omg-actionpack 8.0.0.alpha1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d33d474bea49cdb46669b68c6760931543882ecf8e71a763115450ad027e8c6e
+  data.tar.gz: 411bc4578648aff7ce836bf341dbcac37c2b1430627c2b462b694a191913fc37
+SHA512:
+  metadata.gz: 861232c9ddecbe87551fe6cf00b464cedba542bdb6c8be84be424ae3c082985ea1c84b8e5404b5d0be71137250582434df802774f1359e7626df1bdb415974df
+  data.tar.gz: c670f13c1bfc3a8ea58e3f7be5abbb986406d0c3f404bbe0f41c9f5dc01df2ccd301e1155f69d37dad4ff63648b4c108646b139cf70e9023c3593421702fdbe5

data/CHANGELOG.md

@@ -0,0 +1,129 @@
+*   Update `ActionController::Live` to use a thread-pool to reuse threads across requests.
+
+    *Adam Renberg Tamm*
+
+*   Introduce safer, more explicit params handling method with `params#expect` such that
+    `params.expect(table: [ :attr ])` replaces `params.require(:table).permit(:attr)`
+
+    Ensures params are filtered with consideration for the expected
+    types of values, improving handling of params and avoiding ignorable
+    errors caused by params tampering.
+
+    ```ruby
+    # If the url is altered to ?person=hacked
+    # Before
+    params.require(:person).permit(:name, :age, pets: [:name])
+    # raises NoMethodError, causing a 500 and potential error reporting
+
+    # After
+    params.expect(person: [ :name, :age, pets: [[:name]] ])
+    # raises ActionController::ParameterMissing, correctly returning a 400 error
+    ```
+
+    You may also notice the new double array `[[:name]]`. In order to
+    declare when a param is expected to be an array of parameter hashes,
+    this new double array syntax is used to explicitly declare an array.
+    `expect` requires you to declare expected arrays in this way, and will
+    ignore arrays that are passed when, for example, `pet: [:name]` is used.
+
+    In order to preserve compatibility, `permit` does not adopt the new
+    double array syntax and is therefore more permissive about unexpected
+    types. Using `expect` everywhere is recommended.
+
+    We suggest replacing `params.require(:person).permit(:name, :age)`
+    with the direct replacement `params.expect(person: [:name, :age])`
+    to prevent external users from manipulating params to trigger 500
+    errors. A 400 error will be returned instead, using public/400.html
+
+    Usage of `params.require(:id)` should likewise be replaced with
+    `params.expect(:id)` which is designed to ensure that `params[:id]`
+    is a scalar and not an array or hash, also requiring the param.
+
+    ```ruby
+    # Before
+    User.find(params.require(:id)) # allows an array, altering behavior
+
+    # After
+    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
+    ```
+
+    *Martin Emde*
+
+*   System Testing: Disable Chrome's search engine choice by default in system tests.
+
+    *glaszig*
+
+*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
+
+    *Hartley McGuire*
+
+*   Remove `racc` dependency by manually writing `ActionDispatch::Journey::Scanner`.
+
+    *Gannon McGibbon*
+
+*   Speed up `ActionDispatch::Routing::Mapper::Scope#[]` by merging frame hashes.
+
+    *Gannon McGibbon*
+
+*   Allow bots to ignore `allow_browser`.
+
+    *Matthew Nguyen*
+
+*   Deprecate drawing routes with multiple paths to make routing faster.
+    You may use `with_options` or a loop to make drawing multiple paths easier.
+
+    ```ruby
+    # Before
+    get "/users", "/other_path", to: "users#index"
+
+    # After
+    get "/users", to: "users#index"
+    get "/other_path", to: "users#index"
+    ```
+
+    *Gannon McGibbon*
+
+*   Make `http_cache_forever` use `immutable: true`
+
+    *Nate Matykiewicz*
+
+*   Add `config.action_dispatch.strict_freshness`.
+
+    When set to `true`, the `ETag` header takes precedence over the `Last-Modified` header when both are present,
+    as specified by RFC 7232, Section 6.
+
+    Defaults to `false` to maintain compatibility with previous versions of Rails, but is enabled as part of
+    Rails 8.0 defaults.
