5 files changed, 105 insertions, 39 deletions
diff --git a/actionpack/lib/action_controller/metal/basic_implicit_render.rb b/actionpack/lib/action_controller/metal/basic_implicit_render.rb
index 6c6f8381ff..cef65a362c 100644
--- a/actionpack/lib/action_controller/metal/basic_implicit_render.rb
+++ b/actionpack/lib/action_controller/metal/basic_implicit_render.rb
@@ -1,5 +1,5 @@
 module ActionController
-  module BasicImplicitRender
+  module BasicImplicitRender # :nodoc:
     def send_action(method, *args)
       super.tap { default_render unless performed? }
     end
diff --git a/actionpack/lib/action_controller/metal/conditional_get.rb b/actionpack/lib/action_controller/metal/conditional_get.rb
index f8e0d9cf6c..35befc05e1 100644
--- a/actionpack/lib/action_controller/metal/conditional_get.rb
+++ b/actionpack/lib/action_controller/metal/conditional_get.rb
@@ -185,7 +185,7 @@ module ActionController
       !request.fresh?(response)
     end
 
-    # Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
+    # Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
     # instruction, so that intermediate caches must not cache the response.
     #
     #   expires_in 20.minutes
@@ -195,7 +195,7 @@ module ActionController
     # This method will overwrite an existing Cache-Control header.
     # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
-    # The method will also ensure a HTTP Date header for client compatibility.
+    # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})
       response.cache_control.merge!(
         :max_age         => seconds,
@@ -208,7 +208,7 @@ module ActionController
       response.date = Time.now unless response.date?
     end
 
-    # Sets a HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
+    # Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
     # occur by the browser or intermediate caches (like caching proxy servers).
     def expires_now
       response.cache_control.replace(:no_cache => true)
@@ -216,18 +216,16 @@ module ActionController
 
     # Cache or yield the block. The cache is supposed to never expire.
     #
-    # You can use this method when you have a HTTP response that never changes,
+    # You can use this method when you have an HTTP response that never changes,
     # and the browser and proxies should cache it indefinitely.
     #
     # * +public+: By default, HTTP responses are private, cached only on the
     #   user's web browser. To allow proxies to cache the response, set +true+ to
     #   indicate that they can serve the cached response to all users.
-    #
-    # * +version+: the version passed as a key for the cache.
-    def http_cache_forever(public: false, version: 'v1')
+    def http_cache_forever(public: false)
       expires_in 100.years, public: public
 
-      yield if stale?(etag: "#{version}-#{request.fullpath}",
+      yield if stale?(etag: request.fullpath,
                       last_modified: Time.new(2011, 1, 1).utc,
                       public: public)
     end
diff --git a/actionpack/lib/action_controller/metal/implicit_render.rb b/actionpack/lib/action_controller/metal/implicit_render.rb
index 17fcc2fa02..3a6f784507 100644
--- a/actionpack/lib/action_controller/metal/implicit_render.rb
+++ b/actionpack/lib/action_controller/metal/implicit_render.rb
@@ -1,29 +1,80 @@
+require 'active_support/core_ext/string/strip'
+
 module ActionController
+  # Handles implicit rendering for a controller action when it did not
+  # explicitly indicate an appropiate response via methods such as +render+,
+  # +respond_to+, +redirect+ or +head+.
+  #
+  # For API controllers, the implicit render always renders "204 No Content"
+  # and does not account for any templates.
+  #
+  # For other controllers, the following conditions are checked:
+  #
+  # First, if a template exists for the controller action, it is rendered.
+  # This template lookup takes into account the action name, locales, format,
+  # variant, template handlers, etc. (see +render+ for details).
+  #
+  # Second, if other templates exist for the controller action but is not in
+  # the right format (or variant, etc.), an <tt>ActionController::UnknownFormat</tt>
+  # is raised. The list of available templates is assumed to be a complete
+  # enumeration of all the possible formats (or variants, etc.); that is,
+  # having only HTML and JSON templates indicate that the controller action is
+  # not meant to handle XML requests.
+  #
+  # Third, if the current request is an "interactive" browser request (the user
+  # navigated here by entering the URL in the address bar, submiting a form,
+  # clicking on a link, etc. as opposed to an XHR or non-browser API request),
+  # <tt>ActionView::UnknownFormat</tt> is raised to display a helpful error
+  # message.
+  #
+  # Finally, it falls back to the same "204 No Content" behavior as API controllers.
   module ImplicitRender
 
