padrino-core 0.12.1 → 0.12.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f503cfe1974ffddc13bc280ad2abfbe7a47f397b
-  data.tar.gz: 9d7b43288edeb327d60848ac5a7f539e05f5ec0b
+  metadata.gz: dec1c7a3513869018c0576596a7888261759d25c
+  data.tar.gz: 6ba616394f122fc4bf166facc114554cbddf2331
 SHA512:
-  metadata.gz: 5503c652282579166fbafe304e349f97b8956555eaabb7edfae2952daaec2e18c5656f742055fb98a5e3386f3e0d47183ef00ea294a8eafe5a9c1cdc4ea6b14f
-  data.tar.gz: a250c8dc4dc33f17a6f5c3072f918733b9de07005753c1a8efc55662a6f9ba2db1d2c31a53c988283ac3c45f098a25ffdbcf2b5881006ddd20fff493c58f18a9
+  metadata.gz: 6507e1e6ae0a0d2ca472e740928b548d7d9340d5d046725c8c049ece42e595db33018b1f551c148c846a1618e5cc2dd583bca65d202b49e8e86aa669eb770c85
+  data.tar.gz: bc2666c168ba2678e3045db54803ddcec24fd9c486a8b77e03e01c7eb0a01785ed15ac95c487955723f5b7ed864cbd5939a67d4252a5aff5a622ba3c1ba760e0

data/lib/padrino-core/application/application_setup.rb

@@ -151,6 +151,15 @@ module Padrino
         I18n.reload!
       end
 
+      # allow custome session management
+      def setup_sessions(builder)
+        if sessions.kind_of?(Hash) && sessions[:use]
+          builder.use sessions[:use], sessions[:config] || {}
+        else
+          super
+        end
+      end
+
       # sets up csrf protection for the app
       def setup_csrf_protection(builder)
         check_csrf_protection_dependency

data/lib/padrino-core/application/params_protection.rb

@@ -0,0 +1,129 @@
+begin
+  require 'active_support/core_ext/object/deep_dup' # AS 4.1
+rescue LoadError => ex
+  require 'active_support/core_ext/hash/deep_dup' # AS >= 3.1
+end
+
+module Padrino
+  ##
+  # Padrino application module providing means for mass-assignment protection.
+  #
+  module ParamsProtection
+    class << self
+      def registered(app)
+        included(app)
+      end
+
+      def included(base)
+        base.send(:include, InstanceMethods)
+        base.extend(ClassMethods)
+      end
+    end
+
+    module ClassMethods
+      ##
+      # Implements filtering of url query params. Can prevent mass-assignment.
+      #
+      # @example
+      #   post :update, :params => [:name, :email]
+      #   post :update, :params => [:name, :id => Integer]
+      #   post :update, :params => [:name => proc{ |v| v.reverse }]
+      #   post :update, :params => [:name, :parent => [:name, :position]]
+      #   post :update, :params => false
+      #   post :update, :params => true
+      # @example
+      #   params :name, :email, :password => prox{ |v| v.reverse }
+      #   post :update
+      # @example
+      #   App.controller :accounts, :params => [:name, :position] do
+      #     post :create
+      #     post :update, :with => [ :id ], :params => [:name, :position, :addition]
+      #     get :show, :with => :id, :params => false
+      #     get :search, :params => true
+      #   end
+      #
+      def params(*allowed_params)
+        allowed_params = prepare_allowed_params(allowed_params)
+        condition do
+          @original_params = params.deep_dup
