diff options
Diffstat (limited to 'actionpack/lib/action_controller/metal')
19 files changed, 216 insertions, 363 deletions
diff --git a/actionpack/lib/action_controller/metal/benchmarking.rb b/actionpack/lib/action_controller/metal/benchmarking.rb index d4cb1e122d..e58df69172 100644 --- a/actionpack/lib/action_controller/metal/benchmarking.rb +++ b/actionpack/lib/action_controller/metal/benchmarking.rb @@ -1,4 +1,4 @@ -require 'benchmark' +require 'active_support/core_ext/benchmark' module ActionController #:nodoc: # The benchmarking module times the performance of actions and reports to the logger. If the Active Record @@ -6,25 +6,6 @@ module ActionController #:nodoc: module Benchmarking #:nodoc: extend ActiveSupport::Concern - module ClassMethods - # Log and benchmark the workings of a single block and silence whatever logging that may have happened inside it - # (unless <tt>use_silence</tt> is set to false). - # - # The benchmark is only recorded if the current level of the logger matches the <tt>log_level</tt>, which makes it - # easy to include benchmarking statements in production software that will remain inexpensive because the benchmark - # will only be conducted if the log level is low enough. - def benchmark(title, log_level = Logger::DEBUG, use_silence = true) - if logger && logger.level == log_level - result = nil - ms = Benchmark.ms { result = use_silence ? silence { yield } : yield } - logger.add(log_level, "#{title} (#{('%.1f' % ms)}ms)") - result - else - yield - end - end - end - protected def render(*args, &block) if logger @@ -45,7 +26,7 @@ module ActionController #:nodoc: else super end - end + end private def process_action(*args) diff --git a/actionpack/lib/action_controller/metal/compatibility.rb b/actionpack/lib/action_controller/metal/compatibility.rb index 22f9ab219c..c251d79f4e 100644 --- a/actionpack/lib/action_controller/metal/compatibility.rb +++ b/actionpack/lib/action_controller/metal/compatibility.rb @@ -25,9 +25,11 @@ module ActionController # cattr_reader :protected_instance_variables cattr_accessor :protected_instance_variables - self.protected_instance_variables = %w(@assigns @performed_redirect @performed_render @variables_added @request_origin @url @parent_controller - @action_name @before_filter_chain_aborted @action_cache_path @_headers @_params - @_flash @_response) + self.protected_instance_variables = %w(@assigns @performed_redirect @performed_render + @variables_added @request_origin @url + @parent_controller @action_name + @before_filter_chain_aborted @_headers @_params + @_flash @_response) # Indicates whether or not optimise the generated named # route helper methods diff --git a/actionpack/lib/action_controller/metal/conditional_get.rb b/actionpack/lib/action_controller/metal/conditional_get.rb index 8575d30335..5156fbc1d5 100644 --- a/actionpack/lib/action_controller/metal/conditional_get.rb +++ b/actionpack/lib/action_controller/metal/conditional_get.rb @@ -3,6 +3,7 @@ module ActionController extend ActiveSupport::Concern include RackConvenience + include Head # Sets the etag, last_modified, or both on the response and renders a # "304 Not Modified" response if the request is already fresh. @@ -27,43 +28,9 @@ module ActionController response.etag = options[:etag] if options[:etag] response.last_modified = options[:last_modified] if options[:last_modified] + response.cache_control[:public] = true if options[:public] - if options[:public] - response.cache_control[:public] = true - end - - if request.fresh?(response) - head :not_modified - end - end - - # Return a response that has no content (merely headers). The options - # argument is interpreted to be a hash of header names and values. - # This allows you to easily return a response that consists only of - # significant headers: - # - # head :created, :location => person_path(@person) - # - # It can also be used to return exceptional conditions: - # - # return head(:method_not_allowed) unless request.post? - # return head(:bad_request) unless valid_request? - # render - def head(*args) - if args.length > 2 - raise ArgumentError, "too many arguments to head" - elsif args.empty? - raise ArgumentError, "too few arguments to head" - end - options = args.extract_options! - status = args.shift || options.delete(:status) || :ok - location = options.delete(:location) - - options.each do |key, value| - headers[key.to_s.dasherize.split(/-/).map { |v| v.capitalize }.join("-")] = value.to_s - end - - render :nothing => true, :status => status, :location => location + head :not_modified if request.fresh?