Merge branch 'master' into laurocaetano-fix_send_file

* master: (536 commits)
  doc, API example on how to use `Model#exists?` with multiple IDs. [ci skip]
  Restore DATABASE_URL even if it's nil in connection_handler test
  [ci skip] - error_messages_for has been deprecated since 2.3.8 - lets reduce any confusion for users
  Ensure Active Record connection consistency
  Revert "ask the fixture set for the sql statements"
  Check `respond_to` before delegation due to: https://github.com/ruby/ruby/commit/d781caaf313b8649948c107bba277e5ad7307314
  Adding Hash#compact and Hash#compact! methods
  MySQL version 4.1 was EOL on December 31, 2009 We should at least recommend modern versions of MySQL to users.
  clear cache on body close so that cache remains during rendering
  add a more restricted codepath for templates fixes #13390
  refactor generator tests to use block form of Tempfile
  Fix typo [ci skip]
  Move finish_template as the last public method in the generator
  Minor typos fix [ci skip]
  make `change_column_null` reversible. Closes #13576.
  create/drop test and development databases only if RAILS_ENV is nil
  Revert "Speedup String#to"
  typo fix in test name. [ci skip].
  `core_ext/string/access.rb` test what we are documenting.
  Fix typo in image_tag documentation
  ...

Conflicts:
	actionpack/CHANGELOG.md

12 files changed, 378 insertions, 49 deletions

diff --git a/actionpack/test/controller/action_pack_assertions_test.rb b/actionpack/test/controller/action_pack_assertions_test.rb
index ba4cffcd3e..b6b5a218cc 100644
--- a/actionpack/test/controller/action_pack_assertions_test.rb
+++ b/actionpack/test/controller/action_pack_assertions_test.rb
@@ -444,22 +444,18 @@ class ActionPackAssertionsControllerTest < ActionController::TestCase
 
   def test_assert_response_uses_exception_message
     @controller = AssertResponseWithUnexpectedErrorController.new
-    get :index
+    e = assert_raise RuntimeError, 'Expected non-success response' do
+      get :index
+    end
     assert_response :success
-    flunk 'Expected non-success response'
-  rescue RuntimeError => e
-    assert e.message.include?('FAIL')
+    assert_includes 'FAIL', e.message
   end
 
   def test_assert_response_failure_response_with_no_exception
     @controller = AssertResponseWithUnexpectedErrorController.new
     get :show
-    assert_response :success
-    flunk 'Expected non-success response'
-  rescue ActiveSupport::TestCase::Assertion
-    # success
-  rescue
-    flunk "assert_response failed to handle failure response with missing, but optional, exception."
+    assert_response 500
+    assert_equal 'Boom', response.body
   end
 end
 
diff --git a/actionpack/test/controller/filters_test.rb b/actionpack/test/controller/filters_test.rb
index 3b5d7ef446..d3efca5b6f 100644
--- a/actionpack/test/controller/filters_test.rb
+++ b/actionpack/test/controller/filters_test.rb
@@ -893,17 +893,6 @@ class ControllerWithFilterInstance < PostsController
   around_filter YieldingFilter.new, :only => :raises_after
 end
 
-class ControllerWithFilterMethod < PostsController
-  class YieldingFilter < DefaultFilter
-    def around(controller)
-      yield
-      raise After
-    end
-  end
-
-  around_filter YieldingFilter.new.method(:around), :only => :raises_after
-end
-
 class ControllerWithProcFilter < PostsController
   around_filter(:only => :no_raise) do |c,b|
     c.instance_variable_set(:"@before", true)
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 9f1c168209..52a0bc9aa3 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -21,7 +21,7 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
 
