diff options
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r-- | actionpack/lib/action_controller/base.rb | 90 | ||||
-rw-r--r-- | actionpack/lib/action_controller/deprecated/base.rb | 16 | ||||
-rw-r--r-- | actionpack/lib/action_controller/metal/cookies.rb | 3 | ||||
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 17 | ||||
-rw-r--r-- | actionpack/lib/action_controller/railtie.rb | 1 |
5 files changed, 70 insertions, 57 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index 46a175d2fa..1dfc240029 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -2,48 +2,59 @@ module ActionController class Base < Metal abstract! - include AbstractController::Layouts - include AbstractController::Translation + def self.without_modules(*modules) + modules = modules.map do |m| + m.is_a?(Symbol) ? ActionController.const_get(m) : m + end - include ActionController::Helpers - - include ActionController::HideActions - include ActionController::UrlFor - include ActionController::Redirecting - include ActionController::Rendering - include ActionController::Renderers::All - include ActionController::ConditionalGet - include ActionController::RackDelegation + MODULES - modules + end - # Legacy modules - include SessionManagement - include ActionController::Caching - include ActionController::MimeResponds - include ActionController::PolymorphicRoutes + MODULES = [ + AbstractController::Layouts, + AbstractController::Translation, - # Rails 2.x compatibility - include ActionController::Compatibility - include ActionController::ImplicitRender + Helpers, + HideActions, + UrlFor, + Redirecting, + Rendering, + Renderers::All, + ConditionalGet, + RackDelegation, + SessionManagement, + Caching, + MimeResponds, + PolymorphicRoutes, + ImplicitRender, + + Cookies, + Flash, + Verification, + RequestForgeryProtection, + Streaming, + RecordIdentifier, + HttpAuthentication::Basic::ControllerMethods, + HttpAuthentication::Digest::ControllerMethods, + + # Add instrumentations hooks at the bottom, to ensure they instrument + # all the methods properly. + Instrumentation, - include ActionController::Cookies - include ActionController::Flash - include ActionController::Verification - include ActionController::RequestForgeryProtection - include ActionController::Streaming - include ActionController::RecordIdentifier - include ActionController::HttpAuthentication::Basic::ControllerMethods - include ActionController::HttpAuthentication::Digest::ControllerMethods + # Before callbacks should also be executed the earliest as possible, so + # also include them at the bottom. + AbstractController::Callbacks, - # Add instrumentations hooks at the bottom, to ensure they instrument - # all the methods properly. - include ActionController::Instrumentation + # The same with rescue, append it at the end to wrap as much as possible. + Rescue + ] - # Before callbacks should also be executed the earliest as possible, so - # also include them at the bottom. - include AbstractController::Callbacks + MODULES.each do |mod| + include mod + end - # The same with rescue, append it at the end to wrap as much as possible. - include ActionController::Rescue + # Rails 2.x compatibility + include ActionController::Compatibility def self.inherited(klass) ::ActionController::Base.subclasses << klass.to_s @@ -55,15 +66,6 @@ module ActionController @subclasses ||= [] end - # This method has been moved to ActionDispatch::Request.filter_parameters - def self.filter_parameter_logging(*args, &block) - ActiveSupport::Deprecation.warn("Setting filter_parameter_logging in ActionController is deprecated and has no longer effect, please set 'config.filter_parameters' in config/application.rb instead", caller) - filter = Rails.application.config.filter_parameters - filter.concat(args) - filter << block if block - filter - end - ActiveSupport.run_load_hooks(:action_controller, self) end end diff --git a/actionpack/lib/action_controller/deprecated/base.rb b/actionpack/lib/action_controller/deprecated/base.rb index 2fd60aacc7..05551ffee4 100644 --- a/actionpack/lib/action_controller/deprecated/base.rb +++ b/actionpack/lib/action_controller/deprecated/base.rb @@ -6,6 +6,15 @@ module ActionController deprecated_config_writer(option, message) end + # This method has been moved to ActionDispatch::Request.filter_parameters + def filter_parameter_logging(*args, &block) + ActiveSupport::Deprecation.warn("Setting filter_parameter_logging in ActionController is deprecated and has no longer effect, please set 'config.filter_parameters' in config/application.rb instead", caller) + filter = Rails.application.config.filter_parameters + filter.concat(args) + filter << block if block + filter + end + def deprecated_config_reader(option, message = nil) message ||= "Reading #{option} directly from ActionController::Base is deprecated. " \ "Please read it from config.#{option}" @@ -68,14 +77,11 @@ module ActionController def cookie_verifier_secret=(value) ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret= is deprecated. " << - "Please configure it on your application with config.cookie_secret=", caller - ActionController::Base.config.secret = value + "Please configure it on your application with config.secret_token=", caller end def cookie_verifier_secret - ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated. " << - "Please use ActionController::Base.config.secret instead.", caller - ActionController::Base.config.secret + ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated.", caller end def trusted_proxies=(value) diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb index 4aaa705203..d787f014cd 100644 --- a/actionpack/lib/action_controller/metal/cookies.rb +++ b/actionpack/lib/action_controller/metal/cookies.rb @@ -10,8 +10,7 @@ module ActionController #:nodoc: private def cookies - raise "You must set config.cookie_secret in your app's config" if config.secret.blank? - request.cookie_jar(:signing_secret => config.secret) + request.cookie_jar end end end diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 424828f7e8..6bd6c15990 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -159,7 +159,7 @@ module ActionController # Authenticate with HTTP Digest, returns true or false def authenticate_with_http_digest(realm = "Application", &password_procedure) - HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure) + HttpAuthentication::Digest.authenticate(request, realm, &password_procedure) end # Render output including the HTTP Digest authentication header @@ -169,14 +169,15 @@ module ActionController end # Returns false on a valid response, true otherwise - def authenticate(secret_key, request, realm, &password_procedure) - request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure) + def authenticate(request, realm, &password_procedure) + request.authorization && validate_digest_response(request, realm, &password_procedure) end # Returns false unless the request credentials response value matches the expected value. # First try the password as a ha1 digest password. If this fails, then try it as a plain # text password. - def validate_digest_response(secret_key, request, realm, &password_procedure) + def validate_digest_response(request, realm, &password_procedure) + secret_key = secret_token(request) credentials = decode_credentials_header(request) valid_nonce = validate_nonce(secret_key, request, credentials[:nonce]) @@ -225,7 +226,7 @@ module ActionController end def authentication_header(controller, realm) - secret_key = controller.config.secret + secret_key = secret_token(controller.request) nonce = self.nonce(secret_key) opaque = opaque(secret_key) controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}") @@ -238,6 +239,12 @@ module ActionController controller.status = 401 end + def secret_token(request) + secret = request.env["action_dispatch.secret_token"] + raise "You must set config.secret_token in your app's config" if secret.blank? + secret + end + # Uses an MD5 digest based on time to generate a value to be used only once. # # A server-specified data string which should be uniquely generated each time a 401 response is made. diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb index 29d8523ee1..030ba4ec48 100644 --- a/actionpack/lib/action_controller/railtie.rb +++ b/actionpack/lib/action_controller/railtie.rb @@ -51,7 +51,6 @@ module ActionController ac.assets_dir = paths.public.to_a.first ac.javascripts_dir = paths.public.javascripts.to_a.first ac.stylesheets_dir = paths.public.stylesheets.to_a.first - ac.secret = app.config.cookie_secret ActiveSupport.on_load(:action_controller) do self.config.merge!(ac) |