roda 3.53.0 → 3.56.0

data/doc/release_notes/3.54.0.txt

@@ -0,0 +1,48 @@
+= New Features
+
+* You can now override the type attribute for script tags produced
+  by the assets plugin, by providing a :type attribute when calling
+  the assets method.
+
+= Other Improvements
+
+* Reloading the render plugin after the additional_view_directories
+  plugin no longer removes the additional view directories from
+  the allowed paths for templates.
+
+* When using Rack 3, Roda will now use an instance of Rack::Headers
+  instead of a plain hash for the headers, allowing for compliance
+  with the Rack 3 SPEC (which will require lowercase header keys).
+
+* The public, multi_public, and sinatra_helpers plugin now use
+  Rack::Files instead of Rack::File if available, as Rack::File will
+  be deprecated in Rack 3.0.
+
+* The json_parser plugin no longer rewinds the request body before
+  and after reading it when used with Rack 3.0, as Rack 3.0 has
+  dropped the requirement for rewindable input.
+
+* The run_handler plugin now closes bodies for upstream 404 responses
+  when using the not_found: :pass option.
+
+* The chunked plugin no longer uses Transfer-Encoding: chunked by
+  default.  Requiring the use of Transfer-Encoding: chunked made the
+  plugin only work on HTTP 1.1, and not older or newer versions. The
+  plugin still allows for streaming template bodies as they are being
+  rendered.  To get the previous behavior of forcing the use of
+  Transfer-Encoding: chunked, you can use the :force_chunked_encoding
+  plugin option
+
+* Roda now supports testing with Rack::Lint.  This found multiple
+  violations of the Rack SPEC which are fixed in this version, and
+  should ensure that Roda stays in compliance with the Rack SPEC going
+  forward.
+
+= Backwards Compatibility
+
+* Roda will no longer set the Content-Length header for 205 responses
+  when using Rack <2.0.2, as doing so violates the Rack SPEC for those
+  Rack versions.
+
+* The drop_body plugin now drops response bodies for all 1xx responses,
+  not just for 100 and 101 responses, in compliance with the Rack SPEC.

data/doc/release_notes/3.55.0.txt

@@ -0,0 +1,12 @@
+= New Features
+
+* A :forward_response_headers option has been added to the middleware
+  plugin, which uses the response headers added by the middleware
+  as default response headers even if the middleware does not handle
+  the response. Response headers set by the underlying application
+  take precedence over response headers set by the middleware.
+
+* The render plugin view method now accepts a block and will pass the
+  block to the underlying render method call.  This is useful for
+  rendering a template that yields inside of an existing layout.
+  Previously, you had to nest render calls to do that.

data/doc/release_notes/3.56.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* RodaRequest#http_version has been added for determining the HTTP
+  version the request was submitted with.  This will be a string
+  such as "HTTP/1.0", "HTTP/1.1", "HTTP/2", etc. This will use the
+  SERVER_PROTOCOL and HTTP_VERSION entries from the environment to
+  determine which HTTP version is in use.
+
+* The status_handler method in the status_handler plugin now supports
+  a :keep_headers option.  The value for this option should be an
+  array of header names to keep.  All other headers are removed. The
+  default behavior without the option is still to remove all headers.
+
+* A run_require_slash plugin has been added, which will skip
+  dispatching to another rack application if the remaining path is not
+  empty and does not start with a slash.
+
+= Other Improvements
+
+* The status_303 plugin will use 303 as the default redirect status
+  for non-GET requests for HTTP/2 and higher HTTP versions. Previously,
+  it only used 303 for HTTP/1.1.
+
+* The not_allowed plugin now overrides the r.root method to return
+  405 responses to non-GET requests to the root.
+
+* The not_allowed plugin no longer sets the body when returning 405
+  responses using methods such as r.get and r.post. Previously, the
+  body was unintentionally set to the same value as the Allow header.
+
+* When using the Rack master branch (what will become Rack 3), Roda
+  only requires the parts of rack that it uses, instead of requiring
+  rack and relying on autoload to load the parts of rack in use.

