railties 3.0.0.beta2 → 3.0.0.beta3

data/guides/source/security.textile

@@ -611,7 +611,7 @@ h4. SQL Injection
 
 -- _Thanks to clever methods, this is hardly a problem in most Rails applications. However, this is a very devastating and common attack in web applications, so it is important to understand the problem._
 
-h5. Introduction
+h5(#sql-injection-introduction). Introduction
 
 SQL injection attacks aim at influencing database queries by manipulating web application parameters. A popular goal of SQL injection attacks is to bypass authorization. Another goal is to carry out data manipulation or reading arbitrary data. Here is an example of how not to use user input data in a query:
 
@@ -668,7 +668,7 @@ The result won't be a list of projects (because there is no project with an empt
 
 Also, the second query renames some columns with the AS statement so that the web application displays the values from the user table. Be sure to update your Rails "to at least 2.1.1":http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/.
 
-h5. Countermeasures
+h5(#sql-injection-countermeasures). Countermeasures
 
 Ruby on Rails has a built in filter for special SQL characters, which will escape ' , " , NULL character and line breaks. <em class="highlight">Using +Model.find(id)+ or +Model.find_by_some thing(something)+ automatically applies this countermeasure</em>. But in SQL fragments, especially <em class="highlight">in conditions fragments (+:conditions => "..."+), the +connection.execute()+ or +Model.find_by_sql()+ methods, it has to be applied manually</em>.
 
@@ -760,7 +760,7 @@ http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode
   <script src=http://www.securitylab.ru/test/sc.js></script><!--
 </plain>
 
-h6. Countermeasures
+h6(#html-injection-countermeasures). Countermeasures
 
 _(highlight)It is very important to filter malicious input, but it is also important to escape the output of the web application_.
 
@@ -850,7 +850,7 @@ In the end, he got a 4 KB worm, which he injected into his profile page.
 
 The "moz-binding":http://www.securiteam.com/securitynews/5LP051FHPE.html CSS property proved to be another way to introduce JavaScript in CSS in Gecko-based browsers (Firefox, for example).
 
-h5. Countermeasures
+h5(#css-injection-countermeasures). Countermeasures
 
 This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colours or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one.
 
@@ -879,7 +879,7 @@ RedCloth.new("<a href='javascript:alert(1)'>hello</a>", [:filter_html]).to_html
 # => "<p><a href="javascript:alert(1)">hello</a></p>"
 </ruby>
 
-h5. Countermeasures
+h5(#textile-injection-countermeasures). Countermeasures
 
 It is recommended to _(highlight)use RedCloth in combination with a whitelist input filter_, as described in the countermeasures against XSS section.
 

data/guides/source/testing.textile

@@ -84,7 +84,7 @@ h5. ERb'in It Up
 ERb allows you embed ruby code within templates. Both the YAML and CSV fixture formats are pre-processed with ERb when you load fixtures. This allows you to use Ruby to help you generate some sample data.
 
 <erb>
-<% earth_size = 20 -%>
+<% earth_size = 20 %>
 mercury:
   size: <%= earth_size / 50 %>
   brightest_on: <%= 113.days.ago.to_s(:db) %>
@@ -411,7 +411,7 @@ NOTE: +assert_valid(record)+ has been deprecated. Please use +assert(record.vali
 |_.Assertion                                                                        |_.Purpose|
 |+assert_valid(record)+                                                             |Ensures that the passed record is valid by Active Record standards and returns any error messages if it is not.|
 |+assert_difference(expressions, difference = 1, message = nil) {...}+           |Test numeric difference between the return value of an expression as a result of what is evaluated in the yielded block.|
-|+assert_no_difference(expressions, message = nil, &block)+                         |Asserts that the numeric result of evaluating an expression is not changed before and after invoking the passed in block.|
+|+assert_no_difference(expressions, message = nil, &amp;block)+                         |Asserts that the numeric result of evaluating an expression is not changed before and after invoking the passed in block.|
 |+assert_recognizes(expected_options, path, extras={}, message=nil)+                |Asserts that the routing of the given path was handled correctly and that the parsed options (given in the expected_options hash) match path. Basically, it asserts that Rails recognizes the route given by expected_options.|
 |+assert_generates(expected_path, options, defaults={}, extras = {}, message=nil)+  |Asserts that the provided options can be used to generate the provided path. This is the inverse of assert_recognizes. The extras parameter is used to tell the request the names and values of additional request parameters that would be in a query string. The message parameter allows you to specify a custom error message for assertion failures.|
 |+assert_response(type, message = nil)+                                             |Asserts that the response comes with a specific status code. You can specify +:success+ to indicate 200,  +:redirect+ to indicate 300-399, +:missing+ to indicate 404, or +:error+ to match the 500-599 range|
@@ -940,6 +940,7 @@ h3. Changelog
 
