omg-actionpack 8.0.0.alpha1

data/lib/action_controller/base.rb

@@ -0,0 +1,332 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "action_view"
+require "action_controller/log_subscriber"
+require "action_controller/metal/params_wrapper"
+
+module ActionController
+  # # Action Controller Base
+  #
+  # Action Controllers are the core of a web request in Rails. They are made up of
+  # one or more actions that are executed on request and then either it renders a
+  # template or redirects to another action. An action is defined as a public
+  # method on the controller, which will automatically be made accessible to the
+  # web-server through Rails Routes.
+  #
+  # By default, only the ApplicationController in a Rails application inherits
+  # from `ActionController::Base`. All other controllers inherit from
+  # ApplicationController. This gives you one class to configure things such as
+  # request forgery protection and filtering of sensitive request parameters.
+  #
+  # A sample controller could look like this:
+  #
+  #     class PostsController < ApplicationController
+  #       def index
+  #         @posts = Post.all
+  #       end
+  #
+  #       def create
+  #         @post = Post.create params[:post]
+  #         redirect_to posts_path
+  #       end
+  #     end
+  #
+  # Actions, by default, render a template in the `app/views` directory
+  # corresponding to the name of the controller and action after executing code in
+  # the action. For example, the `index` action of the PostsController would
+  # render the template `app/views/posts/index.html.erb` by default after
+  # populating the `@posts` instance variable.
+  #
+  # Unlike index, the create action will not render a template. After performing
+  # its main purpose (creating a new post), it initiates a redirect instead. This
+  # redirect works by returning an external `302 Moved` HTTP response that takes
+  # the user to the index action.
+  #
+  # These two methods represent the two basic action archetypes used in Action
+  # Controllers: Get-and-show and do-and-redirect. Most actions are variations on
+  # these themes.
+  #
+  # ## Requests
+  #
+  # For every request, the router determines the value of the `controller` and
+  # `action` keys. These determine which controller and action are called. The
+  # remaining request parameters, the session (if one is available), and the full
+  # request with all the HTTP headers are made available to the action through
+  # accessor methods. Then the action is performed.
+  #
+  # The full request object is available via the request accessor and is primarily
+  # used to query for HTTP headers:
+  #
+  #     def server_ip
+  #       location = request.env["REMOTE_ADDR"]
+  #       render plain: "This server hosted at #{location}"
+  #     end
+  #
+  # ## Parameters
+  #
+  # All request parameters, whether they come from a query string in the URL or
+  # form data submitted through a POST request are available through the `params`
+  # method which returns a hash. For example, an action that was performed through
+  # `/posts?category=All&limit=5` will include `{ "category" => "All", "limit" =>
+  # "5" }` in `params`.
+  #
+  # It's also possible to construct multi-dimensional parameter hashes by
+  # specifying keys using brackets, such as:
+  #
+  #     <input type="text" name="post[name]" value="david">
+  #     <input type="text" name="post[address]" value="hyacintvej">
+  #
+  # A request coming from a form holding these inputs will include `{ "post" => {
+  # "name" => "david", "address" => "hyacintvej" } }`. If the address input had
+  # been named `post[address][street]`, the `params` would have included `{ "post"
+  # => { "address" => { "street" => "hyacintvej" } } }`. There's no limit to the
+  # depth of the nesting.
+  #
+  # ## Sessions
+  #
+  # Sessions allow you to store objects in between requests. This is useful for
+  # objects that are not yet ready to be persisted, such as a Signup object
+  # constructed in a multi-paged process, or objects that don't change much and
+  # are needed all the time, such as a User object for a system that requires
+  # login. The session should not be used, however, as a cache for objects where
+  # it's likely they could be changed unknowingly. It's usually too much work to
+  # keep it all synchronized -- something databases already excel at.
+  #
+  # You can place objects in the session by using the `session` method, which
+  # accesses a hash:
+  #
+  #     session[:person] = Person.authenticate(user_name, password)
+  #
+  # You can retrieve it again through the same hash:
+  #
+  #     "Hello #{session[:person]}"
+  #
+  # For removing objects from the session, you can either assign a single key to
+  # `nil`:
+  #
+  #     # removes :person from session
+  #     session[:person] = nil
+  #
+  # or you can remove the entire session with `reset_session`.