     def authenticate
       authenticate_or_request_with_http_digest("SuperSecret") do |username|
-        # Return the password
+        # Returns the password
         USERS[username]
       end
     end
diff --git a/actionpack/test/controller/localized_templates_test.rb b/actionpack/test/controller/localized_templates_test.rb
index 6b02eedaed..c95ef8a0c7 100644
--- a/actionpack/test/controller/localized_templates_test.rb
+++ b/actionpack/test/controller/localized_templates_test.rb
@@ -34,4 +34,15 @@ class LocalizedTemplatesTest < ActionController::TestCase
     get :hello_world
     assert_equal "Gutten Tag", @response.body
   end
+
+  def test_localized_template_has_correct_header_with_no_format_in_template_name
+    old_locale = I18n.locale
+    I18n.locale = :it
+
+    get :hello_world
+    assert_equal "Ciao Mondo", @response.body
+    assert_equal "text/html",  @response.content_type
+  ensure
+    I18n.locale = old_locale
+  end
 end
diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
index 774dabe105..84e4936f31 100644
--- a/actionpack/test/controller/mime/respond_to_test.rb
+++ b/actionpack/test/controller/mime/respond_to_test.rb
@@ -146,6 +146,106 @@ class RespondToController < ActionController::Base
     end
   end
 
+  def variant_with_implicit_rendering
+  end
+
+  def variant_with_format_and_custom_render
+    request.variant = :mobile
+
+    respond_to do |type|
+      type.html { render text: "mobile" }
+    end
+  end
+
+  def multiple_variants_for_format
+    respond_to do |type|
+      type.html do |html|
+        html.tablet { render text: "tablet" }
+        html.phone  { render text: "phone" }
+      end
+    end
+  end
+
+  def variant_plus_none_for_format
+    respond_to do |format|
+      format.html do |variant|
+        variant.phone { render text: "phone" }
+        variant.none
+      end
+    end
+  end
+
+  def variant_inline_syntax
+    respond_to do |format|
+      format.js         { render text: "js"    }
+      format.html.none  { render text: "none"  }
+      format.html.phone { render text: "phone" }
+    end
+  end
+
+  def variant_inline_syntax_without_block
+    respond_to do |format|
+      format.js
+      format.html.none
+      format.html.phone
+    end
+  end
+
+  def variant_any
+    respond_to do |format|
+      format.html do |variant|
+        variant.any(:tablet, :phablet){ render text: "any" }
+        variant.phone { render text: "phone" }
+      end
+    end
+  end
+
+  def variant_any_any
+    respond_to do |format|
+      format.html do |variant|
+        variant.any   { render text: "any"   }
+        variant.phone { render text: "phone" }
+      end
+    end
+  end
+
+  def variant_inline_any
+    respond_to do |format|
+      format.html.any(:tablet, :phablet){ render text: "any" }
+      format.html.phone { render text: "phone" }
+    end
+  end
+
+  def variant_inline_any_any
+    respond_to do |format|
+      format.html.phone { render text: "phone" }
+      format.html.any   { render text: "any"   }
+    end
+  end
+
+  def variant_any_implicit_render
+    respond_to do |format|
+      format.html.phone
+      format.html.any(:tablet, :phablet)
+    end
+  end
+
+  def variant_any_with_none
+    respond_to do |format|
+      format.html.any(:none, :phone){ render text: "none or phone" }
+    end
+  end
+
+  def format_any_variant_any
+    respond_to do |format|
+      format.html { render text: "HTML" }
+      format.any(:js, :xml) do |variant|
+        variant.phone{ render text: "phone" }
+        variant.any(:tablet, :phablet){ render text: "tablet" }
+      end
+    end
+  end
+
   protected
     def set_layout
       case action_name
@@ -490,4 +590,154 @@ class RespondToControllerTest < ActionController::TestCase
       get :using_defaults, :format => "invalidformat"
     end
   end
+
+  def test_invalid_variant
+    @request.variant = :invalid
+    assert_raises(ActionView::MissingTemplate) do
+      get :variant_with_implicit_rendering
+    end
+  end
+
+  def test_variant_not_set_regular_template_missing
+    assert_raises(ActionView::MissingTemplate) do
+      get :variant_with_implicit_rendering
+    end
+  end
+
+  def test_variant_with_implicit_rendering
+    @request.variant = :mobile
+    get :variant_with_implicit_rendering
+    assert_equal "text/html", @response.content_type
+    assert_equal "mobile", @response.body
+  end
+
+  def test_variant_with_format_and_custom_render
+    @request.variant = :phone
+    get :variant_with_format_and_custom_render
+    assert_equal "text/html", @response.content_type
+    assert_equal "mobile", @response.body
+  end
+
+  def test_multiple_variants_for_format
+    @request.variant = :tablet
+    get :multiple_variants_for_format
+    assert_equal "text/html", @response.content_type
+    assert_equal "tablet", @response.body
+  end
+
+  def test_no_variant_in_variant_setup
+    get :variant_plus_none_for_format
+    assert_equal "text/html", @response.content_type
+    assert_equal "none", @response.body
+  end
+
+  def test_variant_inline_syntax
+    get :variant_inline_syntax, format: :js
+    assert_equal "text/javascript", @response.content_type
+    assert_equal "js", @response.body
+
+    get :variant_inline_syntax
+    assert_equal "text/html", @response.content_type
+    assert_equal "none", @response.body
+
+    @request.variant = :phone
+    get :variant_inline_syntax
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+  end
+
+  def test_variant_inline_syntax_without_block
+    @request.variant = :phone
+    get :variant_inline_syntax_without_block
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+  end
+
+  def test_variant_any
+    @request.variant = :phone
+    get :variant_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+
+    @request.variant = :tablet
+    get :variant_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+
+    @request.variant = :phablet
+    get :variant_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+  end
+
+  def test_variant_any_any
+    @request.variant = :phone
+    get :variant_any_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+
+    @request.variant = :yolo
+    get :variant_any_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+  end
+
+  def test_variant_inline_any
+    @request.variant = :phone
+    get :variant_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+
+    @request.variant = :tablet
+    get :variant_inline_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+
+    @request.variant = :phablet
+    get :variant_inline_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+  end
+
+  def test_variant_inline_any_any
+    @request.variant = :phone
+    get :variant_inline_any_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "phone", @response.body
+
+    @request.variant = :yolo
+    get :variant_inline_any_any
+    assert_equal "text/html", @response.content_type
+    assert_equal "any", @response.body
+  end
+
+  def test_variant_any_implicit_render
+    @request.variant = :tablet
+    get :variant_any_implicit_render
+    assert_equal "text/html", @response.content_type
+    assert_equal "tablet", @response.body
+
+    @request.variant = :phablet
+    get :variant_any_implicit_render
+    assert_equal "text/html", @response.content_type
+    assert_equal "phablet", @response.body
+  end
+
+  def test_variant_any_with_none
+    get :variant_any_with_none
+    assert_equal "text/html", @response.content_type
+    assert_equal "none or phone", @response.body
+
+    @request.variant = :phone
+    get :variant_any_with_none
+    assert_equal "text/html", @response.content_type
+    assert_equal "none or phone", @response.body
+  end
+
+  def test_format_any_variant_any
+    @request.variant = :tablet
+    get :format_any_variant_any, format: :js
+    assert_equal "text/javascript", @response.content_type
+    assert_equal "tablet", @response.body
+  end
 end
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index b60c5f058d..33a91d72d9 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -8,9 +8,16 @@ class ParametersPermitTest < ActiveSupport::TestCase
   end
 
