josevalim-inherited_resources 0.6.2 → 0.6.3

data/CHANGELOG

@@ -1,5 +1,18 @@
 # Version 0.6
 
+* Ensure that the default template is not rendered if the default_template_format
+  is not accepted. This is somehow related with the security breach report:
+
+  http://www.rorsecurity.info/journal/2009/4/24/hidden-actions-render-templates.html
+
+  IR forbids based on mime types. For example: respond_to :html, :except => :index
+  ensures that the index.html.erb view is not rendered, making your IR controllers
+  safer.
+
+* Fixed a bug that happens only when format.xml is given to blocks and then it
+  acts as default, instead of format.html.
+* Fixed a strange bug where when you have create.html.erb or update.html.erb,
+  it makes IE6 and IE7 return unprocessable entity (because they send Mime::ALL).
 * Stop rescueing any error when constantizing the resource class and allow
   route_prefix to be nil.
 * Cleaned up tests and responder structure. Whenever you pass a block to aliases

data/README

@@ -1,6 +1,6 @@
 Inherited Resources
 License: MIT
-Version: 0.6.2
+Version: 0.6.3
 
 You can also read this README in pretty html at the GitHub project Wiki page:
 
@@ -37,7 +37,7 @@ rspec-rails <= 1.1.12 known bug
 -------------------------------
 
 InheritedResources has a known bug with rspec-rails when using blocks inside
-actions. This will be fixed in the next rspec release, but until it comes out,
+actions. This is fixed in Rspec >= 1.2.0. But if you have to use 1.1.12, you
 InheritedResources ships with a patch. To apply it, just put the line below on
 your spec_helper.rb after loading rspec and rspec-rails:
 

data/lib/inherited_resources/base_helpers.rb

@@ -245,7 +245,7 @@ module InheritedResources #:nodoc:
           responder.respond_except_any
         end
 
-        respond_to(options.merge(:responder => responder), &block) unless performed?
+        respond_to(options.merge!(:responder => responder, :prioritize => :html), &block) unless performed?
       end
 
   end

data/lib/inherited_resources/respond_to.rb

@@ -118,14 +118,15 @@ module ActionController #:nodoc:
       def respond_with(object, options = {})
         attempt_to_respond = false
 
-        responder           = options.delete(:responder) || Responder.new(self)
-        skip_not_acceptable = options.delete(:skip_not_acceptable)
+        responder             = options.delete(:responder) || Responder.new(self)
+        skip_not_acceptable   = options.delete(:skip_not_acceptable)
+        skip_default_template = options.delete(:skip_default_template)
 
         mime_types = Array(options.delete(:to))
         mime_types.map!{ |mime| mime.to_sym }
 
         for priority in responder.mime_type_priority
-          if priority == Mime::ALL && template_exists?
+          if !skip_default_template && priority == Mime::ALL && respond_to_default_template?(responder)
             render options.merge(:action => action_name)
             return true
 
@@ -195,11 +196,16 @@ module ActionController #:nodoc:
       #     format.html { render :template => 'new' }
       #   end
       #
+      # It also accepts an option called prioritize. It allows you to put a
+      # format as first, and then when Mime::ALL is sent, it will be the one
+      # used as response.
+      #
       def respond_to(*types, &block)
         options = types.extract_options!
 
-        object              = options.delete(:with)
-        responder           = options.delete(:responder) || Responder.new(self)
+        object     = options.delete(:with)
+        responder  = options.delete(:responder) || Responder.new(self)
+        prioritize = options.delete(:prioritize)
 
         if object.nil?
           block ||= lambda { |responder| types.each { |type| responder.send(type) } }
@@ -215,11 +221,15 @@ module ActionController #:nodoc:
             return true if responder.respond_except_any
           end
 
-          options.merge!(:to => types, :responder => responder, :skip_not_acceptable => true)
+          # If the block includes the default template format, we don't render
+          # the default template (which uses the default_template_format).
+          options.merge!(:to => types, :responder => responder, :skip_not_acceptable => true,
+                         :skip_default_template => responder.order.include?(default_template_format))
 
           if respond_with(object, options)
             return true
           elsif block_given?
+            responder.prioritize(prioritize) if prioritize
             return true if responder.respond_any
           end
         end
@@ -229,6 +239,7 @@ module ActionController #:nodoc:
       end
 
     private
+
       # Define template_exists? for Rails 2.3
       unless ActionController::Base.private_instance_methods.include?('template_exists?') ||
              ActionController::Base.private_instance_methods.include?(:template_exists?)
@@ -240,20 +251,27 @@ module ActionController #:nodoc:
         end
       end
 
-    # If ApplicationController is already defined around here, we should call
-    # inherited_with_inheritable_attributes to insert formats_for_respond_to.
-    # This usually happens only on Rails 2.3.
-    #
-    if defined?(ApplicationController)
-      self.send(:inherited_with_inheritable_attributes, ApplicationController)
-    end
+      # We respond to the default template if it's a valid format AND the template
+      # exists.
+      #
+      def respond_to_default_template?(responder)
+        responder.action_respond_to_format?(default_template_format) && template_exists?
+      end
+
+      # If ApplicationController is already defined around here, we should call
+      # inherited_with_inheritable_attributes to insert formats_for_respond_to.
+      # This usually happens only on Rails 2.3.
+      #
+      if defined?(ApplicationController)
+        self.send(:inherited_with_inheritable_attributes, ApplicationController)
+      end
 
   end
 
   module MimeResponds #:nodoc:
     class Responder #:nodoc:
 
-      attr_reader :mime_type_priority
+      attr_reader :mime_type_priority, :order
 