+  #
+  # By default, sessions are stored in an encrypted browser cookie (see
+  # ActionDispatch::Session::CookieStore). Thus the user will not be able to read
+  # or edit the session data. However, the user can keep a copy of the cookie even
+  # after it has expired, so you should avoid storing sensitive information in
+  # cookie-based sessions.
+  #
+  # ## Responses
+  #
+  # Each action results in a response, which holds the headers and document to be
+  # sent to the user's browser. The actual response object is generated
+  # automatically through the use of renders and redirects and requires no user
+  # intervention.
+  #
+  # ## Renders
+  #
+  # Action Controller sends content to the user by using one of five rendering
+  # methods. The most versatile and common is the rendering of a template.
+  # Included in the Action Pack is the Action View, which enables rendering of ERB
+  # templates. It's automatically configured. The controller passes objects to the
+  # view by assigning instance variables:
+  #
+  #     def show
+  #       @post = Post.find(params[:id])
+  #     end
+  #
+  # Which are then automatically available to the view:
+  #
+  #     Title: <%= @post.title %>
+  #
+  # You don't have to rely on the automated rendering. For example, actions that
+  # could result in the rendering of different templates will use the manual
+  # rendering methods:
+  #
+  #     def search
+  #       @results = Search.find(params[:query])
+  #       case @results.count
+  #         when 0 then render action: "no_results"
+  #         when 1 then render action: "show"
+  #         when 2..10 then render action: "show_many"
+  #       end
+  #     end
+  #
+  # Read more about writing ERB and Builder templates in ActionView::Base.
+  #
+  # ## Redirects
+  #
+  # Redirects are used to move from one action to another. For example, after a
+  # `create` action, which stores a blog entry to the database, we might like to
+  # show the user the new entry. Because we're following good DRY principles
+  # (Don't Repeat Yourself), we're going to reuse (and redirect to) a `show`
+  # action that we'll assume has already been created. The code might look like
+  # this:
+  #
+  #     def create
+  #       @entry = Entry.new(params[:entry])
+  #       if @entry.save
+  #         # The entry was saved correctly, redirect to show
+  #         redirect_to action: 'show', id: @entry.id
+  #       else
+  #         # things didn't go so well, do something else
+  #       end
+  #     end
+  #
+  # In this case, after saving our new entry to the database, the user is
+  # redirected to the `show` method, which is then executed. Note that this is an
+  # external HTTP-level redirection which will cause the browser to make a second
+  # request (a GET to the show action), and not some internal re-routing which
+  # calls both "create" and then "show" within one request.
+  #
+  # Learn more about `redirect_to` and what options you have in
+  # ActionController::Redirecting.
+  #
+  # ## Calling multiple redirects or renders
+  #
+  # An action may perform only a single render or a single redirect. Attempting to
+  # do either again will result in a DoubleRenderError:
+  #
+  #     def do_something
+  #       redirect_to action: "elsewhere"
+  #       render action: "overthere" # raises DoubleRenderError
+  #     end
+  #
+  # If you need to redirect on the condition of something, then be sure to add
+  # "return" to halt execution.
+  #
+  #     def do_something
+  #       if monkeys.nil?
+  #         redirect_to(action: "elsewhere")
+  #         return
+  #       end
+  #       render action: "overthere" # won't be called if monkeys is nil
+  #     end
+  #
+  class Base < Metal
+    abstract!
+
+    # Shortcut helper that returns all the modules included in
+    # ActionController::Base except the ones passed as arguments:
+    #
+    #     class MyBaseController < ActionController::Metal
+    #       ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
+    #         include left
+    #       end
+    #     end
+    #
+    # This gives better control over what you want to exclude and makes it easier to
+    # create a bare controller class, instead of listing the modules required
+    # manually.