(response) end # Sets the etag and/or last_modified on the response and checks it against @@ -113,7 +80,7 @@ module ActionController # Sets a HTTP 1.1 Cache-Control header of "no-cache" so no caching should occur by the browser or # intermediate caches (like caching proxy servers). def expires_now #:doc: - response.headers["Cache-Control"] = "no-cache" + response.cache_control.replace(:no_cache => true) end end end diff --git a/actionpack/lib/action_controller/metal/configuration.rb b/actionpack/lib/action_controller/metal/configuration.rb new file mode 100644 index 0000000000..5c829853b7 --- /dev/null +++ b/actionpack/lib/action_controller/metal/configuration.rb @@ -0,0 +1,28 @@ +module ActionController + module Configuration + extend ActiveSupport::Concern + + def config + @config ||= self.class.config + end + + def config=(config) + @config = config + end + + module ClassMethods + def default_config + @default_config ||= {} + end + + def config + self.config ||= default_config + end + + def config=(config) + @config = ActiveSupport::OrderedHash.new + @config.merge!(config) + end + end + end +end
\ No newline at end of file diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb index d4806623c3..6855ca1478 100644 --- a/actionpack/lib/action_controller/metal/cookies.rb +++ b/actionpack/lib/action_controller/metal/cookies.rb @@ -44,24 +44,31 @@ module ActionController #:nodoc: # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or # only HTTP. Defaults to +false+. module Cookies - def self.included(base) - base.helper_method :cookies + extend ActiveSupport::Concern + + include RackConvenience + + included do + helper_method :cookies end - protected - # Returns the cookie container, which operates as described above. - def cookies - @cookies ||= CookieJar.new(self) - end + protected + # Returns the cookie container, which operates as described above. + def cookies + @cookies ||= CookieJar.build(request, response) + end end class CookieJar < Hash #:nodoc: - def initialize(controller) - @controller, @cookies = controller, controller.request.cookies - super() - update(@cookies) + def self.build(request, response) + new.tap do |hash| + hash.update(request.cookies) + hash.response = response + end end + attr_accessor :response + # Returns the value of the cookie by +name+, or +nil+ if no such cookie exists. def [](name) super(name.to_s) @@ -72,13 +79,16 @@ module ActionController #:nodoc: def []=(key, options) if options.is_a?(Hash) options.symbolize_keys! + value = options[:value] else - options = { :value => options } + value = options + options = { :value => value } end - options[:path] = "/" unless options.has_key?(:path) - super(key.to_s, options[:value]) - @controller.response.set_cookie(key, options) + super(key.to_s, value) + + options[:path] ||= "/" + response.set_cookie(key, options) end # Removes the cookie on the client machine by setting the value to an empty string @@ -86,9 +96,10 @@ module ActionController #:nodoc: # an options hash to delete cookies with extra data such as a <tt>:path</tt>. def delete(key, options = {}) options.symbolize_keys! - options[:path] = "/" unless options.has_key?(:path) - super(key.to_s) - @controller.response.delete_cookie(key, options) + options[:path] ||= "/" + value = super(key.to_s) + response.delete_cookie(key, options) + value end end end diff --git a/actionpack/lib/action_controller/metal/filter_parameter_logging.rb b/actionpack/lib/action_controller/metal/filter_parameter_logging.rb index 4259d9de19..a53c052075 100644 --- a/actionpack/lib/action_controller/metal/filter_parameter_logging.rb +++ b/actionpack/lib/action_controller/metal/filter_parameter_logging.rb @@ -4,10 +4,6 @@ module ActionController include AbstractController::Logger - included do - include InstanceMethodsForNewBase - end - module ClassMethods # Replace sensitive parameter data from the request log. # Filters parameters that have any of the arguments as a substring. @@ -17,8 +13,6 @@ module ActionController # can be replaced using String#replace or similar method. # # Examples: - # filter_parameter_logging - # => Does nothing, just slows the logging process down # # filter_parameter_logging :password # => replaces the value to all keys matching /password/i with "[FILTERED]" @@ -33,64 +27,51 @@ module ActionController # => reverses the value to all keys matching /secret/i, and # replaces the value to all keys matching /foo|bar/i with "[FILTERED]" def filter_parameter_logging(*filter_words, &block) - parameter_filter = Regexp.new(filter_words.collect{ |s| s.to_s }.join('|'), true) if filter_words.length > 0 + raise "You must filter at least one word from logging" if filter_words.empty? + + parameter_filter = Regexp.new(filter_words.join('|'), true) - define_method(:filter_parameters) do |unfiltered_parameters| - filtered_parameters = {} + define_method(:filter_parameters) do |original_params| + filtered_params = {} - unfiltered_parameters.each do |key, value| + original_params.each do |key, value| if key =~ parameter_filter - filtered_parameters[key] = '[FILTERED]' + value = '[FILTERED]' elsif value.is_a?