   setup do
-    @params = ActionController::Parameters.new({ person: {
-      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
-    }})
+    @params = ActionController::Parameters.new(
+      person: {
+        age: '32',
+        name: {
+          first: 'David',
+          last: 'Heinemeier Hansson'
+        },
+        addresses: [{city: 'Chicago', state: 'Illinois'}]
+      }
+    )
 
     @struct_fields = []
     %w(0 1 12).each do |number|
@@ -153,6 +160,18 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal nil, params[:foo]
   end
 
+  test 'hashes in array values get wrapped' do
+    params = ActionController::Parameters.new(foo: [{}, {}])
+    params[:foo].each do |hash|
+      assert !hash.permitted?
+    end
+  end
+
+  test 'arrays are converted at most once' do
+    params = ActionController::Parameters.new(foo: [{}])
+    assert params[:foo].equal?(params[:foo])
+  end
+
   test "fetch doesnt raise ParameterMissing exception if there is a default" do
     assert_equal "monkey", @params.fetch(:foo, "monkey")
     assert_equal "monkey", @params.fetch(:foo) { "monkey" }
@@ -221,6 +240,7 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert @params.permitted?
     assert @params[:person].permitted?
     assert @params[:person][:name].permitted?
+    assert @params[:person][:addresses][0].permitted?
   end
 