+    def self.without_modules(*modules)
+      modules = modules.map do |m|
+        m.is_a?(Symbol) ? ActionController.const_get(m) : m
+      end
+
+      MODULES - modules
+    end
+
+    MODULES = [
+      AbstractController::Rendering,
+      AbstractController::Translation,
+      AbstractController::AssetPaths,
+      Helpers,
+      UrlFor,
+      Redirecting,
+      ActionView::Layouts,
+      Rendering,
+      Renderers::All,
+      ConditionalGet,
+      EtagWithTemplateDigest,
+      EtagWithFlash,
+      Caching,
+      MimeResponds,
+      ImplicitRender,
+      StrongParameters,
+      ParameterEncoding,
+      Cookies,
+      Flash,
+      FormBuilder,
+      RequestForgeryProtection,
+      ContentSecurityPolicy,
+      PermissionsPolicy,
+      RateLimiting,
+      AllowBrowser,
+      Streaming,
+      DataStreaming,
+      HttpAuthentication::Basic::ControllerMethods,
+      HttpAuthentication::Digest::ControllerMethods,
+      HttpAuthentication::Token::ControllerMethods,
+      DefaultHeaders,
+      Logging,
+      AbstractController::Callbacks,
+      Rescue,
+      Instrumentation,
+      ParamsWrapper
+    ]
+
+    # Note: Documenting these severely degrates the performance of rdoc
+    # :stopdoc:
+    include AbstractController::Rendering
+    include AbstractController::Translation
+    include AbstractController::AssetPaths
+    include Helpers
+    include UrlFor
+    include Redirecting
+    include ActionView::Layouts
+    include Rendering
+    include Renderers::All
+    include ConditionalGet
+    include EtagWithTemplateDigest
+    include EtagWithFlash
+    include Caching
+    include MimeResponds
+    include ImplicitRender
+    include StrongParameters
+    include ParameterEncoding
+    include Cookies
+    include Flash
+    include FormBuilder
+    include RequestForgeryProtection
+    include ContentSecurityPolicy
+    include PermissionsPolicy
+    include RateLimiting
+    include AllowBrowser
+    include Streaming
+    include DataStreaming
+    include HttpAuthentication::Basic::ControllerMethods
+    include HttpAuthentication::Digest::ControllerMethods
+    include HttpAuthentication::Token::ControllerMethods
+    include DefaultHeaders
+    include Logging
+    # Before callbacks should also be executed as early as possible, so also include
+    # them at the bottom.
+    include AbstractController::Callbacks
+    # Append rescue at the bottom to wrap as much as possible.
+    include Rescue
+    # Add instrumentations hooks at the bottom, to ensure they instrument all the
+    # methods properly.
+    include Instrumentation
+    # Params wrapper should come before instrumentation so they are properly showed
+    # in logs
+    include ParamsWrapper
+    # :startdoc:
+    setup_renderer!
+
+    # Define some internal variables that should not be propagated to the view.
+    PROTECTED_IVARS = AbstractController::Rendering::DEFAULT_PROTECTED_INSTANCE_VARIABLES + %i(
+      @_params @_response @_request @_config @_url_options @_action_has_layout @_view_context_class
+      @_view_renderer @_lookup_context @_routes @_view_runtime @_db_runtime @_helper_proxy
+      @_marked_for_same_origin_verification @_rendered_format
+    )
+
+    def _protected_ivars
+      PROTECTED_IVARS
+    end
+    private :_protected_ivars
+
+    ActiveSupport.run_load_hooks(:action_controller_base, self)
+    ActiveSupport.run_load_hooks(:action_controller, self)
+  end
+end

data/lib/action_controller/caching.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  # # Action Controller Caching
+  #
+  # Caching is a cheap way of speeding up slow applications by keeping the result
+  # of calculations, renderings, and database calls around for subsequent
+  # requests.
+  #
+  # You can read more about each approach by clicking the modules below.
+  #
+  # Note: To turn off all caching provided by Action Controller, set
+  #     config.action_controller.perform_caching = false
+  #
+  # ## Caching stores
+  #
+  # All the caching stores from ActiveSupport::Cache are available to be used as
+  # backends for Action Controller caching.