+          filter_params!(params, allowed_params)
+        end
+      end
+
+      private
+
+      def prepare_allowed_params(allowed_params)
+        param_filter = {}
+        allowed_params.each do |key,value|
+          case
+          when key.kind_of?(Hash) && !value
+            param_filter.update(prepare_allowed_params(key))
+          when value.kind_of?(Hash) || value.kind_of?(Array)
+            param_filter[key.to_s] = prepare_allowed_params(value)
+          else
+            param_filter[key.to_s] = value == false ? false : (value || true)
+          end
+        end
+        param_filter.freeze
+      end
+    end
+
+    module InstanceMethods
+      ##
+      # Filters a hash of parameters leaving only allowed ones and possibly
+      # typecasting and processing the others.
+      #
+      # @param [Hash] params
+      #   Parameters to filter.
+      #   Warning: this hash will be changed by deleting or replacing its values.
+      # @param [Hash] allowed_params
+      #   A hash of allowed keys and value classes or processing procs. Supported
+      #   scalar classes are: Integer (empty string is cast to nil).
+      #
+      # @example
+      #   filter_params!( { "a" => "1", "b" => "abc", "d" => "drop" },
+      #                   { "a" => Integer, "b" => true } )
+      #   # => { "a" => 1, "b" => "abc" }
+      #   filter_params!( { "id" => "", "child" => { "name" => "manny" } },
+      #                   { "id" => Integer, "child" => { "name" => proc{ |v| v.camelize } } } )
+      #   # => { "id" => nil, "child" => { "name" => "Manny" } }
+      #   filter_params!( { "a" => ["1", "2", "3"] },
+      #                   { "a" => true } )
+      #   # => { "a" => ["1", "2", "3"] }
+      #   filter_params!( { "persons" => {"p-1" => { "name" => "manny", "age" => "50" }, "p-2" => { "name" => "richard", "age" => "50" } } },
+      #                   { "persons" => { "name" => true } } )
+      #   # => { "persons" => {"p-1" => { "name" => "manny" }, "p-2" => { "name" => "richard" } } }
+      #
+      def filter_params!(params, allowed_params)
+        params.each do |key,value|
+          type = allowed_params[key]
+          next if value.kind_of?(Array) && type
+          case
+          when type.kind_of?(Hash)
+            if key == key.pluralize
+              value.each do |array_index,array_value|
+                value[array_index] = filter_params!(array_value, type)
+              end
+            else
+              params[key] = filter_params!(value, type)
+            end
+          when type == Integer
+            params[key] = value.empty? ? nil : value.to_i
+          when type.kind_of?(Proc)
+            params[key] = type.call(value)
+          when type == true
+          else
+            params.delete(key)
+          end
+        end
+      end
+
+      ##
+      # Returns the original unfiltered query parameters hash.
+      #
+      def original_params
+        @original_params || params
+      end
+    end
+  end
+end

