author David Heinemeier Hansson <david@loudthinking.com> 2005-02-17 18:59:51 +0000
committer David Heinemeier Hansson <david@loudthinking.com> 2005-02-17 18:59:51 +0000
commit 04b8bc1bdd13de1a5a47239bea12229ca98dd0cc
tree 4b6e03b7877af32102476a0359eefcee507e58e0
parent 761b18a564182f84b914b8510d092d4311423d7d
Fixed that a bunch of methods from ActionController::Base were accessible as actions (callable through a URL) when they shouldn't have been #644 [Nicholas Seckar]. Base#hide_actions(*names) to hide public methods from a controller that would otherwise have been callable through the URL. For the majority of cases, it's preferred just to make the methods you don't want to expose protected or private (so they'll automatically be hidden) -- but if you must have a public method, this is a way to make it uncallable. Base#hidden_actions retrieves the list of all hidden actions for the controller #644 [Nicholas Seckar]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@646 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
-rw-r--r-- actionpack/CHANGELOG 6
-rwxr-xr-x actionpack/lib/action_controller/base.rb 18
2 files changed, 21 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index ae7abe5e04..3453ae96be 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,11 @@
*SVN*
+* Added Base#hide_actions(*names) to hide public methods from a controller that would otherwise have been callable through the URL. For the majority of cases, its preferred just to make the methods you don't want to expose protected or private (so they'll automatically be hidden) -- but if you must have a public method, this is a way to make it uncallable. Base#hidden_actions retrieve the list of all hidden actions for the controller #644 [Nicholas Seckar]
+
+* Fixed that a bunch of methods from ActionController::Base was accessible as actions (callable through a URL) when they shouldn't have been #644 [Nicholas Seckar]
+
+* Added UrlHelper#current_page?(options) method to check if the url_for options passed corresponds to the current page
+
* Fixed https handling on other ports than 443 [Alan Gano]
* Added follow_redirect method for functional tests that'll get-request the redirect that was made. Example:
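Review bot: The UrlHelper#current_page?(options) entry added in this hunk does not belong to this change: the commit message covers only the #644 action-hiding work, and the diffstat lists only CHANGELOG and base.rb, so no UrlHelper code arrives with it. Move that entry to the commit that adds the method. The hide_actions entry also reads "its preferred" where "it's preferred" is meant, and the "Fixed" entry would help upgraders more if it stated that public methods inherited from ActionController::Base are now hidden by default.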
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 7883233e84..421438414d 100755
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -285,6 +285,19 @@ module ActionController #:nodoc:
components.shift if components.first == 'controllers' # Transitional conditional to accomodate root Controllers module
components.join('/')
end
+
+ # Return an array containing the names of public methods that have been marked hidden from the action processor.
+ # By default, all methods defined in ActionController::Base and included modules are hidden.
+ # More methods can be hidden using +hide_actions+.
+ def hidden_actions
+ write_inheritable_attribute(:hidden_actions, ActionController::Base.public_instance_methods) unless read_inheritable_attribute(:hidden_actions)
+ read_inheritable_attribute(:hidden_actions)
+ end
+
+ # Hide each of the given methods from being callable as actions.
+ def hide_actions(*names)
+ write_inheritable_attribute(:hidden_actions, hidden_actions | names.collect {|n| n.to_s})
+ end
end
public
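Review bot: hidden_actions seeds its list from ActionController::Base.public_instance_methods only on the first call, so the default is a snapshot: a public method that reaches Base after that call (a module included later, a reopened class) is not in the list and stays callable through a URL. Consider computing the default at read time, for example `ActionController::Base.public_instance_methods | (read_inheritable_attribute(:hidden_actions) || [])`, and storing only the explicitly hidden names in the inheritable attribute. The comment on hide_actions should also say that names are normalised with to_s, and whether a hide_actions call made on a parent controller after a subclass has been defined reaches that subclass.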
@@ -638,10 +651,9 @@ module ActionController #:nodoc:
end
def action_methods
- action_controller_classes = self.class.ancestors.reject{ |a| [Object, Kernel].include?(a) }
- action_controller_classes.inject([]) { |action_methods, klass| action_methods + klass.public_instance_methods(false) }
+ @action_methods ||= (self.class.public_instance_methods - self.class.hidden_actions)
end
-
+
def add_variables_to_assigns
add_instance_variables_to_assigns
add_class_variables_to_assigns if view_controller_internals
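Review bot: The memoised @action_methods in action_methods is a new controller instance variable, and the context just below calls add_instance_variables_to_assigns, so confirm it is excluded from what gets copied into the view assigns; otherwise the list of callable actions would be exposed to every template. Because `self.class.public_instance_methods - self.class.hidden_actions` is now the only gate between public methods and URL dispatch, the change needs a functional test that requests a method inherited from Base and a name passed to hide_actions and asserts neither is dispatched; the diffstat shows no test file. The blank-line replacement after the method is whitespace-only and can be dropped from the patch.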