 "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/8
 
+* April 4, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":http://jaimeiniesta.com
 * November 13, 2008: Revised based on feedback from Pratik Naik by "Akshay Surve":credits.html#asurve (not yet approved for publication)
 * October 14, 2008: Edit and formatting pass by "Mike Gunderloy":credits.html#mgunderloy (not yet approved for publication)
 * October 12, 2008: First draft by "Akshay Surve":credits.html#asurve (not yet approved for publication)

data/lib/rails.rb

@@ -79,6 +79,10 @@ module Rails
       @_env ||= ActiveSupport::StringInquirer.new(ENV["RAILS_ENV"] || ENV["RACK_ENV"] || "development")
     end
 
+    def env=(environment)
+      @_env = ActiveSupport::StringInquirer.new(environment)
+    end
+
     def cache
       RAILS_CACHE
     end
@@ -88,11 +92,12 @@ module Rails
     end
 
     def public_path
-      @@public_path ||= self.root ? File.join(self.root, "public") : "public"
+      application && application.paths.public.to_a.first
     end
 
     def public_path=(path)
-      @@public_path = path
+      ActiveSupport::Deprecation.warn "Setting Rails.public_path= is deprecated. " <<
+        "Please set paths.public = in config/application.rb instead.", caller
     end
   end
 end

data/lib/rails/application.rb

@@ -1,3 +1,4 @@
+require 'active_support/core_ext/hash/reverse_merge'
 require 'fileutils'
 require 'rails/plugin'
 require 'rails/engine'
@@ -128,8 +129,14 @@ module Rails
     end
 
     def call(env)
-      env["action_dispatch.parameter_filter"] = config.filter_parameters
-      app.call(env)
+      app.call(env.reverse_merge!(env_defaults))
+    end
+
+    def env_defaults
+      @env_defaults ||= {
+        "action_dispatch.parameter_filter" => config.filter_parameters,
+        "action_dispatch.secret_token" => config.secret_token
+      }
     end
 
     def initializers

data/lib/rails/application/configuration.rb

@@ -6,21 +6,29 @@ module Rails
       include ::Rails::Configuration::Deprecated
 
       attr_accessor :allow_concurrency, :cache_classes, :cache_store,
-                    :cookie_secret, :consider_all_requests_local, :dependency_loading,
+                    :encoding, :consider_all_requests_local, :dependency_loading,
                     :filter_parameters,  :log_level, :logger, :metals,
                     :plugins, :preload_frameworks, :reload_engines, :reload_plugins,
-                    :serve_static_assets, :time_zone, :whiny_nils
+                    :secret_token, :serve_static_assets, :time_zone, :whiny_nils
 
       def initialize(*)
         super
-        @allow_concurrency   = false
-        @filter_parameters   = []
-        @dependency_loading  = true
+        @allow_concurrency = false
+        @consider_all_requests_local = false
+        @encoding = "utf-8"
+        @filter_parameters = []
+        @dependency_loading = true
         @serve_static_assets = true
-        @time_zone           = "UTC"
-        @consider_all_requests_local = true
         @session_store = :cookie_store
         @session_options = {}
+        @time_zone = "UTC"
+      end
+
+      def encoding=(value)
+        @encoding = value
+        if defined?(Encoding) && Encoding.respond_to?(:default_external=)
+          Encoding.default_external = value
+        end
       end
 
       def middleware
@@ -37,6 +45,7 @@ module Rails
           paths.app.controllers << builtin_controller if builtin_controller
           paths.config.database    "config/database.yml"
           paths.config.environment "config/environments", :glob => "#{Rails.env}.rb"
+          paths.lib.templates      "lib/templates"
           paths.log                "log/#{Rails.env}.log"
           paths.tmp                "tmp"
           paths.tmp.cache          "tmp/cache"
@@ -123,16 +132,16 @@ module Rails
 
       def session_options
         return @session_options unless @session_store == :cookie_store
-        @session_options.merge(:secret => @cookie_secret)
+        @session_options.merge(:secret => @secret_token)
       end
 
       def default_middleware_stack
         ActionDispatch::MiddlewareStack.new.tap do |middleware|
-          middleware.use('::ActionDispatch::Static', lambda { Rails.public_path }, :if => lambda { serve_static_assets })
+          middleware.use('::ActionDispatch::Static', lambda { paths.public.to_a.first }, :if => lambda { serve_static_assets })
           middleware.use('::Rack::Lock', :if => lambda { !allow_concurrency })
           middleware.use('::Rack::Runtime')
           middleware.use('::Rails::Rack::Logger')
-          middleware.use('::ActionDispatch::ShowExceptions', lambda { consider_all_requests_local })
+          middleware.use('::ActionDispatch::ShowExceptions', lambda { consider_all_requests_local }, :if => lambda { action_dispatch.show_exceptions })
           middleware.use("::ActionDispatch::RemoteIp", lambda { action_dispatch.ip_spoofing_check }, lambda { action_dispatch.trusted_proxies })
           middleware.use('::Rack::Sendfile', lambda { action_dispatch.x_sendfile_header })
           middleware.use('::ActionDispatch::Callbacks', lambda { !cache_classes })