data/lib/padrino-core/application/routing.rb

@@ -132,6 +132,19 @@ class HttpRouter
     @routes.sort!{ |a, b| a.order <=> b.order }
   end
 
+  class Node::Glob
+    def to_code
+      id = root.next_counter
+      "request.params << (globbed_params#{id} = [])
+       until request.path.empty?
+         globbed_params#{id} << request.path.shift
+         #{super}
+       end
+       request.path[0,0] = globbed_params#{id}
+       request.params.pop"
+    end
+  end
+
   class Node::SpanningRegex
     def to_code
       params_count = @ordered_indicies.size
@@ -386,6 +399,7 @@ module Padrino
           @_conditions, original_conditions = options.delete(:conditions), @_conditions
           @_defaults,   original_defaults   = options,                     @_defaults
           @_accepts,    original_accepts    = options.delete(:accepts),    @_accepts
+          @_params,     original_params     = options.delete(:params),     @_params
 
           # Application defaults.
           @filters,     original_filters    = { :before => @filters[:before].dup, :after => @filters[:after].dup }, @filters
@@ -401,6 +415,7 @@ module Padrino
           @_controller, @_parents,  @_cache     = original_controller, original_parent,   original_cache
           @_defaults,   @_provides, @_map       = original_defaults,   original_provides, original_map
           @_conditions, @_use_format, @_accepts = original_conditions, original_use_format, original_accepts
+          @_params                              = original_params
         else
           include(*args) if extensions.any?
         end
@@ -582,28 +597,32 @@ module Padrino
       ##
       # Instance method for url generation.
       #
+      # @option options [String] :fragment
+      #   An addition to url to identify a portion of requested resource (i.e #something).
+      # @option options [String] :anchor
+      #   Synonym for fragment.
+      #
       # @example
       #   url(:show, :id => 1)
       #   url(:show, :name => 'test', :id => 24)
       #   url(:show, 1)
       #   url(:controller_name, :show, :id => 21)
       #   url(:controller_show, :id => 29)
+      #   url(:index, :fragment => 'comments')
       #
       def url(*args)
-        params = args.extract_options!  # parameters is hash at end
+        params = args.extract_options!
         names, params_array = args.partition{|a| a.is_a?(Symbol)}
         name = names[0, 2].join(" ").to_sym    # route name is concatenated with underscores
-        if params.is_a?(Hash)
-          params[:format] = params[:format].to_s unless params[:format].nil?
-          params = value_to_param(params.symbolize_keys)
-        end
+        fragment = params.delete(:fragment) || params.delete(:anchor)
+        params = value_to_param(params.symbolize_keys)
         url =
           if params_array.empty?
             compiled_router.path(name, params)
           else
             compiled_router.path(name, *(params_array << params))
           end
-        rebase_url(url)
+        rebase_url(fragment ? url + '#' + fragment : url)
       rescue HttpRouter::InvalidRouteException
         route_error = "route mapping for url(#{name.inspect}) could not be found!"
         raise Padrino::Routing::UnrecognizedException.new(route_error)
@@ -621,8 +640,8 @@ module Padrino
       def rebase_url(url)
         if url.start_with?('/')
           new_url = ''
-          new_url << conform_uri(uri_root) if defined?(uri_root)
           new_url << conform_uri(ENV['RACK_BASE_URI']) if ENV['RACK_BASE_URI']
+          new_url << conform_uri(uri_root) if defined?(uri_root)
           new_url << url
         else
           url.blank? ? '/' : url
@@ -693,6 +712,7 @@ module Padrino
         route_options = options.dup
         route_options[:provides] = @_provides if @_provides
         route_options[:accepts]  = @_accepts if @_accepts
+        route_options[:params] = @_params unless @_params.nil? || route_options.include?(:params)
 
         # Add Sinatra condition to check rack-protection failure.
         if protect_from_csrf && (report_csrf_failure || allow_disabled_csrf)
@@ -767,6 +787,13 @@ module Padrino
       def parse_route(path, options, verb)
         route_options = {}
 
+        if options[:params] == true
+          options.delete(:params)
+        elsif options.include?(:params)
+          options[:params] ||= []
+          options[:params] += options[:with] if options[:with]
+        end
+
         # We need check if path is a symbol, if that it's a named route.
         map = options.delete(:map)
 

data/lib/padrino-core/application.rb

@@ -3,6 +3,7 @@ require 'padrino-core/application/routing'
 require 'padrino-core/application/show_exceptions'
 require 'padrino-core/application/authenticity_token'
 require 'padrino-core/application/application_setup'
+require 'padrino-core/application/params_protection'
 
 module Padrino
   ##
@@ -14,6 +15,7 @@ module Padrino
   class Application < Sinatra::Base
     register Padrino::ApplicationSetup
     register Padrino::Routing
+    register Padrino::ParamsProtection
 
     ##
     # Returns the logger for this application.

data/lib/padrino-core/logger.rb

@@ -101,7 +101,7 @@ module Padrino
         duration = Time.now - began_at
         color    = :red if duration > 1
         action   = colorize(action.to_s.upcase.rjust(@_pad), color)
-        duration = colorize('%0.4fs' % duration, :bold, color)
+        duration = colorize('%0.4fs' % duration, color, :bold)
         push "#{action} (#{duration}) #{message}", level
       end
 
@@ -203,11 +203,11 @@ module Padrino
       # Colors for levels
       ColoredLevels = {
         :fatal => [:bold, :red],
-        :error => [:red],
-        :warn  => [:yellow],
-        :info  => [:green],
-        :debug => [:cyan],
-        :devel => [:magenta]
+        :error => [:default, :red],
+        :warn  => [:default, :yellow],
+        :info  => [:default, :green],
+        :debug => [:default, :cyan],
+        :devel => [:default, :magenta]
       } unless defined?(ColoredLevels)
 