+
+    *heka1024*
+
+*   Support `immutable` directive in Cache-Control
+
+    ```ruby
+    expires_in 1.minute, public: true, immutable: true
+    # Cache-Control: public, max-age=60, immutable
+    ```
+
+    *heka1024*
+
+*   Add `:wasm_unsafe_eval` mapping for `content_security_policy`
+
+    ```ruby
+    # Before
+    policy.script_src "'wasm-unsafe-eval'"
+
+    # After
+    policy.script_src :wasm_unsafe_eval
+    ```
+
+    *Joe Haig*
+
+*   Add `display_capture` and `keyboard_map` in `permissions_policy`
+
+    *Cyril Blaecke*
+
+*   Add `connect` route helper.
+
+    *Samuel Williams*
+
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionpack/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.rdoc

@@ -0,0 +1,57 @@
+= Action Pack -- From request to response
+
+Action Pack is a framework for handling and responding to web requests. It
+provides mechanisms for *routing* (mapping request URLs to actions), defining
+*controllers* that implement actions, and generating responses. In short, Action Pack
+provides the controller layer in the MVC paradigm.
+
+It consists of several modules:
+
+* Action Dispatch, which parses information about the web request, handles
+  routing as defined by the user, and does advanced processing related to HTTP
+  such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies,
+  handling HTTP caching logic, cookies and sessions.
+
+* Action Controller, which provides a base controller class that can be
+  subclassed to implement filters and actions to handle requests. The result
+  of an action is typically content generated from views.
+
+With the Ruby on \Rails framework, users only directly interface with the
+Action Controller module. Necessary Action Dispatch functionality is activated
+by default and Action View rendering is implicitly triggered by Action
+Controller. However, these modules are designed to function on their own and
+can be used outside of \Rails.
+
+You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.
+
+== Download and installation
+
+The latest version of Action Pack can be installed with RubyGems:
+
+  $ gem install actionpack
+
+Source code can be downloaded as part of the \Rails project on GitHub:
+
+* https://github.com/rails/rails/tree/main/actionpack
+
+
+== License
+
+Action Pack is released under the MIT license:
+
+* https://opensource.org/licenses/MIT
+
+
+== Support
+
+API documentation is at:
+
+* https://api.rubyonrails.org
+
+Bug reports for the Ruby on \Rails project can be filed here:
+
+* https://github.com/rails/rails/issues
+
+Feature requests should be discussed on the rails-core mailing list here:
+
+* https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/abstract_controller/asset_paths.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module AbstractController
+  module AssetPaths # :nodoc:
+    extend ActiveSupport::Concern
+
+    included do
+      config_accessor :asset_host, :assets_dir, :javascripts_dir,
+        :stylesheets_dir, :default_asset_host_protocol, :relative_url_root
+    end
+  end
+end

data/lib/abstract_controller/base.rb

@@ -0,0 +1,299 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "abstract_controller/error"
+require "active_support/configurable"
+require "active_support/descendants_tracker"
+require "active_support/core_ext/module/anonymous"
+require "active_support/core_ext/module/attr_internal"
+
+module AbstractController
+  # Raised when a non-existing controller action is triggered.
+  class ActionNotFound < StandardError
+    attr_reader :controller, :action # :nodoc:
+
+    def initialize(message = nil, controller = nil, action = nil) # :nodoc:
+      @controller = controller
+      @action = action
+      super(message)
+    end
+
+    if defined?(DidYouMean::Correctable) && defined?(DidYouMean::SpellChecker)
+      include DidYouMean::Correctable # :nodoc:
+
+      def corrections # :nodoc:
+        @corrections ||= DidYouMean::SpellChecker.new(dictionary: controller.class.action_methods).correct(action)
+      end
+    end
+  end
+
+  # # Abstract Controller Base
+  #
+  # AbstractController::Base is a low-level API. Nobody should be using it
+  # directly, and subclasses (like ActionController::Base) are expected to provide
+  # their own `render` method, since rendering means different things depending on
+  # the context.
+  class Base
+    ##
+    # Returns the body of the HTTP response sent by the controller.
+    attr_internal :response_body
+
+    ##
+    # Returns the name of the action this controller is processing.
+    attr_internal :action_name
+
+    ##
+    # Returns the formats that can be processed by the controller.
