6 files changed, 44 insertions, 12 deletions

diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index 3d274e7dd7..7318c8b7ec 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
@@ -48,6 +48,11 @@ module ActionController
       info("Sent data #{event.payload[:filename]} (#{event.duration.round(1)}ms)")
     end
 
+    def unpermitted_parameters(event)
+      unpermitted_keys = event.payload[:keys]
+      debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}")
+    end
+
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
diff --git a/actionpack/lib/action_controller/metal/hide_actions.rb b/actionpack/lib/action_controller/metal/hide_actions.rb
index 2aa6b7adaf..af36ffa240 100644
--- a/actionpack/lib/action_controller/metal/hide_actions.rb
+++ b/actionpack/lib/action_controller/metal/hide_actions.rb
@@ -27,7 +27,7 @@ module ActionController
       end
 
       def visible_action?(action_name)
-        action_methods.include?(action_name)
+        not hidden_actions.include?(action_name)
       end
 
       # Overrides AbstractController::Base#action_methods to remove any methods
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index e295002b16..c7bb2dd147 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -299,6 +299,7 @@ module ActionController
       # allow a user to use new nonce without prompting user again for their
       # username and password.
       def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
+        return false if value.nil?
         t = ::Base64.decode64(value).split(":").first.to_i
         nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
       end
diff --git a/actionpack/lib/action_controller/metal/live.rb b/actionpack/lib/action_controller/metal/live.rb
index 9d628c916f..fb664a69dd 100644
--- a/actionpack/lib/action_controller/metal/live.rb
+++ b/actionpack/lib/action_controller/metal/live.rb
@@ -98,6 +98,10 @@ module ActionController
       def merge_default_headers(original, default)
         Header.new self, super
       end
+
+      def handle_conditional_get!
+        super unless committed?
+      end
     end
 
     def process(name)
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index e4dcd3213f..23d70c9ea2 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -2,6 +2,7 @@ require 'active_support/core_ext/hash/indifferent_access'
 require 'active_support/core_ext/array/wrap'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
+require 'stringio'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -68,6 +69,8 @@ module ActionController
   #   ActionController::UnpermittedParameters exception. The default value is <tt>:log</tt>
   #   in test and development environments, +false+ otherwise.
   #
+  # Examples:
+  #
   #   params = ActionController::Parameters.new
   #   params.permitted? # => false
   #
@@ -339,7 +342,8 @@ module ActionController
         if unpermitted_keys.any?
           case self.class.action_on_unpermitted_parameters
           when :log
-            ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+            name = "unpermitted_parameters.action_controller"
+            ActiveSupport::Notifications.instrument(name, keys: unpermitted_keys)
           when :raise
             raise ActionController::UnpermittedParameters.new(unpermitted_keys)
           end
@@ -417,7 +421,7 @@ module ActionController
             # Declaration { comment_ids: [] }.
             array_of_permitted_scalars_filter(params, key)
           else
-            # Declaration { user: :name } or { user: [:name, :age, { adress: ... }] }.
+            # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
             params[key] = each_element(value) do |element|
               if element.is_a?(Hash)
                 element = self.class.new(element) unless element.respond_to?(:permit)
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index e12bf0a1c6..41b5228872 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -42,13 +42,13 @@ module ActionController
       end
 
       ActiveSupport::Notifications.subscribe("!render_template.action_view") do |name, start, finish, id, payload|
-        path = payload[:identifier]
         next if payload[:virtual_path] # files don't have virtual path
+
+        path = payload[:identifier]
         if path
           @_files[path] += 1
           @_files[path.split("/").last] += 1
         end
-
       end
     end
 
@@ -451,37 +451,55 @@ module ActionController
 
       end
 
-      # Executes a request simulating GET HTTP method and set/volley the response
+      # Simulate a GET request with the given parameters.
+      #
+      # - +action+: The controller action to call.
+      # - +parameters+: The HTTP parameters that you want to pass. This may
+      #   be +nil+, a Hash, or a String that is appropriately encoded
+      #   (<tt>application/x-www-form-urlencoded</tt> or <tt>multipart/form-data</tt>).
+      # - +session+: A Hash of parameters to store in the session. This may be +nil+.
+      # - +flash+: A Hash of parameters to store in the flash. This may be +nil+.
+      #
+      # You can also simulate POST, PATCH, PUT, DELETE, and HEAD requests with
+      # +#post+, +#patch+, +#put+, +#delete+, and +#head+.
+      # Note that the request method is not verified. The different methods are
+      # available to make the tests more expressive.
       def get(action, *args)
         process(action, "GET", *args)
       end
 
-      # Executes a request simulating POST HTTP method and set/volley the response
+      # Simulate a POST request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def post(action, *args)
         process(action, "POST", *args)
       end
 
-      # Executes a request simulating PATCH HTTP method and set/volley the response
+      # Simulate a PATCH request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def patch(action, *args)
         process(action, "PATCH", *args)
       end
 
-      # Executes a request simulating PUT HTTP method and set/volley the response
+      # Simulate a PUT request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def put(action, *args)
         process(action, "PUT", *args)
       end
 
-      # Executes a request simulating DELETE HTTP method and set/volley the response
+      # Simulate a DELETE request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def delete(action, *args)
         process(action, "DELETE", *args)
       end
 
-      # Executes a request simulating HEAD HTTP method and set/volley the response
+      # Simulate a HEAD request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def head(action, *args)
         process(action, "HEAD", *args)
       end
 
-      # Executes a request simulating OPTIONS HTTP method and set/volley the response
+      # Simulate a OPTIONS request with the given parameters and set/volley the response.
+      # See +#get+ for more details.
       def options(action, *args)
         process(action, "OPTIONS", *args)
       end