       ##
@@ -218,14 +218,11 @@ module Padrino
       # @see Padrino::Logging::ColorizedLogger::ColoredLevels
       #
       def colorize(string, *colors)
-        colors.each do |c|
-          string = string.colorize(c)
-        end
-        string
+        string.colorize(:color => colors[0], :mode => colors[1])
       end
 
       def stylized_level(level)
-        style = ColoredLevels[level].map { |c| "\e[%dm" % String::Colorizer.colors[c] } * ''
+        style = "\e[%d;%dm" % ColoredLevels[level].map{|color| String::Colorizer.modes[color] || String::Colorizer.colors[color] }
         [style, super, "\e[0m"] * ''
       end
     end
@@ -437,7 +434,7 @@ module Padrino
             env["PATH_INFO"],
             env["QUERY_STRING"].empty? ? "" : "?" + env["QUERY_STRING"],
             ' - ',
-            logger.colorize(status.to_s[0..3], :bold),
+            logger.colorize(status.to_s[0..3], :default, :bold),
             ' ',
             code_to_name(status)
           ] * '',

data/lib/padrino-core/reloader/storage.rb

@@ -6,7 +6,7 @@ module Padrino
       def clear!
         files.each_key do |file|
           remove(file)
-          $LOADED_FEATURES.delete(file)
+          Reloader.remove_feature(file)
         end
         @files = {}
       end
@@ -14,7 +14,7 @@ module Padrino
       def remove(name)
         file = files[name] || return
         file[:constants].each{ |constant| Reloader.remove_constant(constant) }
-        file[:features].each{ |feature| $LOADED_FEATURES.delete(feature) }
+        file[:features].each{ |feature| Reloader.remove_feature(feature) }
         files.delete(name)
       end
 
@@ -27,7 +27,7 @@ module Padrino
         }
         features = file && file[:features] || []
         features.each{ |feature| Reloader.safe_load(feature, :force => true) }
-        $LOADED_FEATURES.delete(name) if old_features.include?(name)
+        Reloader.remove_feature(name) if old_features.include?(name)
       end
 
       def commit(name)

data/lib/padrino-core/reloader.rb

@@ -87,6 +87,7 @@ module Padrino
       began_at = Time.now
       file     = figure_path(file)
       return unless options[:force] || file_changed?(file)
+      return require(file) if external_feature?(file)
 
       Storage.prepare(file) # might call #safe_load recursively
       logger.devel(file_new?(file) ? :loading : :reload, began_at, file)
@@ -116,6 +117,13 @@ module Padrino
     rescue NameError
     end
 
+    ##
+    # Remove a feature from $LOADED_FEATURES so it can be required again.
+    #
+    def remove_feature(file)
+      $LOADED_FEATURES.delete(file) unless external_feature?(file)
+    end
+
     ##
     # Returns the list of special tracked files for Reloader.
     #
@@ -229,6 +237,13 @@ module Padrino
       files + special_files
     end
 
+    ##
+    # Tells if a feature is internal or external for Padrino project.
+    #
+    def external_feature?(file)
+      !file.start_with?(Padrino.root)
+    end
+
     def constant_excluded?(const)
       (exclude_constants - include_constants).any?{ |c| const._orig_klass_name.start_with?(c) }
     end

data/lib/padrino-core/router.rb

@@ -79,13 +79,17 @@ module Padrino
 
         rest = "/" if rest.empty?
 
-        last_result = app.call(env.merge('SCRIPT_NAME' => script_name + path, 'PATH_INFO' => rest))
+        env['SCRIPT_NAME'] = script_name + path
+        env['PATH_INFO'] = rest
+        last_result = app.call(env)
 
         cascade_setting = app.respond_to?(:cascade) ? app.cascade : true
         cascade_statuses = cascade_setting.respond_to?(:include?) ? cascade_setting : Mounter::DEFAULT_CASCADE
         break unless cascade_setting && cascade_statuses.include?(last_result[0])
       end
       last_result || begin
+        env['SCRIPT_NAME'] = script_name
+        env['PATH_INFO'] = path_info
         Padrino::Logger::Rack.new(nil,'/').send(:log, env, 404, {}, began_at) if logger.debug?
         [404, {"Content-Type" => "text/plain", "X-Cascade" => "pass"}, ["Not Found: #{path_info}"]]
       end

data/lib/padrino-core/server.rb

@@ -44,6 +44,8 @@ module Padrino
       options.update(detect_address(options))
       options[:pid] = prepare_pid(options[:pid]) if options[:daemonize]
       options[:server] = detect_rack_handler if options[:server].blank?
+      # disable Webrick AccessLog
+      options[:AccessLog] = []
       new(options, app).start
     end
 

data/lib/padrino-core/version.rb

@@ -6,7 +6,7 @@
 #
 module Padrino
   # The version constant for the current version of Padrino.
-  VERSION = '0.12.1' unless defined?(Padrino::VERSION)
+  VERSION = '0.12.2' unless defined?(Padrino::VERSION)
 