+    attr_internal :formats
+
+    include ActiveSupport::Configurable
+    extend ActiveSupport::DescendantsTracker
+
+    class << self
+      attr_reader :abstract
+      alias_method :abstract?, :abstract
+
+      # Define a controller as abstract. See internal_methods for more details.
+      def abstract!
+        @abstract = true
+      end
+
+      def inherited(klass) # :nodoc:
+        # Define the abstract ivar on subclasses so that we don't get uninitialized ivar
+        # warnings
+        unless klass.instance_variable_defined?(:@abstract)
+          klass.instance_variable_set(:@abstract, false)
+        end
+        super
+      end
+
+      # A list of all internal methods for a controller. This finds the first abstract
+      # superclass of a controller, and gets a list of all public instance methods on
+      # that abstract class. Public instance methods of a controller would normally be
+      # considered action methods, so methods declared on abstract classes are being
+      # removed. (ActionController::Metal and ActionController::Base are defined as
+      # abstract)
+      def internal_methods
+        controller = self
+        methods = []
+
+        until controller.abstract?
+          methods += controller.public_instance_methods(false)
+          controller = controller.superclass
+        end
+
+        controller.public_instance_methods(true) - methods
+      end
+
+      # A list of method names that should be considered actions. This includes all
+      # public instance methods on a controller, less any internal methods (see
+      # internal_methods), adding back in any methods that are internal, but still
+      # exist on the class itself.
+      #
+      # #### Returns
+      # *   `Set` - A set of all methods that should be considered actions.
+      #
+      def action_methods
+        @action_methods ||= begin
+          # All public instance methods of this class, including ancestors except for
+          # public instance methods of Base and its ancestors.
+          methods = public_instance_methods(true) - internal_methods
+          # Be sure to include shadowed public instance methods of this class.
+          methods.concat(public_instance_methods(false))
+          methods.map!(&:to_s)
+          methods.to_set
+        end
+      end
+
+      # action_methods are cached and there is sometimes a need to refresh them.
+      # ::clear_action_methods! allows you to do that, so next time you run
+      # action_methods, they will be recalculated.
+      def clear_action_methods!
+        @action_methods = nil
+      end
+
+      # Returns the full controller name, underscored, without the ending Controller.
+      #
+      #     class MyApp::MyPostsController < AbstractController::Base
+      #
+      #     end
+      #
+      #     MyApp::MyPostsController.controller_path # => "my_app/my_posts"
+      #
+      # #### Returns
+      # *   `String`
+      #
+      def controller_path
+        @controller_path ||= name.delete_suffix("Controller").underscore unless anonymous?
+      end
+
+      # Refresh the cached action_methods when a new action_method is added.
+      def method_added(name)
+        super
+        clear_action_methods!
+      end
+
+      def eager_load! # :nodoc:
+        action_methods
+        nil
+      end
+    end
+
+    abstract!
+
+    # Calls the action going through the entire Action Dispatch stack.
+    #
+    # The actual method that is called is determined by calling #method_for_action.
+    # If no method can handle the action, then an AbstractController::ActionNotFound
+    # error is raised.
+    #
+    # #### Returns
+    # *   `self`
+    #
+    def process(action, ...)
+      @_action_name = action.to_s
+
+      unless action_name = _find_action_name(@_action_name)
+        raise ActionNotFound.new("The action '#{action}' could not be found for #{self.class.name}", self, action)
+      end
+
+      @_response_body = nil
+
+      process_action(action_name, ...)
+    end
+
+    # Delegates to the class's ::controller_path.
+    def controller_path
+      self.class.controller_path
+    end
+
+    # Delegates to the class's ::action_methods.
+    def action_methods
+      self.class.action_methods
+    end
+
+    # Returns true if a method for the action is available and can be dispatched,
+    # false otherwise.
+    #
+    # Notice that `action_methods.include?("foo")` may return false and
+    # `available_action?("foo")` returns true because this method considers actions
+    # that are also available through other means, for example, implicit render
+    # ones.
+    #
+    # #### Parameters
+    # *   `action_name` - The name of an action to be tested
+    #
+    def available_action?(action_name)
+      _find_action_name(action_name)
+    end
+
+    # Tests if a response body is set. Used to determine if the `process_action`
+    # callback needs to be terminated in AbstractController::Callbacks.