       # Similar as respond but if we can't find a valid mime type, we do not
       # send :not_acceptable message as head and it does not respond to
@@ -304,6 +322,15 @@ module ActionController #:nodoc:
         end
       end
 
+      # Makes a given format the first in the @order array.
+      #
+      def prioritize(format)
+        if index = @order.index(format)
+          @order.unshift(@order.delete_at(index))
+        end
+        @order
+      end
+
     end
   end
 end

data/test/aliases_test.rb

@@ -20,6 +20,7 @@ class StudentsController < InheritedResources::Base
   def create
     create! do |success, failure|
       success.html { render :text => "I won't redirect!" }
+      failure.xml { render :text => "I shouldn't be rendered" }
     end
   end
 
@@ -86,11 +87,21 @@ class AliasesTest < ActionController::TestCase
   end
 
   def test_dumb_responder_quietly_receives_everything_on_failure
+    @request.accept = 'text/html'
     Student.stubs(:new).returns(mock_student(:save => false, :errors => []))
     @controller.stubs(:resource_url).returns('http://test.host/')
     post :create
     assert_response :success
-    assert_template :edit
+    assert_equal "New HTML", @response.body.strip
+  end
+
+  def test_html_is_the_default_when_only_xml_is_overwriten
+    @request.accept = '*/*'
+    Student.stubs(:new).returns(mock_student(:save => false, :errors => []))
+    @controller.stubs(:resource_url).returns('http://test.host/')
+    post :create
+    assert_response :success
+    assert_equal "New HTML", @response.body.strip
   end
 
   def test_wont_render_edit_template_on_update_with_failure_if_failure_block_is_given

data/test/respond_to_test.rb

@@ -17,11 +17,12 @@ end
 class ProjectsController < ActionController::Base
   # Inherited respond_to definition is:
   # respond_to :html
-  respond_to :xml, :except => :edit
   respond_to :html
+  respond_to :xml, :except => :edit
   respond_to :rjs => :edit
   respond_to :rss,  :only => 'index'
   respond_to :json, :except => :index
+  respond_to :csv,  :except => :index
 
   def index
     respond_with(Project.new)
@@ -46,6 +47,16 @@ class ProjectsController < ActionController::Base
       format.rss  { render :text => 'Render RSS' }
     end
   end
+
+  # If the user request Mime::ALL and we have a template called action.html.erb,
+  # the html template should be rendered *unless* html is specified inside the
+  # block. This tests exactly this case.
+  #
+  def respond_to_skip_default_template
+    respond_to(:with => Project.new) do |format|
+      format.html { render :text => 'Render HTML' }
+    end
+  end
 end
 
 class SuperProjectsController < ProjectsController
@@ -149,6 +160,17 @@ class RespondToUnitTest < ActionController::TestCase
     @responder.respond_any
     assert !@performed
   end
+
+  def test_responder_prioritize
+    prepare_responder_to_respond!
+    assert_equal [Mime::HTML, Mime::XML], @responder.order
+
+    @responder.prioritize(:xml)
+    assert_equal [Mime::XML, Mime::HTML], @responder.order
+
+    @responder.prioritize(:js)
+    assert_equal [Mime::XML, Mime::HTML], @responder.order
+  end
  
   protected 
     def prepare_responder_to_respond!(content_type='*/*')
@@ -195,7 +217,7 @@ class RespondToFunctionalTest < ActionController::TestCase
   end
 
   def test_respond_with_renders_status_not_acceptable_if_mime_type_is_not_registered
-    @request.accept = 'application/json'
+    @request.accept = 'text/csv'
     get :index
     assert_equal '406 Not Acceptable', @response.status
   end
@@ -212,6 +234,13 @@ class RespondToFunctionalTest < ActionController::TestCase
     assert_equal 'Index HTML', @response.body.strip
   end
 
+  def test_default_template_is_not_rendered_if_template_format_is_not_accepted
+    @controller.stubs(:default_template_format).returns(:json)
+    @request.accept = '*/*'
+    get :index
+    assert_equal '406 Not Acceptable', @response.status
+  end
+
   def test_respond_with_sets_content_type_properly
     @request.accept = 'text/html'
     get :index
@@ -276,4 +305,10 @@ class RespondToFunctionalTest < ActionController::TestCase
     get :respond_to_with_resource_and_blocks
     assert_equal 'Render JSON', @response.body.strip
   end
+
+  def test_respond_to_skip_default_template_when_it_is_in_block
+    @request.accept = '*/*'
+    get :respond_to_skip_default_template
+    assert_equal 'Render HTML', @response.body.strip
+  end
 end

data/test/views/projects/index.json.erb

@@ -0,0 +1 @@
+Index JSON

data/test/views/projects/respond_to_skip_default_template.html.erb

@@ -0,0 +1 @@
+DefaultTemplate HTML

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: josevalim-inherited_resources
 version: !ruby/object:Gem::Version 
-  version: 0.6.2
+  version: 0.6.3
 platform: ruby
 authors: 
 - "Jos\xC3\xA9 Valim"
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-04-19 00:00:00 -07:00
+date: 2009-04-24 00:00:00 -07:00
 default_executable: 
 dependencies: []
 
@@ -110,6 +110,8 @@ test_files:
 - test/views/professors/new.html.erb
 - test/views/professors/show.html.erb
 - test/views/projects/index.html.erb
+- test/views/projects/index.json.erb
+- test/views/projects/respond_to_skip_default_template.html.erb
 - test/views/projects/respond_to_with_resource.html.erb
 - test/views/students/edit.html.erb
 - test/views/students/new.html.erb