halorgium-actionpack 3.0.pre

data/lib/action_controller/metal/rack_convenience.rb

@@ -0,0 +1,27 @@
+module ActionController
+  module RackConvenience
+    extend ActiveSupport::Concern
+
+    included do
+      delegate :headers, :status=, :location=, :content_type=,
+               :status, :location, :content_type, :to => "@_response"
+      attr_internal :request
+    end
+
+    def dispatch(action, env)
+      @_request = ActionDispatch::Request.new(env)
+      @_response = ActionDispatch::Response.new
+      @_response.request = request
+      super
+    end
+
+    def params
+      @_params ||= @_request.parameters
+    end
+
+    def response_body=(body)
+      response.body = body if response
+      super
+    end
+  end
+end

data/lib/action_controller/metal/redirector.rb

@@ -0,0 +1,22 @@
+module ActionController
+  class RedirectBackError < AbstractController::Error #:nodoc:
+    DEFAULT_MESSAGE = 'No HTTP_REFERER was set in the request to this action, so redirect_to :back could not be called successfully. If this is a test, make sure to specify request.env["HTTP_REFERER"].'
+
+    def initialize(message = nil)
+      super(message || DEFAULT_MESSAGE)
+    end
+  end
+
+  module Redirector
+    extend ActiveSupport::Concern
+    include AbstractController::Logger
+
+    def redirect_to(url, status) #:doc:
+      raise AbstractController::DoubleRenderError if response_body
+      logger.info("Redirected to #{url}") if logger && logger.info?
+      self.status = status
+      self.location = url.gsub(/[\r\n]/, '')
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(url)}\">redirected</a>.</body></html>"
+    end
+  end
+end

data/lib/action_controller/metal/render_options.rb

@@ -0,0 +1,103 @@
+module ActionController
+  module RenderOptions
+    extend ActiveSupport::Concern
+
+    included do
+      extlib_inheritable_accessor :_renderers
+      self._renderers = []
+    end
+
+    module ClassMethods
+      def _write_render_options
+        renderers = _renderers.map do |r|
+          <<-RUBY_EVAL
+            if options.key?(:#{r})
+              _process_options(options)
+              return render_#{r}(options[:#{r}], options)
+            end
+          RUBY_EVAL
+        end
+
+        class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
+          def _handle_render_options(options)
+            #{renderers.join}
+          end
+        RUBY_EVAL
+      end
+
+      def _add_render_option(name)
+        _renderers << name
+        _write_render_options
+      end
+    end
+
+    def render_to_body(options)
+      _handle_render_options(options) || super
+    end
+  end
+
+  module RenderOption #:nodoc:
+    def self.extended(base)
+      base.extend ActiveSupport::Concern
+      base.send :include, ::ActionController::RenderOptions
+
+      def base.register_renderer(name)
+        included { _add_render_option(name) }
+      end
+    end
+  end
+
+  module RenderOptions
+    module Json
+      extend RenderOption
+      register_renderer :json
+
+      def render_json(json, options)
+        json = ActiveSupport::JSON.encode(json) unless json.respond_to?(:to_str)
+        json = "#{options[:callback]}(#{json})" unless options[:callback].blank?
+        self.content_type ||= Mime::JSON
+        self.response_body = json
+      end
+    end
+
+    module Js
+      extend RenderOption
+      register_renderer :js
+
+      def render_js(js, options)
+        self.content_type ||= Mime::JS
+        self.response_body  = js.respond_to?(:to_js) ? js.to_js : js
+      end
+    end
+
+    module Xml
+      extend RenderOption
+      register_renderer :xml
+
+      def render_xml(xml, options)
+        self.content_type ||= Mime::XML
+        self.response_body  = xml.respond_to?(:to_xml) ? xml.to_xml : xml
+      end
+    end
+
+    module RJS
+      extend RenderOption
+      register_renderer :update
+
+      def render_update(proc, options)
+        generator = ActionView::Helpers::PrototypeHelper::JavaScriptGenerator.new(view_context, &proc)
+        self.content_type = Mime::JS
+        self.response_body = generator.to_s
+      end
+    end
+
+    module All
+      extend ActiveSupport::Concern
+
+      include ActionController::RenderOptions::Json
+      include ActionController::RenderOptions::Js
+      include ActionController::RenderOptions::Xml
+      include ActionController::RenderOptions::RJS
+    end
+  end
+end