(Hash) - filtered_parameters[key] = filter_parameters(value) + value = filter_parameters(value) elsif value.is_a?(Array) - filtered_parameters[key] = value.collect do |item| - filter_parameters(item) - end + value = value.map { |item| filter_parameters(item) } elsif block_given? key = key.dup value = value.dup if value.duplicable? yield key, value - filtered_parameters[key] = value - else - filtered_parameters[key] = value end + + filtered_params[key] = value end - filtered_parameters + filtered_params end protected :filter_parameters end end - module InstanceMethodsForNewBase - # TODO : Fix the order of information inside such that it's exactly same as the old base - def process(*) - ret = super - - if logger - parameters = respond_to?(:filter_parameters) ? filter_parameters(params) : params.dup - parameters = parameters.except!(:controller, :action, :format, :_method, :only_path) + INTERNAL_PARAMS = [:controller, :action, :format, :_method, :only_path] - unless parameters.empty? - # TODO : Move DelayedLog to AS - log = AbstractController::Logger::DelayedLog.new { " Parameters: #{parameters.inspect}" } - logger.info(log) - end - end - - ret + def process(*) + response = super + if logger + parameters = filter_parameters(params).except!(*INTERNAL_PARAMS) + logger.info { " Parameters: #{parameters.inspect}" } unless parameters.empty? end + response end - private + protected - # TODO : This method is not needed for the new base - def log_processing_for_parameters - parameters = respond_to?(:filter_parameters) ? filter_parameters(params) : params.dup - parameters = parameters.except!(:controller, :action, :format, :_method) - - logger.info " Parameters: #{parameters.inspect}" unless parameters.empty? + def filter_parameters(params) + params.dup end + end end diff --git a/actionpack/lib/action_controller/metal/flash.rb b/actionpack/lib/action_controller/metal/flash.rb index 8753253dc6..feb066a6f6 100644 --- a/actionpack/lib/action_controller/metal/flash.rb +++ b/actionpack/lib/action_controller/metal/flash.rb @@ -49,7 +49,7 @@ module ActionController #:nodoc: class FlashHash < Hash def initialize #:nodoc: super - @used = {} + @used = Set.new end def []=(k, v) #:nodoc: @@ -65,7 +65,7 @@ module ActionController #:nodoc: alias :merge! :update def replace(h) #:nodoc: - @used = {} + @used = Set.new super end @@ -104,8 +104,8 @@ module ActionController #:nodoc: # This method is called automatically by filters, so you generally don't need to care about it. def sweep #:nodoc: keys.each do |k| - unless @used[k] - use(k) + unless @used.include?(k) + @used << k else delete(k) @used.delete(k) @@ -113,47 +113,45 @@ module ActionController #:nodoc: end # clean up after keys that could have been left over by calling reject! or shift on the flash - (@used.keys - keys).each{ |k| @used.delete(k) } + (@used - keys).each{ |k| @used.delete(k) } end - def store(session, key = "flash") + def store(session) return if self.empty? - session[key] = self + session["flash"] = self end - private - # Used internally by the <tt>keep</tt> and <tt>discard</tt> methods - # use() # marks the entire flash as used - # use('msg') # marks the "msg" entry as used - # use(nil, false) # marks the entire flash as unused (keeps it around for one more action) - # use('msg', false) # marks the "msg" entry as unused (keeps it around for one more action) - # Returns the single value for the key you asked to be marked (un)used or the FlashHash itself - # if no key is passed. - def use(key = nil, used = true) - Array(key || keys).each { |k| @used[k] = used } - return key ? self[key] : self - end + private + # Used internally by the <tt>keep</tt> and <tt>discard</tt> methods + # use() # marks the entire flash as used + # use('msg') # marks the "msg" entry as used + # use(nil, false) # marks the entire flash as unused (keeps it around for one more action) + # use('msg', false) # marks the "msg" entry as unused (keeps it around for one more action) + # Returns the single value for the key you asked to be marked (un)used or the FlashHash itself + # if no key is passed. + def use(key = nil, used = true) + Array(key || keys).each { |k| used ? @used << k : @used.delete(k) } + return key ? self[key] : self + end end protected def process_action(method_name) super - if defined? @_flash - @_flash.store(session) - remove_instance_variable(:@_flash) - end + @_flash.store(session) if @_flash + @_flash = nil end def reset_session super - remove_instance_variable(:@_flash) if defined?