   test "permitted takes a default value when Parameters.permit_all_parameters is set" do
diff --git a/actionpack/test/controller/render_js_test.rb b/actionpack/test/controller/render_js_test.rb
index f070109b27..d550422a2f 100644
--- a/actionpack/test/controller/render_js_test.rb
+++ b/actionpack/test/controller/render_js_test.rb
@@ -22,7 +22,7 @@ class RenderJSTest < ActionController::TestCase
   tests TestController
 
   def test_render_vanilla_js
-    get :render_vanilla_js_hello
+    xhr :get, :render_vanilla_js_hello
     assert_equal "alert('hello')", @response.body
     assert_equal "text/javascript", @response.content_type
   end
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
index 7c0a6bd67e..de8d1cbd9b 100644
--- a/actionpack/test/controller/render_json_test.rb
+++ b/actionpack/test/controller/render_json_test.rb
@@ -100,13 +100,13 @@ class RenderJsonTest < ActionController::TestCase
   end
 
   def test_render_json_with_callback
-    get :render_json_hello_world_with_callback
+    xhr :get, :render_json_hello_world_with_callback
     assert_equal 'alert({"hello":"world"})', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
 
   def test_render_json_with_custom_content_type
-    get :render_json_with_custom_content_type
+    xhr :get, :render_json_with_custom_content_type
     assert_equal '{"hello":"world"}', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index f41287381a..26806fb03f 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -529,4 +529,4 @@ class HeadRenderTest < ActionController::TestCase
     assert_equal "something", @response.headers["X-Custom-Header"]
     assert_response :forbidden
   end
-end
\ No newline at end of file
+end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 727db79241..1f5fc06410 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -52,18 +52,36 @@ module RequestForgeryProtectionActions
     render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>"
   end
 
+  def same_origin_js
+    render js: 'foo();'
+  end
+
+  def negotiate_same_origin
+    respond_to do |format|
+      format.js { same_origin_js }
+    end
+  end
+
+  def cross_origin_js
+    same_origin_js
+  end
+
+  def negotiate_cross_origin
+    negotiate_same_origin
+  end
+
   def rescue_action(e) raise e end
 end
 
 # sample controllers
 class RequestForgeryProtectionControllerUsingResetSession < ActionController::Base
   include RequestForgeryProtectionActions
-  protect_from_forgery :only => %w(index meta), :with => :reset_session
+  protect_from_forgery :only => %w(index meta same_origin_js negotiate_same_origin), :with => :reset_session
 end
 
 class RequestForgeryProtectionControllerUsingException < ActionController::Base
   include RequestForgeryProtectionActions
-  protect_from_forgery :only => %w(index meta), :with => :exception
+  protect_from_forgery :only => %w(index meta same_origin_js negotiate_same_origin), :with => :exception
 end
 
 class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
@@ -201,7 +219,7 @@ module RequestForgeryProtectionTests
   end
 
   def test_should_not_allow_post_without_token_irrespective_of_format
-    assert_blocked { post :index, :format=>'xml' }
+    assert_blocked { post :index, format: 'xml' }
   end
 
   def test_should_not_allow_patch_without_token
@@ -271,6 +289,48 @@ module RequestForgeryProtectionTests
     end
   end
 
+  def test_should_only_allow_same_origin_js_get_with_xhr_header
+    assert_cross_origin_blocked { get :same_origin_js }
+    assert_cross_origin_blocked { get :same_origin_js, format: 'js' }
+    assert_cross_origin_blocked do
+      @request.accept = 'text/javascript'
+      get :negotiate_same_origin
+    end
+
+    assert_cross_origin_not_blocked { xhr :get, :same_origin_js }
+    assert_cross_origin_not_blocked { xhr :get, :same_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      xhr :get, :negotiate_same_origin
+    end
+  end
+
+  # Allow non-GET requests since GET is all a remote <script> tag can muster.
+  def test_should_allow_non_get_js_without_xhr_header
+    assert_cross_origin_not_blocked { post :same_origin_js, custom_authenticity_token: @token }
+    assert_cross_origin_not_blocked { post :same_origin_js, format: 'js', custom_authenticity_token: @token }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      post :negotiate_same_origin, custom_authenticity_token: @token
+    end
+  end
+
+  def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
+    assert_cross_origin_not_blocked { get :cross_origin_js }
+    assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      get :negotiate_cross_origin
+    end
+
+    assert_cross_origin_not_blocked { xhr :get, :cross_origin_js }
+    assert_cross_origin_not_blocked { xhr :get, :cross_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      xhr :get, :negotiate_cross_origin
+    end
+  end
+
   def assert_blocked
     session[:something_like_user_id] = 1
     yield
@@ -282,6 +342,16 @@ module RequestForgeryProtectionTests
     assert_nothing_raised { yield }
     assert_response :success
   end
+
+  def assert_cross_origin_blocked
+    assert_raises(ActionController::InvalidCrossOriginRequest) do
+      yield
+    end
+  end
+
+  def assert_cross_origin_not_blocked
+    assert_not_blocked { yield }
+  end
 end
 