data/lib/roda/plugins/additional_view_directories.rb

@@ -36,9 +36,7 @@ class Roda
       # is also added as an allowed path.
       def self.configure(app, view_dirs)
         view_dirs = app.opts[:additional_view_directories] = view_dirs.map{|f| app.expand_path(f, nil)}.freeze
-        opts = app.opts[:render]
-        app.opts[:render] = opts.merge(:allowed_paths=>(opts[:allowed_paths] + view_dirs).uniq.freeze)
-        opts.freeze
+        app.plugin :render, :allowed_paths=>(app.opts[:render][:allowed_paths] + view_dirs).uniq.freeze
       end
 
       module InstanceMethods

data/lib/roda/plugins/assets.rb

@@ -708,6 +708,9 @@ class Roda
         # To return the tags for a specific asset group, use an array for
         # the type, such as [:css, :frontend].
         #
+        # You can specify custom attributes for the tag by passing a hash
+        # as the attrs argument.
+        #
         # When the assets are not compiled, this will result in a separate
         # tag for each asset file.  When the assets are compiled, this will
         # result in a single tag to the compiled asset file.
@@ -720,13 +723,13 @@ class Roda
             attrs[:integrity] = "#{algo}-#{h([[hash].pack('H*')].pack('m').tr("\n", ''))}"
           end
 
-          attrs = attrs.map{|k,v| "#{k}=\"#{h(v)}\""}.join(' ')
+          attributes = attrs.map{|k,v| "#{k}=\"#{h(v)}\""}.join(' ')
 
           if ltype == :js
-            tag_start = "<script type=\"text/javascript\" #{attrs} src=\""
+            tag_start = "<script#{' type="text/javascript"' unless attrs[:type]} #{attributes} src=\""
             tag_end = "\"></script>"
           else
-            tag_start = "<link rel=\"stylesheet\" #{attrs} href=\""
+            tag_start = "<link rel=\"stylesheet\" #{attributes} href=\""
             tag_end = "\" />"
           end
 

data/lib/roda/plugins/chunked.rb

@@ -3,11 +3,11 @@
 #
 class Roda
   module RodaPlugins
-    # The chunked plugin allows you to stream responses to clients using
-    # Transfer-Encoding: chunked.  This can significantly improve performance
-    # of page rendering on the client, as it flushes the headers and top part
-    # of the layout template (generally containing references to the stylesheet
-    # and javascript assets) before rendering the content template.
+    # The chunked plugin allows you to stream rendered views to clients.
+    # This can significantly improve performance of page rendering on the
+    # client, as it flushes the headers and top part of the layout template
+    # (generally containing references to the stylesheet and javascript assets)
+    # before rendering the content template.
     #
     # This allows the client to fetch the assets while the template is still
     # being rendered.  Additionally, this plugin makes it easy to defer
@@ -17,11 +17,11 @@ class Roda
     # order to render the content template, such as retrieving values from a
     # database.
     #
-    # There are a couple disadvantages of streaming using chunked encoding.
-    # First is that the layout must be rendered before the content, so any state 
-    # changes made in your content template will not affect the layout template.
-    # Second, error handling is reduced, since if an error occurs while
-    # rendering a template, a successful response code has already been sent.
+    # There are a couple disadvantages of streaming.  First is that the layout
+    # must be rendered before the content, so any state changes made in your
+    # content template will not affect the layout template.  Second, error
+    # handling is reduced, since if an error occurs while rendering a template,
+    # a successful response code has already been sent.
     #
     # To use chunked encoding for a response, just call the chunked method
     # instead of view:
@@ -56,7 +56,6 @@ class Roda
     #     end
     #   end
     #
-    #
     # If you want to chunk all responses, pass the :chunk_by_default option
     # when loading the plugin:
     #
@@ -121,12 +120,7 @@ class Roda
     # flush to output the message to the client inside handle_chunk_error.
     #
     # In order for chunking to work, you must make sure that no proxies between
-    # the application and the client buffer responses.  Also, this
-    # plugin only works for HTTP/1.1 requests since Transfer-Encoding: chunked
-    # is not supported in HTTP/1.0.  If an HTTP/1.0 request is submitted, this
-    # plugin will automatically fallback to the normal template rendering.
-    # Note that some proxies including nginx default to HTTP/1.0 even if the
-    # client supports HTTP/1.1.  For nginx, set the proxy_http_version to 1.1.
+    # the application and the client buffer responses.
     #
     # If you are using nginx and have it set to buffer proxy responses by
     # default, you can turn this off on a per response basis using the
@@ -135,6 +129,15 @@ class Roda
     #
     #   plugin :chunked, headers: {'X-Accel-Buffering'=>'no'}
     #
+    # By default, this plugin does not use Transfer-Encoding: chunked, it only
+    # returns a body that will stream the response in chunks.  If you would like
+    # to force the use of Transfer-Encoding: chunked, you can use the
+    # :force_chunked_encoding plugin option.  If using the
+    # :force_chunked_encoding plugin option, chunking will only be used for 
+    # HTTP/1.1 requests since Transfer-Encoding: chunked is only supported
+    # in HTTP/1.1 (non-HTTP/1.1 requests will have behavior similar to
+    # calling no_chunk!).
+    #
     # The chunked plugin requires the render plugin, and only works for
     # template engines that store their template output variable in
     # @_out_buf.  Also, it only works if the content template is directly
@@ -155,12 +158,14 @@ class Roda
       # :headers :: Set default additional headers to use when calling view
       def self.configure(app, opts=OPTS)
         app.opts[:chunk_by_default] = opts[:chunk_by_default]
+        app.opts[:force_chunked_encoding] = opts[:force_chunked_encoding]
         if opts[:headers]
           app.opts[:chunk_headers] = (app.opts[:chunk_headers] || {}).merge(opts[:headers]).freeze
         end
       end
 