(@_flash) + @_flash = nil end # Access the contents of the flash. Use <tt>flash["notice"]</tt> to # read a notice you put there or <tt>flash["notice"] = "hello"</tt> # to put a new one. def flash #:doc: - if !defined?(@_flash) + unless @_flash @_flash = session["flash"] || FlashHash.new @_flash.sweep end diff --git a/actionpack/lib/action_controller/metal/head.rb b/actionpack/lib/action_controller/metal/head.rb new file mode 100644 index 0000000000..68fa0a0402 --- /dev/null +++ b/actionpack/lib/action_controller/metal/head.rb @@ -0,0 +1,27 @@ +module ActionController + module Head + # Return a response that has no content (merely headers). The options + # argument is interpreted to be a hash of header names and values. + # This allows you to easily return a response that consists only of + # significant headers: + # + # head :created, :location => person_path(@person) + # + # It can also be used to return exceptional conditions: + # + # return head(:method_not_allowed) unless request.post? + # return head(:bad_request) unless valid_request? + # render + def head(status, options = {}) + options, status = status, nil if status.is_a?(Hash) + status ||= options.delete(:status) || :ok + location = options.delete(:location) + + options.each do |key, value| + headers[key.to_s.dasherize.split(/-/).map { |v| v.capitalize }.join("-")] = value.to_s + end + + render :nothing => true, :status => status, :location => location + end + end +end
\ No newline at end of file diff --git a/actionpack/lib/action_controller/metal/helpers.rb b/actionpack/lib/action_controller/metal/helpers.rb index 7c52779064..b4325e24ad 100644 --- a/actionpack/lib/action_controller/metal/helpers.rb +++ b/actionpack/lib/action_controller/metal/helpers.rb @@ -1,5 +1,3 @@ -require 'active_support/dependencies' - module ActionController # The Rails framework provides a large number of helpers for working with +assets+, +dates+, +forms+, # +numbers+ and model objects, to name a few. These helpers are available to all templates @@ -54,7 +52,7 @@ module ActionController included do # Set the default directory for helpers extlib_inheritable_accessor(:helpers_dir) do - defined?(RAILS_ROOT) ? "#{RAILS_ROOT}/app/helpers" : "app/helpers" + defined?(Rails) ? "#{Rails.root}/app/helpers" : "app/helpers" end end @@ -64,46 +62,6 @@ module ActionController super end - # The +helper+ class method can take a series of helper module names, a block, or both. - # - # ==== Parameters - # *args<Array[Module, Symbol, String, :all]> - # block<Block>:: A block defining helper methods - # - # ==== Examples - # When the argument is a string or symbol, the method will provide the "_helper" suffix, require the file - # and include the module in the template class. The second form illustrates how to include custom helpers - # when working with namespaced controllers, or other cases where the file containing the helper definition is not - # in one of Rails' standard load paths: - # helper :foo # => requires 'foo_helper' and includes FooHelper - # helper 'resources/foo' # => requires 'resources/foo_helper' and includes Resources::FooHelper - # - # When the argument is a module it will be included directly in the template class. - # helper FooHelper # => includes FooHelper - # - # When the argument is the symbol <tt>:all</tt>, the controller will include all helpers beneath - # <tt>ActionController::Base.helpers_dir</tt> (defaults to <tt>app/helpers/**/*.rb</tt> under RAILS_ROOT). - # helper :all - # - # Additionally, the +helper+ class method can receive and evaluate a block, making the methods defined available - # to the template. - # # One line - # helper { def hello() "Hello, world!" end } - # # Multi-line - # helper do - # def foo(bar) - # "#{bar} is the very best" - # end - # end - # - # Finally, all the above styles can be mixed together, and the +helper+ method can be invoked with a mix of - # +symbols+, +strings+, +modules+ and blocks. - # helper(:three, BlindHelper) { def mice() 'mice' end } - # - def helper(*args, &block) - super(*_modules_for_helpers(args), &block) - end - # Declares helper accessors for controller attributes. For example, the # following adds new +name+ and <tt>name=</tt> instance methods to a # controller and makes them available to the view: @@ -123,15 +81,8 @@ module ActionController end private - # Returns a list of modules, normalized from the acceptable kinds of - # helpers with the following behavior: - # String or Symbol:: :FooBar or "FooBar" becomes "foo_bar_helper", - # and "foo_bar_helper.rb" is loaded using require_dependency. - # :all:: Loads all modules in the #helpers_dir - # Module:: No further processing - # - # After loading the appropriate files, the corresponding modules - # are returned. + # Overwrite _modules_for_helpers to accept :all as argument, which loads + # all helpers in helpers_dir. # # ==== Parameters # args<Array[String, Symbol, Module, all]>:: A list of helpers @@ -140,20 +91,8 @@ module ActionController # Array[Module]:: A normalized list of modules for the list of # helpers provided. def _modules_for_helpers(args) - args.flatten.map! do |arg| - case arg - when :all - _modules_for_helpers all_application_helpers - when String, Symbol - file_name = "#{arg.to_s.underscore}_helper" - require_dependency(file_name, "Missing helper file helpers/%s.rb") - file_name.camelize.constantize - when Module - arg - else - raise ArgumentError, "helper must be a String, Symbol, or Module" - end - end + args += all_application_helpers if args.delete(:all) + super(args) end def default_helper_module! diff --git a/actionpack/lib/action_controller/metal/layouts.rb b/actionpack/lib/action_controller/metal/layouts.rb index cac529b1ae..cc7088248a 100644 --- a/actionpack/lib/action_controller/metal/layouts.rb +++ b/actionpack/lib/action_controller/metal/layouts.rb @@ -167,26 +167,5 @@ module ActionController controller_path end end - - private - def _determine_template(options) - super - - return if (options.key?(:text) || options.key?(:inline) || options.key?(:partial)) && !options.key?(:layout) - layout = options.key?(:layout) ? options[:layout] : :default - options[:_layout] = _layout_for_option(layout, options[:_template].details) - end - - def _layout_for_option(name, details) - case name - when String then _layout_for_name(name, details) - when true then _default_layout(details, true) - when :default then _default_layout(details, false) - when false, nil then nil - else - raise ArgumentError, - "String, true, or false, expected for `layout'; you passed #{name.inspect}" - end - end end end diff --git a/actionpack/lib/action_controller/metal/mime_responds.rb b/actionpack/lib/action_controller/metal/mime_responds.rb index 3026067868..468c5f4fae 100644 --- a/actionpack/lib/action_controller/metal/mime_responds.rb +++ b/actionpack/lib/action_controller/metal/mime_responds.rb @@ -3,7 +3,8 @@ module ActionController #:nodoc: extend ActiveSupport::Concern included do - class_inheritable_reader :mimes_for_respond_to + extlib_inheritable_accessor :responder, :mimes_for_respond_to, :instance_writer => false + self.responder = ActionController::Responder clear_respond_to end @@ -46,7 +47,7 @@ module ActionController #:nodoc: # Clear all mimes in respond_to. # def clear_respond_to - write_inheritable_attribute(:mimes_for_respond_to, ActiveSupport::OrderedHash.new) + self.mimes_for_respond_to = ActiveSupport::OrderedHash.new end end @@ -221,10 +222,6 @@ module ActionController #:nodoc: end end - def responder - ActionController::Responder - end - protected # Collect mimes declared in the class method respond_to valid for the diff --git a/actionpack/lib/action_controller/metal/rack_convenience.rb b/actionpack/lib/action_controller/metal/rack_convenience.rb index a80569c530..131d20114d 100644 --- a/actionpack/lib/action_controller/metal/rack_convenience.rb +++ b/actionpack/lib/action_controller/metal/rack_convenience.rb @@ -8,7 +8,7 @@ module ActionController attr_internal :request end - def call(name, env) + def dispatch(action, env) @_request = ActionDispatch::Request.new(env) @_response = ActionDispatch::Response.new @_response.request = request diff --git a/actionpack/lib/action_controller/metal/redirector.rb b/actionpack/lib/action_controller/metal/redirector.rb index f79fd54acd..b55f5e7bfc 100644 --- a/actionpack/lib/action_controller/metal/redirector.rb +++ b/actionpack/lib/action_controller/metal/redirector.rb @@ -16,7 +16,7 @@ module ActionController logger.info("Redirected to #{url}") if logger && logger.info? self.status = status self.location = url.gsub(/[\r\n]/, '') - self.response_body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(url)}\">redirected</a>.