the past. Like <tt>[]=</tt>, you can pass in
+    # an options hash to delete cookies with extra data such as a <tt>:path</tt>.
+    def delete(name, options = {})
+      options.stringify_keys!
+      set_cookie(options.merge("name" => name.to_s, "value" => "", "expires" => Time.at(0)))
+    end
+
+    private
+      # Builds a CGI::Cookie object and adds the cookie to the response headers.
+      #
+      # The path of the cookie defaults to "/" if there's none in +options+, and
+      # everything is passed to the CGI::Cookie constructor.
+      def set_cookie(options) #:doc:
+        options["path"] = "/" unless options["path"]
+        cookie = CGI::Cookie.new(options)
+        @controller.logger.info "Cookie set: #{cookie}" unless @controller.logger.nil?
+        @controller.response.headers["cookie"] << cookie
+      end
+  end
+end