-      # Rack response body instance for chunked responses
+      # Rack response body instance for chunked responses using
+      # Transfer-Encoding: chunked.
       class Body
         # Save the scope of the current request handling.
         def initialize(scope)
@@ -184,6 +189,22 @@ class Roda
         end
       end
 
+      # Rack response body instance for chunked responses not
+      # using Transfer-Encoding: chunked.
+      class StreamBody
+        # Save the scope of the current request handling.
+        def initialize(scope)
+          @scope = scope
+        end
+
+        # Yield each non-empty chunk as the body.
+        def each(&block)
+          @scope.each_chunk do |chunk|
+            yield chunk if chunk && !chunk.empty?
+          end
+        end
+      end
+
       module InstanceMethods
         # Disable chunking for the current request.  Mostly useful when
         # chunking is turned on by default.
@@ -194,7 +215,7 @@ class Roda
         # If chunking by default, call chunked if it hasn't yet been
         # called and chunking is not specifically disabled.
         def view(*a)
-          if opts[:chunk_by_default] && !defined?(@_chunked)
+          if opts[:chunk_by_default] && !defined?(@_chunked) && !defined?(yield)
             chunked(*a)
           else
             super
@@ -205,7 +226,7 @@ class Roda
         # an overview.  If a block is given, it is passed to #delay.
         def chunked(template, opts=OPTS, &block)
           unless defined?(@_chunked)
-            @_chunked = env['HTTP_VERSION'] == "HTTP/1.1"
+            @_chunked = !self.opts[:force_chunked_encoding] || @_request.http_version == "HTTP/1.1" 
           end
 
           if block
@@ -235,9 +256,14 @@ class Roda
           if chunk_headers = self.opts[:chunk_headers]
             headers.merge!(chunk_headers)
           end
-          headers['Transfer-Encoding'] = 'chunked'
+          if self.opts[:force_chunked_encoding]
+            headers['Transfer-Encoding'] = 'chunked'
+            body = Body.new(self)
+          else
+            body = StreamBody.new(self)
+          end
 
-          throw :halt, res.finish_with_body(Body.new(self))
+          throw :halt, res.finish_with_body(body)
         end
 
         # Delay the execution of the block until right before the

data/lib/roda/plugins/common_logger.rb

@@ -53,7 +53,7 @@ class Roda
 
           env = @_request.env
 
-          opts[:common_logger_meth].call("#{env['HTTP_X_FORWARDED_FOR'] || env["REMOTE_ADDR"] || "-"} - #{env["REMOTE_USER"] || "-"} [#{Time.now.strftime("%d/%b/%Y:%H:%M:%S %z")}] \"#{env["REQUEST_METHOD"]} #{env["SCRIPT_NAME"]}#{env["PATH_INFO"]}#{"?#{env["QUERY_STRING"]}" if ((qs = env["QUERY_STRING"]) && !qs.empty?)} #{env["HTTP_VERSION"]}\" #{result[0]} #{((length = result[1]['Content-Length']) && (length unless length == '0')) || '-'} #{elapsed_time}\n")
+          opts[:common_logger_meth].call("#{env['HTTP_X_FORWARDED_FOR'] || env["REMOTE_ADDR"] || "-"} - #{env["REMOTE_USER"] || "-"} [#{Time.now.strftime("%d/%b/%Y:%H:%M:%S %z")}] \"#{env["REQUEST_METHOD"]} #{env["SCRIPT_NAME"]}#{env["PATH_INFO"]}#{"?#{env["QUERY_STRING"]}" if ((qs = env["QUERY_STRING"]) && !qs.empty?)} #{@_request.http_version}\" #{result[0]} #{((length = result[1]['Content-Length']) && (length unless length == '0')) || '-'} #{elapsed_time}\n")
         end
 