</body></html>" + self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(url)}\">redirected</a>.</body></html>" end end end diff --git a/actionpack/lib/action_controller/metal/rendering_controller.rb b/actionpack/lib/action_controller/metal/rendering_controller.rb index 4da32ca1b3..237299cd30 100644 --- a/actionpack/lib/action_controller/metal/rendering_controller.rb +++ b/actionpack/lib/action_controller/metal/rendering_controller.rb @@ -1,54 +1,18 @@ module ActionController - class HashKey - @hash_keys = Hash.new {|h,k| h[k] = Hash.new {|h,k| h[k] = {} } } - - def self.get(klass, formats, locale) - @hash_keys[klass][formats][locale] ||= new(klass, formats, locale) - end - - attr_accessor :hash - def initialize(klass, formats, locale) - @formats, @locale = formats, locale - @hash = [formats, locale].hash - end - - alias_method :eql?, :equal? - - def inspect - "#<HashKey -- formats: #{@formats} locale: #{@locale}>" - end - end - module RenderingController extend ActiveSupport::Concern - include AbstractController::RenderingController - - module ClassMethods - def clear_template_caches! - ActionView::Partials::PartialRenderer::TEMPLATES.clear - template_cache.clear - super - end - - def template_cache - @template_cache ||= Hash.new {|h,k| h[k] = {} } - end + included do + include AbstractController::RenderingController + include AbstractController::LocalizedCache end def process_action(*) self.formats = request.formats.map {|x| x.to_sym} - - super - end - - def _determine_template(*) super end def render(options) - Thread.current[:format_locale_key] = HashKey.get(self.class, formats, I18n.locale) - super self.content_type ||= options[:_template].mime_type.to_s response_body @@ -70,29 +34,19 @@ module ActionController controller_path end - def with_template_cache(name) - self.class.template_cache[Thread.current[:format_locale_key]][name] ||= super - end - def _determine_template(options) - if options.key?(:text) - options[:_template] = ActionView::TextTemplate.new(options[:text], formats.first) - elsif options.key?(:inline) - handler = ActionView::Template.handler_class_for_extension(options[:type] || "erb") - template = ActionView::Template.new(options[:inline], "inline #{options[:inline].inspect}", handler, {}) - options[:_template] = template - elsif options.key?(:template) - options[:_template_name] = options[:template] - elsif options.key?(:file) - options[:_template_name] = options[:file] - elsif !options.key?(:partial) - options[:_template_name] = (options[:action] || action_name).to_s + if (options.keys & [:partial, :file, :template, :text, :inline]).empty? + options[:_template_name] ||= options[:action] options[:_prefix] = _prefix end super end + def format_for_text + formats.first + end + def _process_options(options) status, content_type, location = options.values_at(:status, :content_type, :location) self.status = status if status diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index ad06657f86..113c20a758 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -5,7 +5,6 @@ module ActionController #:nodoc: module RequestForgeryProtection extend ActiveSupport::Concern - # TODO : Remove the defined? check when new base is the main base include AbstractController::Helpers, Session included do @@ -21,26 +20,26 @@ module ActionController #:nodoc: helper_method :protect_against_forgery? end - # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a - # forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all - # forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only - # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication - # scheme there anyway). Also, GET requests are not protected as these should be idempotent anyway. + # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current + # web application, not a forged link from another site, is done by embedding a token based on a random + # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated + # by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript + # requests are checked, so this will not protect your XML API (presumably you'll have a different + # authentication scheme there anyway). Also, GET requests are not protected