data/lib/action_controller/metal/rendering_controller.rb

@@ -0,0 +1,57 @@
+module ActionController
+  module RenderingController
+    extend ActiveSupport::Concern
+
+    included do
+      include AbstractController::RenderingController
+      include AbstractController::LocalizedCache
+    end
+
+    def process_action(*)
+      self.formats = request.formats.map {|x| x.to_sym}
+      super
+    end
+
+    def render(options)
+      super
+      self.content_type ||= options[:_template].mime_type.to_s
+      response_body
+    end
+
+    def render_to_body(options)
+      _process_options(options)
+
+      if options.key?(:partial)
+        options[:partial] = action_name if options[:partial] == true
+        options[:_details] = {:formats => formats}
+      end
+
+      super
+    end
+
+    private
+      def _prefix
+        controller_path
+      end
+
+      def _determine_template(options)
+        if (options.keys & [:partial, :file, :template, :text, :inline]).empty?
+          options[:_template_name] ||= options[:action]
+          options[:_prefix] = _prefix
+        end
+
+        super
+      end
+
+      def format_for_text
+        formats.first
+      end
+
+      def _process_options(options)
+        status, content_type, location = options.values_at(:status, :content_type, :location)
+        self.status = status if status
+        self.content_type = content_type if content_type
+        self.headers["Location"] = url_for(location) if location
+      end
+  end
+end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -0,0 +1,108 @@
+module ActionController #:nodoc:
+  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+  end
+
+  module RequestForgeryProtection
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers, Session
+
+    included do
+      # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
+      # sets it to <tt>:authenticity_token</tt> by default.
+      cattr_accessor :request_forgery_protection_token
+
+      # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+      class_inheritable_accessor :allow_forgery_protection
+      self.allow_forgery_protection = true
+
+      helper_method :form_authenticity_token
+      helper_method :protect_against_forgery?
+    end
+    
+    # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current 
+    # web application, not a forged link from another site, is done by embedding a token based on a random 
+    # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
+    # by Rails and then verifying the authenticity of that token in the controller.  Only HTML/JavaScript 
+    # requests are checked, so this will not protect your XML API (presumably you'll have a different 
+    # authentication scheme there anyway).  Also, GET requests are not protected as these should be 
+    # idempotent anyway.
+    #
+    # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
+    # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the 
+    # error message in production by editing public/422.html.  A call to this method in ApplicationController is
+    # generated by default in post-Rails 2.0 applications.
+    #
+    # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form 
+    # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to 
+    # include a hidden field named like that and set its value to what is returned by 
+    # <tt>form_authenticity_token</tt>.
+    #
+    # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails 
+    # 1.x, add this to config/environments/test.rb:
+    #
+    #   # Disable request forgery protection in test environment
+    #   config.action_controller.allow_forgery_protection = false
+    # 
+    # == Learn more about CSRF (Cross-Site Request Forgery) attacks
+    #
+    # Here are some resources:
+    # * http://isc.sans.org/diary.html?storyid=1750
+    # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+    # There are a few guidelines you should follow:
+    # 
+    # * Keep your GET requests safe and idempotent.  More reading material:
+    #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
+    #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+    #   * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look 
+    #     for "Expires: at end of session"
+    #
+    module ClassMethods
+      # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
+      #
+      # Example:
+      #
+      #   class FooController < ApplicationController
+      #     protect_from_forgery :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
+      #   end
+      #
+      # Valid Options:
+      #
+      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, options
+      end
+    end
+
+    protected
+      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+      def verify_authenticity_token
+        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+      end
+
+      # Returns true or false if a request is verified.  Checks:
+      #
+      # * is the format restricted?  By default, only HTML requests are checked.
+      # * is it a GET request?  Gets should be safe and idempotent
+      # * Does the form_authenticity_token match the given token value from the params?
+      def verified_request?
+        !protect_against_forgery? || request.forgery_whitelisted? || 
+          form_authenticity_token == params[request_forgery_protection_token]
+      end
+
+      # Sets the token value for the current session.
+      def form_authenticity_token
+        session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
+      end
+
+      def protect_against_forgery?
+        allow_forgery_protection
+      end
+  end
+end

data/lib/action_controller/metal/rescuable.rb

@@ -0,0 +1,13 @@
+module ActionController #:nodoc:
+  module Rescue
+    extend ActiveSupport::Concern
+    include ActiveSupport::Rescuable
+
+    private
+      def process_action(*args)
+        super
+      rescue Exception => exception
+        rescue_with_handler(exception) || raise(exception)
+      end
+  end
+end

