authorXavier Noria <fxn@hashref.com>2010-04-06 15:38:05 -0700
committerXavier Noria <fxn@hashref.com>2010-04-06 15:38:05 -0700
commit4c4fd1a60ff1c060e76e9ee540074756510f53ea (patch)
tree77da1c66c127e36c8b00825b676d9267a9ef4cd6 /actionpack/lib/action_controller
parent03cb74b9461293b96ae0add8ff5efda132dabba0 (diff)
parentaf130575249571464ec984efa84fcea1267e8cf8 (diff)
Merge commit 'rails/master'
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/base.rb90
-rw-r--r--actionpack/lib/action_controller/deprecated/base.rb16
-rw-r--r--actionpack/lib/action_controller/metal/cookies.rb3
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb17
-rw-r--r--actionpack/lib/action_controller/railtie.rb1
5 files changed, 70 insertions, 57 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 46a175d2fa..1dfc240029 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -2,48 +2,59 @@ module ActionController
class Base < Metal
abstract!
- include AbstractController::Layouts
- include AbstractController::Translation
+ def self.without_modules(*modules)
+ modules = modules.map do |m|
+ m.is_a?(Symbol) ? ActionController.const_get(m) : m
+ end
- include ActionController::Helpers
-
- include ActionController::HideActions
- include ActionController::UrlFor
- include ActionController::Redirecting
- include ActionController::Rendering
- include ActionController::Renderers::All
- include ActionController::ConditionalGet
- include ActionController::RackDelegation
+ MODULES - modules
+ end
- # Legacy modules
- include SessionManagement
- include ActionController::Caching
- include ActionController::MimeResponds
- include ActionController::PolymorphicRoutes
+ MODULES = [
+ AbstractController::Layouts,
+ AbstractController::Translation,
- # Rails 2.x compatibility
- include ActionController::Compatibility
- include ActionController::ImplicitRender
+ Helpers,
+ HideActions,
+ UrlFor,
+ Redirecting,
+ Rendering,
+ Renderers::All,
+ ConditionalGet,
+ RackDelegation,
+ SessionManagement,
+ Caching,
+ MimeResponds,
+ PolymorphicRoutes,
+ ImplicitRender,
+
+ Cookies,
+ Flash,
+ Verification,
+ RequestForgeryProtection,
+ Streaming,
+ RecordIdentifier,
+ HttpAuthentication::Basic::ControllerMethods,
+ HttpAuthentication::Digest::ControllerMethods,
+
+ # Add instrumentations hooks at the bottom, to ensure they instrument
+ # all the methods properly.
+ Instrumentation,
- include ActionController::Cookies
- include ActionController::Flash
- include ActionController::Verification
- include ActionController::RequestForgeryProtection
- include ActionController::Streaming
- include ActionController::RecordIdentifier
- include ActionController::HttpAuthentication::Basic::ControllerMethods
- include ActionController::HttpAuthentication::Digest::ControllerMethods
+ # Before callbacks should also be executed the earliest as possible, so
+ # also include them at the bottom.
+ AbstractController::Callbacks,
- # Add instrumentations hooks at the bottom, to ensure they instrument
- # all the methods properly.
- include ActionController::Instrumentation
+ # The same with rescue, append it at the end to wrap as much as possible.
+ Rescue
+ ]
- # Before callbacks should also be executed the earliest as possible, so
- # also include them at the bottom.
- include AbstractController::Callbacks
+ MODULES.each do |mod|
+ include mod
+ end
- # The same with rescue, append it at the end to wrap as much as possible.
- include ActionController::Rescue
+ # Rails 2.x compatibility
+ include ActionController::Compatibility
def self.inherited(klass)
::ActionController::Base.subclasses << klass.to_s
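Review bot: `without_modules` is added with no comment, and the list it subtracts from now contains `RequestForgeryProtection` and both `HttpAuthentication` controller modules, so a caller that builds a reduced module list can drop those protections with nothing at the call site to flag it. A short comment above the method would help, for example `# Returns MODULES minus the given modules (symbols are resolved under ActionController). Leaving out RequestForgeryProtection removes CSRF checks from controllers built on the result.` `MODULES` is also a mutable array constant; closing the literal with `].freeze` would stop later code from altering the include list in place. The class body continues beyond this hunk.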
@@ -55,15 +66,6 @@ module ActionController
@subclasses ||= []
end
- # This method has been moved to ActionDispatch::Request.filter_parameters
- def self.filter_parameter_logging(*args, &block)
- ActiveSupport::Deprecation.warn("Setting filter_parameter_logging in ActionController is deprecated and has no longer effect, please set 'config.filter_parameters' in config/application.rb instead", caller)
- filter = Rails.application.config.filter_parameters
- filter.concat(args)
- filter << block if block
- filter
- end
-
ActiveSupport.run_load_hooks(:action_controller, self)
end
end
diff --git a/actionpack/lib/action_controller/deprecated/base.rb b/actionpack/lib/action_controller/deprecated/base.rb
index 2fd60aacc7..05551ffee4 100644
--- a/actionpack/lib/action_controller/deprecated/base.rb
+++ b/actionpack/lib/action_controller/deprecated/base.rb
@@ -6,6 +6,15 @@ module ActionController
deprecated_config_writer(option, message)
end
+ # This method has been moved to ActionDispatch::Request.filter_parameters
+ def filter_parameter_logging(*args, &block)
+ ActiveSupport::Deprecation.warn("Setting filter_parameter_logging in ActionController is deprecated and has no longer effect, please set 'config.filter_parameters' in config/application.rb instead", caller)
+ filter = Rails.application.config.filter_parameters
+ filter.concat(args)
+ filter << block if block
+ filter
+ end
+
def deprecated_config_reader(option, message = nil)
message ||= "Reading #{option} directly from ActionController::Base is deprecated. " \
"Please read it from config.#{option}"
@@ -68,14 +77,11 @@ module ActionController
def cookie_verifier_secret=(value)
ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret= is deprecated. " <<
- "Please configure it on your application with config.cookie_secret=", caller
- ActionController::Base.config.secret = value
+ "Please configure it on your application with config.secret_token=", caller
end
def cookie_verifier_secret
- ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated. " <<
- "Please use ActionController::Base.config.secret instead.", caller
- ActionController::Base.config.secret
+ ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated.", caller
end
def trusted_proxies=(value)
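Review bot: `cookie_verifier_secret=` now only emits the deprecation warning and discards `value`, so an application that still sets its secret through this setter ends up with no secret configured, while the message reads like a routine rename. The warning should say that the assignment is ignored, for example by ending it with `"The value assigned here is ignored; set config.secret_token instead."`. The reader `cookie_verifier_secret` likewise now returns whatever `ActiveSupport::Deprecation.warn` returns rather than a secret, and its message no longer names a replacement; stating that it no longer returns the secret would prevent callers from using the result as a key. The enclosing module starts and ends outside this hunk.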
diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb
index 4aaa705203..d787f014cd 100644
--- a/actionpack/lib/action_controller/metal/cookies.rb
+++ b/actionpack/lib/action_controller/metal/cookies.rb
@@ -10,8 +10,7 @@ module ActionController #:nodoc:
private
def cookies
- raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
- request.cookie_jar(:signing_secret => config.secret)
+ request.cookie_jar
end
end
end
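Review bot: The blank-secret guard is removed from `cookies` and nothing in the sections shown on this page replaces it for the cookie path; the new `secret_token` helper in http_authentication.rb covers digest authentication only. The diff is limited to actionpack/lib/action_controller, so the check may now live in the cookie jar itself, but if it does not, signed cookies could be produced with an empty key. Worth confirming before merge; once confirmed, a one-line comment above `request.cookie_jar` saying where the signing secret is now read and validated would tell readers where the guard went.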
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 424828f7e8..6bd6c15990 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -159,7 +159,7 @@ module ActionController
# Authenticate with HTTP Digest, returns true or false
def authenticate_with_http_digest(realm = "Application", &password_procedure)
- HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure)
+ HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
end
# Render output including the HTTP Digest authentication header
@@ -169,14 +169,15 @@ module ActionController
end
# Returns false on a valid response, true otherwise
- def authenticate(secret_key, request, realm, &password_procedure)
- request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure)
+ def authenticate(request, realm, &password_procedure)
+ request.authorization && validate_digest_response(request, realm, &password_procedure)
end
# Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
- def validate_digest_response(secret_key, request, realm, &password_procedure)
+ def validate_digest_response(request, realm, &password_procedure)
+ secret_key = secret_token(request)
credentials = decode_credentials_header(request)
valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])
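Review bot: The comment above `authenticate` says it returns false on a valid response, which is the opposite of what the expression does: it yields nil when there is no Authorization header and otherwise the result of `validate_digest_response`, whose own comment says it is false unless the response matches. Since the signature is being changed here anyway, the comment could become `# Returns a truthy value on a valid digest response, false or nil otherwise`. Getting this wrong in a caller inverts an authentication decision, so the comment is worth fixing in the same commit. The body of `validate_digest_response` continues past this hunk.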
@@ -225,7 +226,7 @@ module ActionController
end
def authentication_header(controller, realm)
- secret_key = controller.config.secret
+ secret_key = secret_token(controller.request)
nonce = self.nonce(secret_key)
opaque = opaque(secret_key)
controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
@@ -238,6 +239,12 @@ module ActionController
controller.status = 401
end
+ def secret_token(request)
+ secret = request.env["action_dispatch.secret_token"]
+ raise "You must set config.secret_token in your app's config" if secret.blank?
+ secret
+ end
+
# Uses an MD5 digest based on time to generate a value to be used only once.
#
# A server-specified data string which should be uniquely generated each time a 401 response is made.
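Review bot: `secret_token` has no comment, and it raises only when a digest-auth request is actually processed (it is called from `validate_digest_response` and `authentication_header` in the earlier hunks of this file), so a missing secret is not caught at boot. A comment such as `# Reads the application secret from the Rack env; raises if it is blank so nonce and opaque values are never derived from an empty key` would record the intent. The check accepts any non-blank string; if a minimum length is enforced elsewhere, the comment could point to it.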
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 29d8523ee1..030ba4ec48 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -51,7 +51,6 @@ module ActionController
ac.assets_dir = paths.public.to_a.first
ac.javascripts_dir = paths.public.javascripts.to_a.first
ac.stylesheets_dir = paths.public.stylesheets.to_a.first
- ac.secret = app.config.cookie_secret
ActiveSupport.on_load(:action_controller) do
self.config.merge!(ac)