data/lib/rails/application/finisher.rb

@@ -3,6 +3,10 @@ module Rails
     module Finisher
       include Initializable
 
+      initializer :add_generator_templates do
+        config.generators.templates.unshift(*paths.lib.templates.to_a)
+      end
+
       initializer :ensure_load_once_paths_as_subset do
         extra = ActiveSupport::Dependencies.load_once_paths -
                 ActiveSupport::Dependencies.load_paths

data/lib/rails/backtrace_cleaner.rb

@@ -13,7 +13,7 @@ module Rails
 
       add_gem_filters
 
-      add_silencer { |line| !APP_DIRS.any? { |dir| line =~ /^#{dir}/ } }
+      add_silencer { |line| !APP_DIRS.any? { |dir| line =~ /^\/?#{dir}/ } }
     end
 
     private

data/lib/rails/commands/runner.rb

@@ -18,7 +18,7 @@ ARGV.clone.options do |opts|
   opts.on("-h", "--help",
           "Show this help message.") { $stderr.puts opts; exit }
 
-  if RUBY_PLATFORM !~ /mswin/
+  if RUBY_PLATFORM !~ /mswin|mingw/
     opts.separator ""
     opts.separator "You can also use runner as a shebang line for your scripts like this:"
     opts.separator "-------------------------------------------------------------"

data/lib/rails/configuration.rb

@@ -104,6 +104,18 @@ module Rails
           "please do paths.app.controllers instead", caller
         paths.app.controllers.to_a.uniq
       end
+
+      def cookie_secret=(value)
+        ActiveSupport::Deprecation.warn "config.cookie_secret= is deprecated, " <<
+          "please use config.secret_token= instead", caller
+        self.secret_token = value
+      end
+
+      def cookie_secret
+        ActiveSupport::Deprecation.warn "config.cookie_secret is deprecated, " <<
+          "please use config.secret_token instead", caller
+        self.secret_token
+      end
     end
   end
 end

data/lib/rails/engine.rb

@@ -20,7 +20,6 @@ module Rails
   #   # lib/my_engine.rb
   #   module MyEngine
   #     class Engine < Rails::Engine
-  #       engine_name :my_engine
   #     end
   #   end
   #
@@ -38,11 +37,12 @@ module Rails
   # Example:
   #
   #   class MyEngine < Rails::Engine
-  #     # config.middleware is shared configururation
-  #     config.middleware.use MyEngine::Middleware
-  #
   #     # Add a load path for this specific Engine
   #     config.load_paths << File.expand_path("../lib/some/path", __FILE__)
+  #
+  #     initializer "my_engine.add_middleware" do |app|
+  #       app.middlewares.use MyEngine::Middleware
+  #     end
   #   end
   # 
   # == Paths
@@ -193,17 +193,13 @@ module Rails
       app.metal_loader.paths.unshift(*paths.app.metals.to_a)
     end
 
-    initializer :add_generator_templates do |app|
-      config.generators.templates.unshift(*paths.lib.templates.to_a)
-    end
-
-    initializer :load_application_initializers do
+    initializer :load_config_initializers do
       paths.config.initializers.to_a.sort.each do |initializer|
         load(initializer)
       end
     end
 
-    initializer :load_application_classes do |app|
+    initializer :load_app_classes do |app|
       next if $rails_rake_task
 
       if app.config.cache_classes

data/lib/rails/engine/configuration.rb

@@ -20,10 +20,9 @@ module Rails
           paths.app.models          "app/models",          :eager_load => true
           paths.app.mailers         "app/mailers",         :eager_load => true
           paths.app.metals          "app/metal",           :eager_load => true
-          paths.app.views           "app/views",           :eager_load => true
+          paths.app.views           "app/views"
           paths.lib                 "lib",                 :load_path => true
           paths.lib.tasks           "lib/tasks",           :glob => "**/*.rake"
-          paths.lib.templates       "lib/templates"
           paths.config              "config"
           paths.config.initializers "config/initializers", :glob => "**/*.rb"
           paths.config.locales      "config/locales",      :glob => "*.{rb,yml}"
@@ -44,7 +43,7 @@ module Rails
       end
 
       def load_once_paths
-        @eager_load_paths ||= paths.load_once
+        @load_once_paths ||= paths.load_once
       end
 
       def load_paths

data/lib/rails/generators.rb

@@ -3,7 +3,7 @@ $:.unshift(activesupport_path) if File.directory?(activesupport_path) && !$:.inc
 
 require 'active_support'
 require 'active_support/core_ext/object/blank'
-require 'active_support/core_ext/object/singleton_class'
+require 'active_support/core_ext/kernel/singleton_class'
 require 'active_support/core_ext/array/extract_options'
 require 'active_support/core_ext/hash/deep_merge'
 require 'active_support/core_ext/module/attribute_accessors'
@@ -42,14 +42,9 @@ module Rails
     }
 