+    def performed?
+      response_body
+    end
+
+    # Returns true if the given controller is capable of rendering a path. A
+    # subclass of `AbstractController::Base` may return false. An Email controller
+    # for example does not support paths, only full URLs.
+    def self.supports_path?
+      true
+    end
+
+    def inspect # :nodoc:
+      "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
+    end
+
+    private
+      # Returns true if the name can be considered an action because it has a method
+      # defined in the controller.
+      #
+      # #### Parameters
+      # *   `name` - The name of an action to be tested
+      #
+      def action_method?(name)
+        self.class.action_methods.include?(name)
+      end
+
+      # Call the action. Override this in a subclass to modify the behavior around
+      # processing an action. This, and not #process, is the intended way to override
+      # action dispatching.
+      #
+      # Notice that the first argument is the method to be dispatched which is **not**
+      # necessarily the same as the action name.
+      def process_action(...)
+        send_action(...)
+      end
+
+      # Actually call the method associated with the action. Override this method if
+      # you wish to change how action methods are called, not to add additional
+      # behavior around it. For example, you would override #send_action if you want
+      # to inject arguments into the method.
+      alias send_action send
+
+      # If the action name was not found, but a method called "action_missing" was
+      # found, #method_for_action will return "_handle_action_missing". This method
+      # calls #action_missing with the current action name.
+      def _handle_action_missing(*args)
+        action_missing(@_action_name, *args)
+      end
+
+      # Takes an action name and returns the name of the method that will handle the
+      # action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # #### Parameters
+      # *   `action_name` - An action name to find a method name for
+      #
+      #
+      # #### Returns
+      # *   `string` - The name of the method that handles the action
+      # *   false           - No valid method name could be found.
+      #
+      # Raise `AbstractController::ActionNotFound`.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
+      # Takes an action name and returns the name of the method that will handle the
+      # action. In normal cases, this method returns the same name as it receives. By
+      # default, if #method_for_action receives a name that is not an action, it will
+      # look for an #action_missing method and return "_handle_action_missing" if one
+      # is found.
+      #
+      # Subclasses may override this method to add additional conditions that should
+      # be considered an action. For instance, an HTTP controller with a template
+      # matching the action name is considered to exist.
+      #
+      # If you override this method to handle additional cases, you may also provide a
+      # method (like `_handle_method_missing`) to handle the case.
+      #
+      # If none of these conditions are true, and `method_for_action` returns `nil`,
+      # an `AbstractController::ActionNotFound` exception will be raised.
+      #
+      # #### Parameters
+      # *   `action_name` - An action name to find a method name for
+      #
+      #
+      # #### Returns
+      # *   `string` - The name of the method that handles the action
+      # *   `nil`    - No method name could be found.
+      #
+      def method_for_action(action_name)
+        if action_method?(action_name)
+          action_name
+        elsif respond_to?(:action_missing, true)
+          "_handle_action_missing"
+        end
+      end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        !action_name.to_s.include? File::SEPARATOR
+      end
+  end
+end

data/lib/abstract_controller/caching/fragments.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module AbstractController
+  module Caching
+    # # Abstract Controller Caching Fragments
+    #
+    # Fragment caching is used for caching various blocks within views without
+    # caching the entire action as a whole. This is useful when certain elements of
+    # an action change frequently or depend on complicated state while other parts
+    # rarely change or can be shared amongst multiple parties. The caching is done
+    # using the `cache` helper available in the Action View. See
+    # ActionView::Helpers::CacheHelper for more information.
+    #
+    # While it's strongly recommended that you use key-based cache expiration (see
+    # links in CacheHelper for more information), it is also possible to manually
+    # expire caches. For example:
+    #
+    #     expire_fragment('name_of_cache')
+    module Fragments
+      extend ActiveSupport::Concern
+
+      included do
+        if respond_to?(:class_attribute)
+          class_attribute :fragment_cache_keys
+        else
+          mattr_writer :fragment_cache_keys
+        end
+
+        self.fragment_cache_keys = []
+
+        if respond_to?(:helper_method)
+          helper_method :combined_fragment_cache_key
+        end
+      end
+
+      module ClassMethods
+        # Allows you to specify controller-wide key prefixes for cache fragments. Pass
+        # either a constant `value`, or a block which computes a value each time a cache
+        # key is generated.