+  #
+  # Configuration examples (FileStore is the default):
+  #
+  #     config.action_controller.cache_store = :memory_store
+  #     config.action_controller.cache_store = :file_store, '/path/to/cache/directory'
+  #     config.action_controller.cache_store = :mem_cache_store, 'localhost'
+  #     config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
+  #     config.action_controller.cache_store = MyOwnStore.new('parameter')
+  module Caching
+    extend ActiveSupport::Concern
+
+    included do
+      include AbstractController::Caching
+    end
+
+    private
+      def instrument_payload(key)
+        {
+          controller: controller_name,
+          action: action_name,
+          key: key
+        }
+      end
+
+      def instrument_name
+        "action_controller"
+      end
+  end
+end

data/lib/action_controller/deprecator.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  def self.deprecator # :nodoc:
+    AbstractController.deprecator
+  end
+end

data/lib/action_controller/form_builder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  # # Action Controller Form Builder
+  #
+  # Override the default form builder for all views rendered by this controller
+  # and any of its descendants. Accepts a subclass of
+  # ActionView::Helpers::FormBuilder.
+  #
+  # For example, given a form builder:
+  #
+  #     class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #       def special_field(name)
+  #       end
+  #     end
+  #
+  # The controller specifies a form builder as its default:
+  #
+  #     class AdminAreaController < ApplicationController
+  #       default_form_builder AdminFormBuilder
+  #     end
+  #
+  # Then in the view any form using `form_for` will be an instance of the
+  # specified form builder:
+  #
+  #     <%= form_for(@instance) do |builder| %>
+  #       <%= builder.special_field(:name) %>
+  #     <% end %>
+  module FormBuilder
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_default_form_builder, instance_accessor: false
+    end
+
+    module ClassMethods
+      # Set the form builder to be used as the default for all forms in the views
+      # rendered by this controller and its subclasses.
+      #
+      # #### Parameters
+      # *   `builder` - Default form builder, an instance of
+      #     ActionView::Helpers::FormBuilder
+      def default_form_builder(builder)
+        self._default_form_builder = builder
+      end
+    end
+
+    # Default form builder for the controller
+    def default_form_builder
+      self.class._default_form_builder
+    end
+  end
+end

data/lib/action_controller/log_subscriber.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    INTERNAL_PARAMS = %w(controller action format _method only_path)
+
+    def start_processing(event)
+      return unless logger.info?
+
+      payload = event.payload
+      params = {}
+      payload[:params].each_pair do |k, v|
+        params[k] = v unless INTERNAL_PARAMS.include?(k)
+      end
+      format  = payload[:format]
+      format  = format.to_s.upcase if format.is_a?(Symbol)
+      format  = "*/*" if format.nil?
+
+      info "Processing by #{payload[:controller]}##{payload[:action]} as #{format}"
+      info "  Parameters: #{params.inspect}" unless params.empty?
+    end
+    subscribe_log_level :start_processing, :info
+
+    def process_action(event)
+      info do
+        payload = event.payload
+        additions = ActionController::Base.log_process_action(payload)
+        status = payload[:status]
+
+        if status.nil? && (exception_class_name = payload[:exception]&.first)
+          status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+        end
+
+        additions << "GC: #{event.gc_time.round(1)}ms"
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms" \
+                   " (#{additions.join(" | ")})"
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
+        message
+      end
+    end
+    subscribe_log_level :process_action, :info
+
+    def halted_callback(event)
+      info { "Filter chain halted as #{event.payload[:filter].inspect} rendered or redirected" }
+    end
+    subscribe_log_level :halted_callback, :info
+
+    def send_file(event)
+      info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
+    end
+    subscribe_log_level :send_file, :info
+
+    def redirect_to(event)
+      info { "Redirected to #{event.payload[:location]}" }
+    end
+    subscribe_log_level :redirect_to, :info
+
+    def send_data(event)
+      info { "Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)" }
+    end
+    subscribe_log_level :send_data, :info
+
+    def unpermitted_parameters(event)
+      debug do
+        unpermitted_keys = event.payload[:keys]
+        display_unpermitted_keys = unpermitted_keys.map { |e| ":#{e}" }.join(", ")
+        context = event.payload[:context].map { |k, v| "#{k}: #{v}" }.join(", ")
+        color("Unpermitted parameter#{'s' if unpermitted_keys.size > 1}: #{display_unpermitted_keys}. Context: { #{context} }", RED)
+      end
+    end
+    subscribe_log_level :unpermitted_parameters, :debug
+
+    %w(write_fragment read_fragment exist_fragment? expire_fragment).each do |method|
+      class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        # frozen_string_literal: true
+        def #{method}(event)
+          return unless ActionController::Base.enable_fragment_cache_logging
+          key         = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
+          human_name  = #{method.to_s.humanize.inspect}
+          info("\#{human_name} \#{key} (\#{event.duration.round(1)}ms)")
+        end
+        subscribe_log_level :#{method}, :info
+      METHOD
+    end
+
+    def logger
+      ActionController::Base.logger
+    end
+  end
+end
+
+ActionController::LogSubscriber.attach_to :action_controller

data/lib/action_controller/metal/allow_browser.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module AllowBrowser
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Specify the browser versions that will be allowed to access all actions (or
+      # some, as limited by `only:` or `except:`). Only browsers matched in the hash
+      # or named set passed to `versions:` will be blocked if they're below the
+      # versions specified. This means that all other browsers, as well as agents that
+      # aren't reporting a user-agent header, will be allowed access.