   #
   # The current Padrino version.

data/test/fixtures/apps/helpers/support.rb

@@ -0,0 +1 @@
+require 'active_support/logger_silence'

data/test/test_application.rb

@@ -65,6 +65,36 @@ describe "Application" do
       assert_equal 'shared', body
     end
 
+    it 'should able to set custome session management' do
+      class PadrinoTestApp3 < Padrino::Application
+        set :sessions, :use => Rack::Session::Pool
+      end
+      Padrino.mount("PadrinoTestApp3").to("/")
+      PadrinoTestApp3.get('/write') { session[:foo] = "pool" }
+      PadrinoTestApp3.get('/read') { session[:foo] }
+      @app = Padrino.application
+      get '/write'
+      get '/read'
+      assert_equal 'pool', body
+    end
+
+    it 'should have different session values in different session management' do
+      class PadrinoTestApp3 < Padrino::Application
+        enable :sessions
+      end
+      class PadrinoTestApp4 < Padrino::Application
+        set :sessions, :use => Rack::Session::Pool
+      end
+      Padrino.mount("PadrinoTestApp3").to("/write")
+      Padrino.mount("PadrinoTestApp4").to("/read")
+      PadrinoTestApp3.get('/') { session[:foo] = "cookie" }
+      PadrinoTestApp4.get('/') { session[:foo] }
+      @app = Padrino.application
+      get '/write'
+      get '/read'
+      assert_equal '', body
+    end
+
     # compare to: test_routing: allow global provides
     it 'should set content_type to nil if none can be determined' do
       mock_app do

data/test/test_csrf_protection.rb

@@ -27,6 +27,17 @@ describe "Application" do
         post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"}
         assert_equal 403, status
       end
+
+      it 'should allow requests with correct X-CSRF-TOKEN' do
+        post "/", {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a"
+        assert_equal 200, status
+      end
+
+      it 'should not allow requests with incorrect X-CSRF-TOKEN' do
+        post "/", {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b"
+        assert_equal 403, status
+      end
+
     end
 
     describe "without CSRF protection on" do
@@ -45,13 +56,23 @@ describe "Application" do
 
       it 'should allow requests with correct tokens' do
         post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"}
-        assert_equal 200, status        
+        assert_equal 200, status
       end
 
       it 'should allow requests with incorrect tokens' do
         post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"}
         assert_equal 200, status
       end
+
+      it 'should allow requests with correct X-CSRF-TOKEN' do
+        post "/", {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a"
+        assert_equal 200, status
+      end
+
+      it 'should allow requests with incorrect X-CSRF-TOKEN' do
+        post "/", {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b"
+        assert_equal 200, status
+      end
     end
 
     describe "with optional CSRF protection" do

data/test/test_logger.rb

@@ -71,7 +71,7 @@ describe "PadrinoLogger" do
         get("/"){ "Foo" }
       end
       get "/"
-      assert_match /\e\[1m200\e\[0m OK/, Padrino.logger.log.string
+      assert_match /\e\[1;9m200\e\[0m OK/, Padrino.logger.log.string
     end
 
     describe "static asset logging" do
@@ -110,11 +110,11 @@ describe "PadrinoLogger" do
       it 'should output under debug level' do
         Padrino.logger.instance_eval{ @level = Padrino::Logger::Levels[:debug] }
         access_to_mock_app
-        assert_match /\e\[36m  DEBUG\e\[0m/, Padrino.logger.log.string
+        assert_match /\e\[0;36m  DEBUG\e\[0m/, Padrino.logger.log.string
 
         Padrino.logger.instance_eval{ @level = Padrino::Logger::Levels[:devel] }
         access_to_mock_app
-        assert_match /\e\[36m  DEBUG\e\[0m/, Padrino.logger.log.string
+        assert_match /\e\[0;36m  DEBUG\e\[0m/, Padrino.logger.log.string
       end
       it 'should not output over debug level' do
         Padrino.logger.instance_eval{ @level = Padrino::Logger::Levels[:info] }
@@ -164,7 +164,7 @@ describe "alternate logger" do
     end
     get "/"
 