+        #
+        # For example, you may want to prefix all fragment cache keys with a global
+        # version identifier, so you can easily invalidate all caches.
+        #
+        #     class ApplicationController
+        #       fragment_cache_key "v1"
+        #     end
+        #
+        # When it's time to invalidate all fragments, simply change the string constant.
+        # Or, progressively roll out the cache invalidation using a computed value:
+        #
+        #     class ApplicationController
+        #       fragment_cache_key do
+        #         @account.id.odd? ? "v1" : "v2"
+        #       end
+        #     end
+        def fragment_cache_key(value = nil, &key)
+          self.fragment_cache_keys += [key || -> { value }]
+        end
+      end
+
+      # Given a key (as described in `expire_fragment`), returns a key array suitable
+      # for use in reading, writing, or expiring a cached fragment. All keys begin
+      # with `:views`, followed by `ENV["RAILS_CACHE_ID"]` or
+      # `ENV["RAILS_APP_VERSION"]` if set, followed by any controller-wide key prefix
+      # values, ending with the specified `key` value.
+      def combined_fragment_cache_key(key)
+        head = self.class.fragment_cache_keys.map { |k| instance_exec(&k) }
+        tail = key.is_a?(Hash) ? url_for(key).split("://").last : key
+
+        cache_key = [:views, ENV["RAILS_CACHE_ID"] || ENV["RAILS_APP_VERSION"], head, tail]
+        cache_key.flatten!(1)
+        cache_key.compact!
+        cache_key
+      end
+
+      # Writes `content` to the location signified by `key` (see `expire_fragment` for
+      # acceptable formats).
+      def write_fragment(key, content, options = nil)
+        return content unless cache_configured?
+
+        key = combined_fragment_cache_key(key)
+        instrument_fragment_cache :write_fragment, key do
+          content = content.to_str
+          cache_store.write(key, content, options)
+        end
+        content
+      end
+
+      # Reads a cached fragment from the location signified by `key` (see
+      # `expire_fragment` for acceptable formats).
+      def read_fragment(key, options = nil)
+        return unless cache_configured?
+
+        key = combined_fragment_cache_key(key)
+        instrument_fragment_cache :read_fragment, key do
+          result = cache_store.read(key, options)
+          result.respond_to?(:html_safe) ? result.html_safe : result
+        end
+      end
+
+      # Check if a cached fragment from the location signified by `key` exists (see
+      # `expire_fragment` for acceptable formats).
+      def fragment_exist?(key, options = nil)
+        return unless cache_configured?
+        key = combined_fragment_cache_key(key)
+
+        instrument_fragment_cache :exist_fragment?, key do
+          cache_store.exist?(key, options)
+        end
+      end
+
+      # Removes fragments from the cache.
+      #
+      # `key` can take one of three forms:
+      #
+      # *   String - This would normally take the form of a path, like
+      #     `pages/45/notes`.
+      # *   Hash - Treated as an implicit call to `url_for`, like `{ controller:
+      #     'pages', action: 'notes', id: 45}`
+      # *   Regexp - Will remove any fragment that matches, so `%r{pages/\d*/notes}`
+      #     might remove all notes. Make sure you don't use anchors in the regex (`^`
+      #     or `$`) because the actual filename matched looks like
+      #     `./cache/filename/path.cache`. Note: Regexp expiration is only supported
+      #     on caches that can iterate over all keys (unlike memcached).
+      #
+      #
+      # `options` is passed through to the cache store's `delete` method (or
+      # `delete_matched`, for Regexp keys).
+      def expire_fragment(key, options = nil)
+        return unless cache_configured?
+        key = combined_fragment_cache_key(key) unless key.is_a?(Regexp)
+
+        instrument_fragment_cache :expire_fragment, key do
+          if key.is_a?(Regexp)
+            cache_store.delete_matched(key, options)
+          else
+            cache_store.delete(key, options)
+          end
+        end
+      end
+
+      def instrument_fragment_cache(name, key, &block) # :nodoc:
+        ActiveSupport::Notifications.instrument("#{name}.#{instrument_name}", instrument_payload(key), &block)
+      end
+    end
+  end
+end