         # Create timer instance used for timing

data/lib/roda/plugins/cookies.rb

@@ -1,5 +1,7 @@
 # frozen-string-literal: true
 
+require 'rack/utils'
+
 #
 class Roda
   module RodaPlugins

data/lib/roda/plugins/drop_body.rb

@@ -15,22 +15,23 @@ class Roda
         DROP_BODY_STATUSES = [100, 101, 102, 204, 205, 304].freeze
         RodaPlugins.deprecate_constant(self, :DROP_BODY_STATUSES)
 
+        DROP_BODY_RANGE = 100..199
+        private_constant :DROP_BODY_RANGE
+
         # If the response status indicates a body should not be
         # returned, use an empty body and remove the Content-Length
         # and Content-Type headers.
         def finish
           r = super
           case r[0]
-          when 100, 101, 102, 204, 304
+          when DROP_BODY_RANGE, 204, 304
             r[2] = EMPTY_ARRAY
             h = r[1]
             h.delete("Content-Length")
             h.delete("Content-Type")
           when 205
             r[2] = EMPTY_ARRAY
-            h = r[1]
-            h["Content-Length"] = '0'
-            h.delete("Content-Type")
+            empty_205_headers(r[1])
           end
           r
         end

data/lib/roda/plugins/heartbeat.rb

@@ -14,6 +14,11 @@ class Roda
     #
     #   plugin :heartbeat, path: '/status'
     module Heartbeat
+      # :nocov:
+      HEADER_CLASS = (defined?(Rack::Headers) && Rack::Headers.is_a?(Class)) ? Rack::Headers : Hash
+      # :nocov:
+      private_constant :HEADER_CLASS
+
       HEARTBEAT_RESPONSE = [200, {'Content-Type'=>'text/plain'}.freeze, ['OK'.freeze].freeze].freeze
 
       # Set the heartbeat path to the given path.
@@ -28,7 +33,7 @@ class Roda
         def _roda_before_20__heartbeat
           if env['PATH_INFO'] == opts[:heartbeat_path]
             response = HEARTBEAT_RESPONSE.dup
-            response[1] = Hash[response[1]]
+            response[1] = HEADER_CLASS[response[1]]
             throw :halt, response
           end
         end

data/lib/roda/plugins/json_parser.rb

@@ -4,12 +4,16 @@ require 'json'
 
 class Roda
   module RodaPlugins
-    # The json_parser plugin parses request bodies in json format
+    # The json_parser plugin parses request bodies in JSON format
     # if the request's content type specifies json. This is mostly
     # designed for use with JSON API sites.
     #
     # This only parses the request body as JSON if the Content-Type
     # header for the request includes "json".
+    #
+    # The parsed JSON body will be available in +r.POST+, just as a
+    # parsed HTML form body would be. It will also be available in
+    # +r.params+ (which merges +r.GET+ with +r.POST+).
     module JsonParser
       DEFAULT_ERROR_HANDLER = proc{|r| r.halt [400, {}, []]}
 
@@ -25,7 +29,7 @@ class Roda
       #                     object as the second argument, so the parser needs
       #                     to respond to +call(str, request)+.
       # :wrap :: Whether to wrap uploaded JSON data in a hash with a "_json"
-      #          key.  Without this, calls to r.params will fail if a non-Hash
+      #          key.  Without this, calls to +r.params+ will fail if a non-Hash
       #          (such as an array) is uploaded in JSON format.  A value of
       #          :always will wrap all values, and a value of :unless_hash will
       #          only wrap values that are not already hashes.
@@ -52,9 +56,7 @@ class Roda
           if post_params = (env["roda.json_params"] || env["rack.request.form_hash"])
             post_params
           elsif (input = env["rack.input"]) && content_type =~ /json/
-            input.rewind
-            str = input.read
-            input.rewind
+            str = _read_json_input(input)
             return super if str.empty?
             begin
               json_params = parse_json(str)
@@ -81,6 +83,23 @@ class Roda
           args << self if roda_class.opts[:json_parser_include_request]
           roda_class.opts[:json_parser_parser].call(*args)
         end
+
+        
+        # Rack 3 dropped requirement that input be rewindable
+        if Rack.release >= '2.3'
+          # :nocov:
+          def _read_json_input(input)
+            input.read
+          end
+          # :nocov:
+        else
+          def _read_json_input(input)
+            input.rewind
+            str = input.read
+            input.rewind
+            str
+          end
+        end
       end
     end
 