-    assert_match /\e\[1m200\e\[0m OK/, @log.string
+    assert_match /\e\[1;9m200\e\[0m OK/, @log.string
   end
 end
 
@@ -190,7 +190,7 @@ describe "alternate logger: stdlib logger" do
     end
     get "/"
 
-    assert_match /\e\[1m200\e\[0m OK/, @log.string
+    assert_match /\e\[1;9m200\e\[0m OK/, @log.string
   end
 end
 
@@ -207,7 +207,7 @@ describe "options :colorize_logging" do
       Padrino::Logger.setup!
 
       access_to_mock_app
-      assert_match /\e\[1m200\e\[0m OK/, Padrino.logger.log.string
+      assert_match /\e\[1;9m200\e\[0m OK/, Padrino.logger.log.string
     end
   end
   describe 'set value is false' do

data/test/test_params_protection.rb

@@ -0,0 +1,159 @@
+require File.expand_path(File.dirname(__FILE__) + '/helper')
+require 'active_support/core_ext/hash/conversions'
+
+describe "Padrino::ParamsProtection" do
+  before do
+    @teri = { 'name' => 'Teri Bauer', 'position' => 'baby' }
+    @kim = { 'name' => 'Kim Bauer', 'position' => 'daughter', 'child' => @teri }
+    @jack = { 'name' => 'Jack Bauer', 'position' => 'terrorist', 'child' => @kim }
+    @family = { 'name' => 'Bauer', 'persons' => { 1 => @teri, 2 => @kim, 3 => @jack } }
+  end
+
+  it 'should drop all parameters except allowed ones' do
+    result = nil
+    mock_app do
+      post :basic, :params => [ :name ] do
+        result = params
+        ''
+      end
+    end
+    post '/basic?' + @jack.to_query
+    assert_equal({ 'name' => @jack['name'] }, result)
+  end
+
+  it 'should preserve original params' do
+    result = nil
+    mock_app do
+      post :basic, :params => [ :name ] do
+        result = original_params
+        ''
+      end
+    end
+    post '/basic?' + @jack.to_query
+    assert_equal(@jack, result)
+  end
+
+  it 'should work with recursive data' do
+    result = nil
+    mock_app do
+      post :basic, :params => [ :name, :child => [ :name, :child => [ :name ] ] ] do
+        result = [params, original_params]
+        ''
+      end
+    end
+    post '/basic?' + @jack.to_query
+    assert_equal(
+      [
+        { 'name' => @jack['name'], 'child' => { 'name' => @kim['name'], 'child' => { 'name' => @teri['name'] } } },
+        @jack
+      ],
+      result
+    )
+  end
+
+  it 'should be able to process the data' do
+    result = nil
+    mock_app do
+      post :basic, :params => [ :name, :position => proc{ |v| 'anti-'+v } ] do
+        result = params
+        ''
+      end
+    end
+    post '/basic?' + @jack.to_query
+    assert_equal({ 'name' => @jack['name'], 'position' => 'anti-terrorist' }, result)
+  end
+
+  it 'should pass :with parameters' do
+    result = nil
+    mock_app do
+      post :basic, :with => [:id, :tag], :params => [ :name ] do
+        result = params
+        ''
+      end
+    end
+    post '/basic/24/42?' + @jack.to_query
+    assert_equal({ 'name' => @jack['name'], 'id' => '24', 'tag' => '42' }, result)
+  end
+
+  it 'should understand true or false values' do
+    result = nil
+    mock_app do
+      get :hide, :with => [ :id ], :params => false do
+        result = params
+        ''
+      end
+      get :show, :with => [ :id ], :params => true do
+        result = params
+        ''
+      end
+    end
+    get '/hide/1?' + @jack.to_query
+    assert_equal({"id"=>"1"}, result)
+    get '/show/1?' + @jack.to_query
+    assert_equal({"id"=>"1"}.merge(@jack), result)
+  end
+
+  it 'should be configurable with controller options' do
+    result = nil
+    mock_app do
+      controller :persons, :params => [ :name ] do
+        post :create, :params => [ :name, :position ] do
+          result = params
+          ''
+        end
+        post :update, :with => [ :id ] do
+          result = params
+          ''
+        end
+        post :delete, :params => true do
+          result = params
+          ''
+        end
+        post :destroy, :with => [ :id ], :params => false do
+          result = params
+          ''
+        end
+      end
+      controller :noparam, :params => false do
+        get :index do
+          result = params
+          ''
+        end
+      end
+    end
+    post '/persons/create?' + @jack.to_query
+    assert_equal({ 'name' => @jack['name'], 'position' => 'terrorist' }, result)
+    post '/persons/update/1?name=Chloe+O\'Brian&position=hacker'
+    assert_equal({ 'id' => '1', 'name' => 'Chloe O\'Brian' }, result)
+    post '/persons/delete?' + @jack.to_query
+    assert_equal(@jack, result)
+    post '/persons/destroy/1?' + @jack.to_query
+    assert_equal({"id"=>"1"}, result)
+    get '/noparam?a=1;b=2'
+    assert_equal({}, result)
+  end
+
+  it 'should successfully filter hashes' do
+    result = nil
+    mock_app do
+      post :family, :params => [ :persons => [ :name ] ] do
+        result = params
+        ''
+      end
+    end
+    post '/family?' + @family.to_query
+    assert_equal({"persons" => {"3" => {"name" => @jack["name"]}, "2" => {"name" => @kim["name"]}, "1" => {"name" => @teri["name"]}}}, result)
+  end
+
+  it 'should pass arrays' do
+    result = nil
+    mock_app do
+      post :family, :params => [ :names => [] ] do
+        result = params
+        ''
+      end
+    end
+    post '/family?names[]=Jack&names[]=Kim&names[]=Teri'
+    assert_equal({"names" => %w[Jack Kim Teri]}, result)
+  end
+end