data/lib/action_controller/metal/responder.rb

@@ -0,0 +1,200 @@
+module ActionController #:nodoc:
+  # Responder is responsible to expose a resource for different mime requests,
+  # usually depending on the HTTP verb. The responder is triggered when
+  # respond_with is called. The simplest case to study is a GET request:
+  #
+  #   class PeopleController < ApplicationController
+  #     respond_to :html, :xml, :json
+  #
+  #     def index
+  #       @people = Person.find(:all)
+  #       respond_with(@people)
+  #     end
+  #   end
+  #
+  # When a request comes, for example with format :xml, three steps happen:
+  #
+  #   1) respond_with searches for a template at people/index.xml;
+  #
+  #   2) if the template is not available, it will create a responder, passing
+  #      the controller and the resource and invoke :to_xml on it;
+  #
+  #   3) if the responder does not respond_to :to_xml, call to_format on it.
+  #
+  # === Builtin HTTP verb semantics
+  #
+  # Rails default responder holds semantics for each HTTP verb. Depending on the
+  # content type, verb and the resource status, it will behave differently.
+  #
+  # Using Rails default responder, a POST request for creating an object could
+  # be written as:
+  #
+  #   def create
+  #     @user = User.new(params[:user])
+  #     flash[:notice] = 'User was successfully created.' if @user.save
+  #     respond_with(@user)
+  #   end
+  #
+  # Which is exactly the same as:
+  #
+  #   def create
+  #     @user = User.new(params[:user])
+  #
+  #     respond_to do |format|
+  #       if @user.save
+  #         flash[:notice] = 'User was successfully created.'
+  #         format.html { redirect_to(@user) }
+  #         format.xml { render :xml => @user, :status => :created, :location => @user }
+  #       else
+  #         format.html { render :action => "new" }
+  #         format.xml { render :xml => @user.errors, :status => :unprocessable_entity }
+  #       end
+  #     end
+  #   end
+  #
+  # The same happens for PUT and DELETE requests.
+  #
+  # === Nested resources
+  #
+  # You can given nested resource as you do in form_for and polymorphic_url.
+  # Consider the project has many tasks example. The create action for
+  # TasksController would be like:
+  #
+  #   def create
+  #     @project = Project.find(params[:project_id])
+  #     @task = @project.comments.build(params[:task])
+  #     flash[:notice] = 'Task was successfully created.' if @task.save
+  #     respond_with(@project, @task)
+  #   end
+  #
+  # Giving an array of resources, you ensure that the responder will redirect to
+  # project_task_url instead of task_url.
+  #
+  # Namespaced and singleton resources requires a symbol to be given, as in
+  # polymorphic urls. If a project has one manager which has many tasks, it
+  # should be invoked as:
+  #
+  #   respond_with(@project, :manager, @task)
+  #
+  # Check polymorphic_url documentation for more examples.
+  #
+  class Responder
+    attr_reader :controller, :request, :format, :resource, :resources, :options
+
+    def initialize(controller, resources, options={})
+      @controller = controller
+      @request = controller.request
+      @format = controller.formats.first
+      @resource = resources.is_a?(Array) ? resources.last : resources
+      @resources = resources
+      @options = options
+      @default_response = options.delete(:default_response)
+    end
+
+    delegate :head, :render, :redirect_to,   :to => :controller
+    delegate :get?, :post?, :put?, :delete?, :to => :request
+
+    # Undefine :to_json since it's defined on Object
+    undef_method(:to_json) if method_defined?(:to_json)
+
+    # Initializes a new responder an invoke the proper format. If the format is
+    # not defined, call to_format.
+    #
+    def self.call(*args)
+      responder = new(*args)
+      method = :"to_#{responder.format}"
+      responder.respond_to?(method) ? responder.send(method) : responder.to_format
+    end
+
+    # HTML format does not render the resource, it always attempt to render a
+    # template.
+    #
+    def to_html
+      default_render
+    rescue ActionView::MissingTemplate
+      if get?
+        raise
+      elsif has_errors?
+        render :action => default_action
+      else
+        redirect_to resource_location
+      end
+    end
+
+    # All others formats follow the procedure below. First we try to render a
+    # template, if the template is not available, we verify if the resource
+    # responds to :to_format and display it.
+    #
+    def to_format
+      default_render
+    rescue ActionView::MissingTemplate
+      raise unless resourceful?
+
+      if get?
+        display resource
+      elsif has_errors?
+        display resource.errors, :status => :unprocessable_entity
+      elsif post?
+        display resource, :status => :created, :location => resource_location
+      else
+        head :ok
+      end
+    end
+
+  protected
+
+    # Checks whether the resource responds to the current format or not.
+    #
+    def resourceful?
+      resource.respond_to?(:"to_#{format}")
+    end
+
+    # Returns the resource location by retrieving it from the options or
+    # returning the resources array.
+    #
+    def resource_location
+      options[:location] || resources
+    end
+
+    # If a given response block was given, use it, otherwise call render on
+    # controller.
+    #
+    def default_render
+      @default_response.call
+    end
+
+    # display is just a shortcut to render a resource with the current format.
+    #
+    #   display @user, :status => :ok
+    #
+    # For xml request is equivalent to:
+    #
+    #   render :xml => @user, :status => :ok
+    #
+    # Options sent by the user are also used:
+    #
+    #   respond_with(@user, :status => :created)
+    #   display(@user, :status => :ok)
+    #
+    # Results in:
+    #
+    #   render :xml => @user, :status => :created
+    #
+    def display(resource, given_options={})
+      controller.render given_options.merge!(options).merge!(format => resource)
+    end
+
+    # Check if the resource has errors or not.
+    #
+    def has_errors?
+      resource.respond_to?(:errors) && !resource.errors.empty?
+    end
+
+    # By default, render the :edit action for html requests with failure, unless
+    # the verb is post.
+    #
+    def default_action
+      request.post? ? :new : :edit
+    end
+  end
+end