     DEFAULT_OPTIONS = {
-      :erb => {
-        :layout => true
-      },
-
       :rails => {
         :force_plural => false,
         :helper => true,
-        :layout => true,
         :orm => nil,
         :integration_tool => nil,
         :performance_tool => nil,

data/lib/rails/generators/erb/scaffold/scaffold_generator.rb

@@ -8,7 +8,6 @@ module Erb
 
       argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
 
-      class_option :layout,    :type => :boolean
       class_option :singleton, :type => :boolean, :desc => "Supply to skip index view"
 
       def create_root_folder
@@ -25,12 +24,6 @@ module Erb
         end
       end
 
-      def copy_layout_file
-        return unless options[:layout]
-        template filename_with_extensions(:layout),
-          File.join("app/views/layouts", controller_class_path, filename_with_extensions(controller_file_name))
-      end
-
     protected
 
       def available_views

data/lib/rails/generators/erb/scaffold/templates/_form.html.erb

@@ -1,5 +1,14 @@
 <%%= form_for(@<%= singular_name %>) do |f| %>
-  <%%= f.error_messages %>
+  <%% if @<%= singular_name %>.errors.any? %>
+  <div id="errorExplanation">
+    <h2><%%= pluralize(@<%= singular_name %>.errors.count, "error") %> prohibited this <%= singular_name %> from being saved:</h2>
+    <ul>
+    <%% @<%= singular_name %>.errors.full_messages.each do |msg| %>
+      <li><%%= msg %></li>
+    <%% end %>
+    </ul>
+  </div>
+  <%% end %>
 
 <% for attribute in attributes -%>
   <div class="field">

data/lib/rails/generators/erb/scaffold/templates/show.html.erb

@@ -1,3 +1,5 @@
+<p class="notice"><%%= notice %></p>
+
 <% for attribute in attributes -%>
 <p>
   <b><%= attribute.human_name %>:</b>

data/lib/rails/generators/migration.rb

@@ -2,7 +2,7 @@ module Rails
   module Generators
     # Holds common methods for migrations. It assumes that migrations has the
     # [0-9]*_name format and can be used by another frameworks (like Sequel)
-    # just by implementing the next migration number method.
+    # just by implementing the next migration version method.
     #
     module Migration
       attr_reader :migration_number, :migration_file_name, :migration_class_name
@@ -32,10 +32,10 @@ module Rails
       end
 
       # Creates a migration template at the given destination. The difference
-      # to the default template method is that the migration number is appended
+      # to the default template method is that the migration version is appended
       # to the destination file name.
       #
-      # The migration number, migration file name, migration class name are
+      # The migration version, migration file name, migration class name are
       # available as instance variables in the template to be rendered.
       #
       # ==== Examples

data/lib/rails/generators/rails/app/app_generator.rb

@@ -78,7 +78,7 @@ module Rails::Generators
     end
 
     def create_app_files
-      directory "app"
+      directory 'app'
     end
 
     def create_config_files

data/lib/rails/generators/rails/app/templates/Gemfile

@@ -2,8 +2,10 @@ source 'http://rubygems.org'
 
 <%- if options.dev? -%>
 gem 'rails', :path => '<%= Rails::Generators::RAILS_DEV_PATH %>'
+gem 'arel',  :git => 'git://github.com/rails/arel.git'
 <%- elsif options.edge? -%>
 gem 'rails', :git => 'git://github.com/rails/rails.git'
+gem 'arel',  :git => 'git://github.com/rails/arel.git'
 <%- else -%>
 gem 'rails', '<%= Rails::VERSION::STRING %>'
 

data/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb

@@ -1,3 +1,4 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
+  layout 'application'
 end

data/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title><%= app_const_base %></title>
+  <%%= stylesheet_link_tag :all %>
+  <%%= javascript_include_tag :defaults %>
+  <%%= csrf_meta_tag %>
+</head>
+<body>
+
+<%%= yield %>
+
+</body>
+</html>

data/lib/rails/generators/rails/app/templates/config/application.rb

@@ -46,7 +46,10 @@ module <%= app_const_base %>
     #   g.test_framework  :test_unit, :fixture => true
     # end
 
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters << :password
+    config.filter_parameters += [:password]
   end
 end