data/test/test_reloader_simple.rb

@@ -84,7 +84,7 @@ describe "SimpleReloader" do
       assert_equal 2, @app.filters[:after].size # app + content-type + padrino-flash
       assert_equal 0, @app.middleware.size
       assert_equal 4, @app.routes.size # GET+HEAD of "/" + GET+HEAD of "/rand" = 4
-      assert_equal 3, @app.extensions.size # [Padrino::ApplicationSetup, Padrino::Routing, Padrino::Flash]
+      assert_equal 4, @app.extensions.size # [Padrino::ApplicationSetup, Padrino::ParamsProtection, Padrino::Routing, Padrino::Flash]
       assert_equal 0, @app.templates.size
       @app.reload!
       get "/rand"
@@ -94,7 +94,7 @@ describe "SimpleReloader" do
       assert_equal 2, @app.filters[:after].size
       assert_equal 0, @app.middleware.size
       assert_equal 4, @app.routes.size # GET+HEAD of "/" = 2
-      assert_equal 3, @app.extensions.size # [Padrino::ApplicationSetup, Padrino::Routing, Padrino::Flash]
+      assert_equal 4, @app.extensions.size # [Padrino::ApplicationSetup, Padrino::ParamsProtection, Padrino::Routing, Padrino::Flash]
       assert_equal 0, @app.templates.size
     end
   end

data/test/test_router.rb

@@ -262,4 +262,20 @@ describe "Router" do
     res = Rack::MockRequest.new(Padrino.application).get("/foo/", "HTTP_HOST" => "bar.padrino.org")
     assert res.ok?
   end
+
+  it 'should keep the same environment object' do
+    app = lambda { |env|
+      env['path'] = env['PATH_INFO']
+      [200, {'Content-Type' => 'text/plain'}, [""]]
+    }
+    map = Padrino::Router.new(
+      { :path => '/bar',     :to => app },
+      { :path => '/foo/bar', :to => app },
+      { :path => '/foo',     :to => app }
+    )
+
+    env = Rack::MockRequest.env_for("/bar/foo")
+    map.call(env)
+    assert_equal "/foo", env["path"]
+  end
 end

data/test/test_routing.rb

@@ -7,6 +7,7 @@ class FooError < RuntimeError; end
 describe "Routing" do
   before do
     Padrino.clear!
+    ENV['RACK_BASE_URI'] = nil
   end
 