data/lib/roda/plugins/middleware.rb

@@ -73,11 +73,16 @@ class Roda
       #                   and rack response for all requests passing through the middleware,
       #                   after either the middleware or next app handles the request
       #                   and returns a response.
+      # :forward_response_headers :: Whether changes to the response headers made inside
+      #                              the middleware's route block should be applied to the
+      #                              final response when the request is forwarded to the app.
+      #                              Defaults to false.
       def self.configure(app, opts={}, &block)
         app.opts[:middleware_env_var] = opts[:env_var] if opts.has_key?(:env_var)
         app.opts[:middleware_env_var] ||= 'roda.forward_next'
         app.opts[:middleware_configure] = block if block
         app.opts[:middleware_handle_result] = opts[:handle_result]
+        app.opts[:middleware_forward_response_headers] = opts[:forward_response_headers]
       end
 
       # Forwarder instances are what is actually used as middleware.
@@ -108,6 +113,10 @@ class Roda
 
           if call_next
             res = @app.call(env)
+
+            if modified_headers = env.delete('roda.response_headers')
+              res[1] = modified_headers.merge(res[1])
+            end
           end
 
           if handle_result = @mid.opts[:middleware_handle_result]
@@ -135,7 +144,10 @@ class Roda
         def call(&block)
           super do |r|
             res = instance_exec(r, &block) # call Fallback
-            throw :next, true if r.forward_next
+            if r.forward_next
+              r.env['roda.response_headers'] = response.headers if opts[:middleware_forward_response_headers]
+              throw :next, true
+            end
             res
           end
         end
@@ -144,7 +156,10 @@ class Roda
         # that the next middleware is called.
         def _roda_run_main_route(r)
           res = super
-          throw :next, true if r.forward_next
+          if r.forward_next
+            r.env['roda.response_headers'] = response.headers if opts[:middleware_forward_response_headers]
+            throw :next, true
+          end
           res
         end
       end

data/lib/roda/plugins/multi_public.rb

@@ -1,5 +1,13 @@
 # frozen-string-literal: true
 
+begin
+  require 'rack/files'
+rescue LoadError
+  # :nocov:
+  require 'rack/file'
+  # :nocov:
+end
+
 #
 class Roda
   module RodaPlugins
@@ -58,6 +66,10 @@ class Roda
     #     end
     #   end
     module MultiPublic
+      # :nocov:
+      RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
+      # :nocov:
+
       def self.load_dependencies(app, _, opts=OPTS)
         app.plugin(:public, opts)
       end
@@ -67,7 +79,7 @@ class Roda
         roots = app.opts[:multi_public_servers] = (app.opts[:multi_public_servers] || {}).dup
         directories.each do |key, path|
           path, headers, mime = path
-          roots[key] = ::Rack::File.new(app.expand_path(path), headers||{}, mime||'text/plain')
+          roots[key] = RACK_FILES.new(app.expand_path(path), headers||{}, mime||'text/plain')
         end
         roots.freeze
       end

data/lib/roda/plugins/not_allowed.rb

@@ -17,6 +17,9 @@ class Roda
     # will return a 200 response for <tt>GET /</tt> and a 405
     # response for <tt>POST /</tt>.
     #
+    # This plugin changes the +r.root+ method to return a 405 status
+    # for non-GET requests to +/+.
+    #
     # This plugin also changes the +r.is+ method so that if you use
     # a verb method inside +r.is+, it returns a 405 status if none
     # of the verb methods match.  So this code:
@@ -100,6 +103,15 @@ class Roda
           end
         end
 
+        # Treat +r.root+ similar to <tt>r.get ''</tt>, using a 405
+        # response for non-GET requests.
+        def root
+          super
+          if @remaining_path == "/"  && !is_get?
+            always{method_not_allowed("GET")}
+          end
+        end
+
         # Setup methods for all verbs.  If inside an is block and not given
         # arguments, record the verb used.  If given an argument, add an is
         # check with the arguments.
@@ -129,6 +141,7 @@ class Roda
           res = response
           res.status = 405
           res['Allow'] = verbs
+          nil
         end
       end
     end

data/lib/roda/plugins/public.rb

@@ -2,6 +2,14 @@
 
 require 'uri'
 