 # OK let's get our test on
@@ -305,13 +375,13 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
   end
 end
 
-class NullSessionDummyKeyGenerator
-  def generate_key(secret)
-    '03312270731a2ed0d11ed091c2338a06'
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase
+  class NullSessionDummyKeyGenerator
+    def generate_key(secret)
+      '03312270731a2ed0d11ed091c2338a06'
+    end
   end
-end
 
-class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase  
   def setup
     @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
   end
@@ -375,8 +445,8 @@ end
 
 class CustomAuthenticityParamControllerTest < ActionController::TestCase
   def setup
-    ActionController::Base.request_forgery_protection_token = :custom_token_name
     super
+    ActionController::Base.request_forgery_protection_token = :custom_token_name
   end
 
   def teardown
diff --git a/actionpack/test/controller/routing_test.rb b/actionpack/test/controller/routing_test.rb
index 2c84e95c6e..df453a0251 100644
--- a/actionpack/test/controller/routing_test.rb
+++ b/actionpack/test/controller/routing_test.rb
@@ -1833,11 +1833,11 @@ class RackMountIntegrationTests < ActiveSupport::TestCase
     assert_equal({:controller => 'foo', :action => 'id_default', :id => 1 }, @routes.recognize_path('/id_default'))
     assert_equal({:controller => 'foo', :action => 'get_or_post'}, @routes.recognize_path('/get_or_post', :method => :get))
     assert_equal({:controller => 'foo', :action => 'get_or_post'}, @routes.recognize_path('/get_or_post', :method => :post))
-    assert_raise(ActionController::ActionControllerError) { @routes.recognize_path('/get_or_post', :method => :put) }
-    assert_raise(ActionController::ActionControllerError) { @routes.recognize_path('/get_or_post', :method => :delete) }
+    assert_raise(ActionController::RoutingError) { @routes.recognize_path('/get_or_post', :method => :put) }
+    assert_raise(ActionController::RoutingError) { @routes.recognize_path('/get_or_post', :method => :delete) }
 
     assert_equal({:controller => 'posts', :action => 'index', :optional => 'bar'}, @routes.recognize_path('/optional/bar'))
-    assert_raise(ActionController::ActionControllerError) { @routes.recognize_path('/optional') }
+    assert_raise(ActionController::RoutingError) { @routes.recognize_path('/optional') }
 
     assert_equal({:controller => 'posts', :action => 'show', :id => '1', :ws => true}, @routes.recognize_path('/ws/posts/show/1', :method => :get))
     assert_equal({:controller => 'posts', :action => 'list', :ws => true}, @routes.recognize_path('/ws/posts/list', :method => :get))
@@ -1916,11 +1916,4 @@ class RackMountIntegrationTests < ActiveSupport::TestCase
       end
       extras
     end
-
-    def assert_raise(e)
-      result = yield
-      flunk "Did not raise #{e}, but returned #{result.inspect}"
-    rescue e
-      assert true
-    end
 end
diff --git a/actionpack/test/controller/send_file_test.rb b/actionpack/test/controller/send_file_test.rb
index 0326bf4562..4df2f8b98d 100644
--- a/actionpack/test/controller/send_file_test.rb
+++ b/actionpack/test/controller/send_file_test.rb
@@ -148,7 +148,7 @@ class SendFileTest < ActionController::TestCase
     }
 
     @controller.headers = {}
-    assert !@controller.send(:send_file_headers!, options)
+    assert_raise(ArgumentError) { @controller.send(:send_file_headers!, options) }
   end
 
   def test_send_file_headers_guess_type_from_extension