+    # :stopdoc:
     include BasicImplicitRender
 
-    # Renders the template corresponding to the controller action, if it exists.
-    # The action name, format, and variant are all taken into account.
-    # For example, the "new" action with an HTML format and variant "phone" 
-    # would try to render the <tt>new.html+phone.erb</tt> template.
-    #
-    # If no template is found <tt>ActionController::BasicImplicitRender</tt>'s implementation is called, unless
-    # a block is passed. In that case, it will override the super implementation.
-    #
-    #   default_render do
-    #     head 404 # No template was found
-    #   end
     def default_render(*args)
       if template_exists?(action_name.to_s, _prefixes, variants: request.variant)
         render(*args)
-      else
-        if block_given?
-          yield(*args)
-        else
-          logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
-          super
+      elsif any_templates?(action_name.to_s, _prefixes)
+        message = "#{self.class.name}\##{action_name} does not know how to respond " \
+          "to this request. There are other templates available for this controller " \
+          "action but none of them were suitable for this request.\n\n" \
+          "This usually happens when the client requested an unsupported format " \
+          "(e.g. requesting HTML content from a JSON endpoint or vice versa), but " \
+          "it might also be failing due to other constraints, such as locales or " \
+          "variants.\n"
+
+        if request.formats.any?
+          message << "\nRequested format(s): #{request.formats.join(", ")}"
         end
+
+        if request.variant.any?
+          message << "\nRequested variant(s): #{request.variant.join(", ")}"
+        end
+
+        raise ActionController::UnknownFormat, message
+      elsif interactive_browser_request?
+        message = "You did not define any templates for #{self.class.name}\##{action_name}. " \
+          "This is not necessarily a problem (e.g. you might be building an API endpoint " \
+          "that does not require any templates), and the controller would usually respond " \
+          "with `head :no_content` for your convenience.\n\n" \
+          "However, you appear to have navigated here from an interactive browser request – " \
+          "such as by navigating to this URL directly, clicking on a link or submitting a form. " \
+          "Rendering a `head :no_content` in this case could have resulted in unexpected UI " \
+          "behavior in the browser.\n\n" \
+          "If you expected the `head :no_content` response, you do not need to take any " \
+          "actions – requests coming from an XHR (AJAX) request or other non-browser clients " \
+          "will receive the \"204 No Content\" response as expected.\n\n" \
+          "If you did not expect this behavior, you can resolve this error by adding a " \
+          "template for this controller action (usually `#{action_name}.html.erb`) or " \
+          "otherwise indicate the appropriate response in the action using `render`, " \
+          "`redirect_to`, `head`, etc.\n"
+
+        raise ActionController::UnknownFormat, message
+      else
+        logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
+        super
       end
     end
 
@@ -32,5 +83,11 @@ module ActionController
         "default_render"
       end
     end
+
+    private
+
+      def interactive_browser_request?
+        request.format == Mime[:html] && !request.xhr?
+      end
   end
 end
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 6586985ff5..b2f0b382b9 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -379,7 +379,8 @@ module ActionController #:nodoc:
 
       def xor_byte_strings(s1, s2)
         s2_bytes = s2.bytes
-        s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
+        s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
+        s2_bytes.pack('C*')
       end
 
       # The form's authenticity parameter. Override to provide your own.
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index ad3c765d9e..a01110d474 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -109,7 +109,7 @@ module ActionController
     cattr_accessor :permit_all_parameters, instance_accessor: false
     cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
 
-    delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?, :inspect,
+    delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?,
       :as_json, to: :@parameters
 
     # By default, never raise an UnpermittedParameters exception if these
@@ -144,17 +144,21 @@ module ActionController
     end
 
     # Returns true if another +Parameters+ object contains the same content and
-    # permitted flag, or other Hash-like object contains the same content. This
-    # override is in place so you can perform a comparison with `Hash`.
-    def ==(other_hash)
-      if other_hash.respond_to?(:permitted?)
-        super
+    # permitted flag.
+    def ==(other)
+      if other.respond_to?(:permitted?)
+        self.permitted? == other.permitted? && self.parameters == other.parameters
+      elsif other.is_a?(Hash)
+        ActiveSupport::Deprecation.warn <<-WARNING.squish
+          Comparing equality between `ActionController::Parameters` and a
+          `Hash` is deprecated and will be removed in Rails 5.1. Please only do
+          comparisons between instances of `ActionController::Parameters`. If
+          you need to compare to a hash, first convert it using
+          `ActionController::Parameters#new`.
+        WARNING
+        @parameters == other.with_indifferent_access
       else
-        if other_hash.is_a?(Hash)
-          @parameters == other_hash.with_indifferent_access
-        else
-          @parameters == other_hash
-        end
+        @parameters == other
       end
     end
 
@@ -574,6 +578,10 @@ module ActionController
       dup
     end
 
+    def inspect
+      "<#{self.class} #{@parameters} permitted: #{@permitted}>"
+    end
+
     def method_missing(method_sym, *args, &block)
       if @parameters.respond_to?(method_sym)
         message = <<-DEPRECATE.squish
@@ -593,12 +601,14 @@ module ActionController
     end
 
     protected
+      attr_reader :parameters
+
       def permitted=(new_permitted)
         @permitted = new_permitted
       end
 
       def fields_for_style?
-        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && v.is_a?(Hash) }
+        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && (v.is_a?(Hash) || v.is_a?(Parameters)) }
       end
 
     private