as these should be + # idempotent anyway. # # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an - # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the error message in - # production by editing public/422.html. A call to this method in ApplicationController is generated by default in post-Rails 2.0 - # applications. + # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the + # error message in production by editing public/422.html. A call to this method in ApplicationController is + # generated by default in post-Rails 2.0 applications. # - # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form manually (without the - # use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include a hidden field named like that and - # set its value to what is returned by <tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax requests. To - # make the token available through a global variable to scripts on a certain page, you could add something like this to a view: + # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form + # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to + # include a hidden field named like that and set its value to what is returned by + # <tt>form_authenticity_token</tt>. # - # <%= javascript_tag "window._token = '#{form_authenticity_token}'" %> - # - # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails 1.x, add this to - # config/environments/test.rb: + # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails + # 1.x, add this to config/environments/test.rb: # # # Disable request forgery protection in test environment # config.action_controller.allow_forgery_protection = false @@ -57,7 +56,8 @@ module ActionController #:nodoc: # * Keep your GET requests safe and idempotent. More reading material: # * http://www.xml.com/pub/a/2002/04/24/deviant.html # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 - # * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look for "Expires: at end of session" + # * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look + # for "Expires: at end of session" # module ClassMethods # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked. @@ -76,10 +76,7 @@ module ActionController #:nodoc: # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set which actions are verified. def protect_from_forgery(options = {}) self.request_forgery_protection_token ||= :authenticity_token - before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except) - if options[:secret] || options[:digest] - ActiveSupport::Deprecation.warn("protect_from_forgery only takes :only and :except options now. :digest and :secret have no effect", caller) - end + before_filter :verify_authenticity_token, options end end @@ -88,31 +85,24 @@ module ActionController #:nodoc: def verify_authenticity_token verified_request? || raise(ActionController::InvalidAuthenticityToken) end - + # Returns true or false if a request is verified. Checks: # # * is the format restricted? By default, only HTML requests are checked. # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given token value from the params? def verified_request? - !protect_against_forgery? || - request.method == :get || - request.xhr? || - !verifiable_request_format? || + !protect_against_forgery? || request.forgery_whitelisted? || form_authenticity_token == params[request_forgery_protection_token] end - - def verifiable_request_format? - !request.content_type.nil? && request.content_type.verify_request? - end - + # Sets the token value for the current session. def form_authenticity_token session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32) end def protect_against_forgery? - allow_forgery_protection && request_forgery_protection_token + allow_forgery_protection end end end diff --git a/actionpack/lib/action_controller/metal/responder.rb b/actionpack/lib/action_controller/metal/responder.rb index a16ed97131..e8e88e7479 100644 --- a/actionpack/lib/action_controller/metal/responder.rb +++ b/actionpack/lib/action_controller/metal/responder.rb @@ -14,12 +14,11 @@ module ActionController #:nodoc: # # When a request comes, for example with format :xml, three steps happen: # - # 1) respond_with searches for a template at people/index.xml; + # 1) responder searches for a template at people/index.xml; # - # 2) if the template is not available, it will create a responder, passing - # the controller and the resource and invoke :to_xml on it; + # 2) if the template is not available, it will invoke :to_xml in the given resource; # - # 3) if the responder does not respond_to :to_xml, call to_format on it. + # 3) if the responder does not respond_to :to_xml, call :to_format on it. # # === Builtin HTTP verb semantics # @@ -88,14 +87,16 @@ module ActionController #:nodoc: @resource = resources.is_a?