+begin
+  require 'rack/files'
+rescue LoadError
+  # :nocov:
+  require 'rack/file'
+  # :nocov:
+end
+
 #
 class Roda
   module RodaPlugins
@@ -37,6 +45,9 @@ class Roda
     module Public
       SPLIT = Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact)
       PARSER = URI::DEFAULT_PARSER
+      # :nocov:
+      RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
+      # :nocov:
 
       # Use options given to setup a Rack::File instance for serving files. Options:
       # :default_mime :: The default mime type to use if the mime type is not recognized.
@@ -52,7 +63,7 @@ class Roda
         elsif !app.opts[:public_root]
           app.opts[:public_root] = app.expand_path("public")
         end
-        app.opts[:public_server] = ::Rack::File.new(app.opts[:public_root], opts[:headers]||{}, opts[:default_mime] || 'text/plain')
+        app.opts[:public_server] = RACK_FILES.new(app.opts[:public_root], opts[:headers]||{}, opts[:default_mime] || 'text/plain')
         app.opts[:public_gzip] = opts[:gzip]
         app.opts[:public_brotli] = opts[:brotli]
       end
@@ -99,7 +110,10 @@ class Roda
           public_serve_compressed(server, path, '.gz', 'gzip') if roda_opts[:public_gzip]
 
           if public_file_readable?(path)
-            halt public_serve(server, path)
+            s, h, b = public_serve(server, path)
+            headers = response.headers
+            headers.replace(h)
+            halt [s, headers, b]
           end
         end
 
@@ -108,21 +122,22 @@ class Roda
             compressed_path = path + suffix
 
             if public_file_readable?(compressed_path)
-              res = public_serve(server, compressed_path)
-              headers = res[1]
+              s, h, b = public_serve(server, compressed_path)
+              headers = response.headers
+              headers.replace(h)
 
-              unless res[0] == 304
+              unless s == 304
                 headers['Content-Type'] = ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
                 headers['Content-Encoding'] = encoding
               end
 
-              halt res
+              halt [s, headers, b]
             end
           end
         end
 
         if ::Rack.release > '2'
-          # Serve the given path using the given Rack::File server.
+          # Serve the given path using the given Rack::Files server.
           def public_serve(server, path)
             server.serving(self, path)
           end

data/lib/roda/plugins/render.rb

@@ -495,8 +495,10 @@ class Roda
 
         # Render the given template.  If there is a default layout
         # for the class, take the result of the template rendering
-        # and render it inside the layout.  See Render for details.
-        def view(template, opts = (content = _optimized_view_content(template); OPTS))
+        # and render it inside the layout.  Blocks passed to view
+        # are passed to render when rendering the template.
+        # See Render for details.
+        def view(template, opts = (content = _optimized_view_content(template) unless defined?(yield); OPTS), &block)
           if content
             # First, check if the optimized layout method has already been created,
             # and use it if so.  This way avoids the extra conditional and local variable
@@ -516,7 +518,7 @@ class Roda
             end
           else
             opts = parse_template_opts(template, opts)
-            content = opts[:content] || render_template(opts)
+            content = opts[:content] || render_template(opts, &block)
           end
 
           if layout_opts  = view_layout_opts(opts)

data/lib/roda/plugins/route_csrf.rb

@@ -4,6 +4,7 @@ require 'base64'
 require 'openssl'
 require 'securerandom'
 require 'uri'
+require 'rack/utils'
 
 class Roda
   module RodaPlugins
@@ -191,7 +192,9 @@ class Roda
             when :raise
               raise InvalidToken, msg
             when :empty_403
-              throw :halt, [403, {'Content-Type'=>'text/html', 'Content-Length'=>'0'}, []]
+              @_response.status = 403
+              @_response.headers.replace('Content-Type'=>'text/html', 'Content-Length'=>'0')
+              throw :halt, @_response.finish_with_body([])
             when :clear_session
               session.clear
             when :csrf_failure_method

data/lib/roda/plugins/run_append_slash.rb

@@ -34,7 +34,7 @@ class Roda
         # path internally, or a redirect is issued when configured with
         # <tt>use_redirects: true</tt>.
         def run(*)
-          if remaining_path.empty?
+          if @remaining_path.empty?
             if scope.opts[:run_append_slash_redirect]
               redirect("#{path}/")
             else