+      #
+      # A browser that's blocked will by default be served the file in
+      # public/406-unsupported-browser.html with a HTTP status code of "406 Not
+      # Acceptable".
+      #
+      # In addition to specifically named browser versions, you can also pass
+      # `:modern` as the set to restrict support to browsers natively supporting webp
+      # images, web push, badges, import maps, CSS nesting, and CSS :has. This
+      # includes Safari 17.2+, Chrome 120+, Firefox 121+, Opera 106+.
+      #
+      # You can use https://caniuse.com to check for browser versions supporting the
+      # features you use.
+      #
+      # You can use `ActiveSupport::Notifications` to subscribe to events of browsers
+      # being blocked using the `browser_block.action_controller` event name.
+      #
+      # Examples:
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
+      #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
+      #     end
+      #
+      #     class MessagesController < ApplicationController
+      #       # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
+      #       allow_browser versions: { opera: 104, chrome: 119 }, only: :show
+      #     end
+      def allow_browser(versions:, block: -> { render file: Rails.root.join("public/406-unsupported-browser.html"), layout: false, status: :not_acceptable }, **options)
+        before_action -> { allow_browser(versions: versions, block: block) }, **options
+      end
+    end
+
+    private
+      def allow_browser(versions:, block:)
+        require "useragent"
+
+        if BrowserBlocker.new(request, versions: versions).blocked?
+          ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
+            instance_exec(&block)
+          end
+        end
+      end
+
+      class BrowserBlocker
+        SETS = {
+          modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
+        }
+
+        attr_reader :request, :versions
+
+        def initialize(request, versions:)
+          @request, @versions = request, versions
+        end
+
+        def blocked?
+          user_agent_version_reported? && unsupported_browser?
+        end
+
+        private
+          def parsed_user_agent
+            @parsed_user_agent ||= UserAgent.parse(request.user_agent)
+          end
+
+          def user_agent_version_reported?
+            request.user_agent.present? && parsed_user_agent.version.to_s.present?
+          end
+
+          def unsupported_browser?
+            version_guarded_browser? && version_below_minimum_required? && !bot?
+          end
+
+          def version_guarded_browser?
+            minimum_browser_version_for_browser != nil
+          end
+
+          def bot?
+            parsed_user_agent.bot?
+          end
+
+          def version_below_minimum_required?
+            if minimum_browser_version_for_browser
+              parsed_user_agent.version < UserAgent::Version.new(minimum_browser_version_for_browser.to_s)
+            else
+              true
+            end
+          end
+
+          def minimum_browser_version_for_browser
+            expanded_versions[normalized_browser_name]
+          end
+
+          def expanded_versions
+            @expanded_versions ||= (SETS[versions] || versions).with_indifferent_access
+          end
+
+          def normalized_browser_name
+            case name = parsed_user_agent.browser.downcase
+            when "internet explorer" then "ie"
+            else name
+            end
+          end
+      end
+  end
+end

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  module BasicImplicitRender # :nodoc:
+    def send_action(method, *args)
+      ret = super
+      default_render unless performed?
+      ret
+    end
+
+    def default_render
+      head :no_content
+    end
+  end
+end