(Array) ? resources.last : resources @resources = resources @options = options + @action = options.delete(:action) @default_response = options.delete(:default_response) end delegate :head, :render, :redirect_to, :to => :controller delegate :get?, :post?, :put?, :delete?, :to => :request - # Undefine :to_json since it's defined on Object - undef_method :to_json + # Undefine :to_json and :to_yaml since it's defined on Object + undef_method(:to_json) if method_defined?(:to_json) + undef_method(:to_yaml) if method_defined?(:to_yaml) # Initializes a new responder an invoke the proper format. If the format is # not defined, call to_format. @@ -111,14 +112,8 @@ module ActionController #:nodoc: # def to_html default_render - rescue ActionView::MissingTemplate - if get? - raise - elsif has_errors? - render :action => default_action - else - redirect_to resource_location - end + rescue ActionView::MissingTemplate => e + navigation_behavior(e) end # All others formats follow the procedure below. First we try to render a @@ -127,9 +122,26 @@ module ActionController #:nodoc: # def to_format default_render - rescue ActionView::MissingTemplate + rescue ActionView::MissingTemplate => e raise unless resourceful? + api_behavior(e) + end + protected + + # This is the common behavior for "navigation" requests, like :html, :iphone and so forth. + def navigation_behavior(error) + if get? + raise error + elsif has_errors? + render :action => default_action + else + redirect_to resource_location + end + end + + # This is the common behavior for "API" requests, like :xml and :json. + def api_behavior(error) if get? display resource elsif has_errors? @@ -141,8 +153,6 @@ module ActionController #:nodoc: end end - protected - # Checks whether the resource responds to the current format or not. # def resourceful? @@ -194,7 +204,7 @@ module ActionController #:nodoc: # the verb is post. # def default_action - request.post? ? :new : :edit + @action || (request.post? ? :new : :edit) end end end diff --git a/actionpack/lib/action_controller/metal/session_management.rb b/actionpack/lib/action_controller/metal/session_management.rb index 654aa08cd3..d70f40ce7a 100644 --- a/actionpack/lib/action_controller/metal/session_management.rb +++ b/actionpack/lib/action_controller/metal/session_management.rb @@ -1,10 +1,8 @@ module ActionController #:nodoc: module SessionManagement #:nodoc: - def self.included(base) - base.class_eval do - extend ClassMethods - end - end + extend ActiveSupport::Concern + + include ActionController::Configuration module ClassMethods # Set the session store to be used for keeping the session data between requests. @@ -35,13 +33,6 @@ module ActionController #:nodoc: session_options.merge!(options) end - # Returns the hash used to configure the session. Example use: - # - # ActionController::Base.session_options[:secure] = true # session only available over HTTPS - def session_options - @session_options ||= {} - end - def session(*args) ActiveSupport::Deprecation.warn( "Disabling sessions for a single controller has been deprecated. " + diff --git a/actionpack/lib/action_controller/metal/streaming.rb b/actionpack/lib/action_controller/metal/streaming.rb index 4761763a26..43c661bef4 100644 --- a/actionpack/lib/action_controller/metal/streaming.rb +++ b/actionpack/lib/action_controller/metal/streaming.rb @@ -1,5 +1,3 @@ -require 'active_support/core_ext/string/bytesize' - module ActionController #:nodoc: # Methods for sending arbitrary data and for streaming files to the browser, # instead of rendering. diff --git a/actionpack/lib/action_controller/metal/verification.rb b/actionpack/lib/action_controller/metal/verification.rb index d3d78e3749..500cced539 100644 --- a/actionpack/lib/action_controller/metal/verification.rb +++ b/actionpack/lib/action_controller/metal/verification.rb @@ -79,8 +79,8 @@ module ActionController #:nodoc: # do not apply this verification to the actions specified in the associated # array (may also be a single value). def verify(options={}) - before_filter :only => options[:only], :except => options[:except] do |c| - c.__send__ :verify_action, options + before_filter :only => options[:only], :except => options[:except] do + verify_action options end end end |