   it 'should serve static files with simple cache control' do
@@ -215,6 +216,8 @@ describe "Routing" do
       get(:foo, :with => :id){ |id| "/foo/#{id}" }
       get([:foo, :id]){ |id| "/foo/#{id}" }
       get(:hash, :with => :id){ url(:hash, :id => 1) }
+      get(:anchor) { url(:anchor, :anchor => 'comments') }
+      get(:fragment) { url(:anchor, :fragment => 'comments') }
       get([:hash, :id]){ url(:hash, :id => 1) }
       get(:array, :with => :id){ url(:array, 23) }
       get([:array, :id]){ url(:array, 23) }
@@ -232,6 +235,10 @@ describe "Routing" do
     assert_equal "/foo/123", body
     get "/hash/2"
     assert_equal "/hash/1", body
+    get "/anchor"
+    assert_equal "/anchor#comments", body
+    get "/fragment"
+    assert_equal "/anchor#comments", body
     get "/array/23"
     assert_equal "/array/23", body
     get "/hash_with_extra/1"
@@ -858,6 +865,18 @@ describe "Routing" do
     ENV['RACK_BASE_URI'] = nil
   end
 
+  it 'should use uri_root and RACK_BASE_URI' do
+    mock_app do
+      controller :foo do
+        get(:bar){ "bar" }
+      end
+    end
+    ENV['RACK_BASE_URI'] = '/base'
+    @app.uri_root = 'testing'
+    assert_equal '/base/testing/foo/bar', @app.url(:foo, :bar)
+    ENV['RACK_BASE_URI'] = nil
+  end
+
   it 'should reset routes' do
     mock_app do
       get("/"){ "foo" }
@@ -898,6 +917,17 @@ describe "Routing" do
     assert_equal "hello", body
   end
 
+  it 'should set the params correctly even if using prioritized routes' do
+    mock_app do
+      get("*__sinatra__/:image.png"){}
+      get "/:primary/:secondary", :priority => :low do
+        "#{params[:primary]} #{params[:secondary]}"
+      end
+    end
+    get "/abc/def"
+    assert_equal "abc def", body
+  end
+
   it 'should catch all after controllers' do
     mock_app do
       get(:index, :with => :slug, :priority => :low) { "catch all" }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: padrino-core
 version: !ruby/object:Gem::Version
-  version: 0.12.1
+  version: 0.12.2
 platform: ruby
 authors:
 - Padrino Team
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-04 00:00:00.000000000 Z
+date: 2014-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: padrino-support
@@ -19,14 +19,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.12.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.12.2
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -117,6 +117,7 @@ files:
 - lib/padrino-core/application/application_setup.rb
 - lib/padrino-core/application/authenticity_token.rb
 - lib/padrino-core/application/flash.rb
+- lib/padrino-core/application/params_protection.rb
 - lib/padrino-core/application/routing.rb
 - lib/padrino-core/application/show_exceptions.rb
 - lib/padrino-core/caller.rb
@@ -148,6 +149,7 @@ files:
 - test/fixtures/apps/complex.rb
 - test/fixtures/apps/demo_app.rb
 - test/fixtures/apps/demo_demo.rb
+- test/fixtures/apps/helpers/support.rb
 - test/fixtures/apps/helpers/system_helpers.rb
 - test/fixtures/apps/kiq.rb
 - test/fixtures/apps/lib/myklass.rb
@@ -174,6 +176,7 @@ files:
 - test/test_locale.rb
 - test/test_logger.rb
 - test/test_mounter.rb
+- test/test_params_protection.rb
 - test/test_reloader_complex.rb
 - test/test_reloader_simple.rb
 - test/test_reloader_system.rb
@@ -214,6 +217,7 @@ test_files:
 - test/fixtures/apps/complex.rb
 - test/fixtures/apps/demo_app.rb
 - test/fixtures/apps/demo_demo.rb
+- test/fixtures/apps/helpers/support.rb
 - test/fixtures/apps/helpers/system_helpers.rb
 - test/fixtures/apps/kiq.rb
 - test/fixtures/apps/lib/myklass.rb
@@ -240,6 +244,7 @@ test_files:
 - test/test_locale.rb
 - test/test_logger.rb
 - test/test_mounter.rb
+- test/test_params_protection.rb
 - test/test_reloader_complex.rb
 - test/test_reloader_simple.rb
 - test/test_reloader_system.rb