diff options
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/CHANGELOG | 4 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/flash.rb | 7 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/record_identifier.rb | 14 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 6 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/routing/segments.rb | 9 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/session_management.rb | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/sanitize_helper.rb | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_view/partials.rb | 4 | ||||
| -rw-r--r-- | actionpack/test/activerecord/render_partial_with_record_identification_test.rb | 189 | ||||
| -rw-r--r-- | actionpack/test/controller/record_identifier_test.rb | 36 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 24 | ||||
| -rw-r--r-- | actionpack/test/controller/routing_test.rb | 12 | ||||
| -rw-r--r-- | actionpack/test/controller/session_management_test.rb | 22 | ||||
| -rw-r--r-- | actionpack/test/controller/test_test.rb | 10 |
14 files changed, 281 insertions, 66 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index baba4ae5ed..2caaa40bf6 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,9 @@ *SVN* +* Fixed that forgery protection can be used without session tracking (Peter Jones) [#139] + +* Added session(:on) to turn session management back on in a controller subclass if the superclass turned it off (Peter Jones) [#136] + * InstanceTag#default_time_from_options with hash args uses Time.current as default; respects hash settings when time falls in system local spring DST gap [Geoff Buesing] * select_date defaults to Time.zone.today when config.time_zone is set [Geoff Buesing] diff --git a/actionpack/lib/action_controller/flash.rb b/actionpack/lib/action_controller/flash.rb index 692168f230..0148fb5c04 100644 --- a/actionpack/lib/action_controller/flash.rb +++ b/actionpack/lib/action_controller/flash.rb @@ -28,7 +28,6 @@ module ActionController #:nodoc: base.class_eval do include InstanceMethods alias_method_chain :assign_shortcuts, :flash - alias_method_chain :process_cleanup, :flash alias_method_chain :reset_session, :flash end end @@ -166,11 +165,7 @@ module ActionController #:nodoc: def assign_shortcuts_with_flash(request, response) #:nodoc: assign_shortcuts_without_flash(request, response) flash(:refresh) - end - - def process_cleanup_with_flash - flash.sweep if @_session - process_cleanup_without_flash + flash.sweep if @_session && !component_request? end end end diff --git a/actionpack/lib/action_controller/record_identifier.rb b/actionpack/lib/action_controller/record_identifier.rb index 22dbc8bbc5..643ff7e5f4 100644 --- a/actionpack/lib/action_controller/record_identifier.rb +++ b/actionpack/lib/action_controller/record_identifier.rb @@ -33,11 +33,17 @@ module ActionController # Returns plural/singular for a record or class. Example: # - # partial_path(post) # => "posts/post" - # partial_path(Person) # => "people/person" - def partial_path(record_or_class) + # partial_path(post) # => "posts/post" + # partial_path(Person) # => "people/person" + # partial_path(Person, "admin/games") # => "admin/people/person" + def partial_path(record_or_class, controller_path = nil) klass = class_from_record_or_class(record_or_class) - "#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + + if controller_path && controller_path.include?("/") + "#{File.dirname(controller_path)}/#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + else + "#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + end end # The DOM class convention is to use the singular form of an object or class. Examples: diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 5daf14eb30..139e91ecf9 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -105,12 +105,12 @@ module ActionController #:nodoc: # Sets the token value for the current session. Pass a <tt>:secret</tt> option # in +protect_from_forgery+ to add a custom salt to the hash. def form_authenticity_token - @form_authenticity_token ||= if request_forgery_protection_options[:secret] + @form_authenticity_token ||= if !session.respond_to?(:session_id) + raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." + elsif request_forgery_protection_options[:secret] authenticity_token_from_session_id elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) authenticity_token_from_cookie_session - elsif session.nil? - raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." else raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)." end diff --git a/actionpack/lib/action_controller/routing/segments.rb b/actionpack/lib/action_controller/routing/segments.rb index 24ea8c7f2d..b142d18b47 100644 --- a/actionpack/lib/action_controller/routing/segments.rb +++ b/actionpack/lib/action_controller/routing/segments.rb @@ -244,11 +244,12 @@ module ActionController end class PathSegment < DynamicSegment #:nodoc: - RESERVED_PCHAR = "#{Segment::RESERVED_PCHAR}/" - UNSAFE_PCHAR = Regexp.new("[^#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}]", false, 'N').freeze - def interpolation_chunk(value_code = "#{local_name}") - "\#{URI.escape(#{value_code}.to_s, ActionController::Routing::PathSegment::UNSAFE_PCHAR)}" + "\#{#{value_code}}" + end + + def extract_value + "#{local_name} = hash[:#{key}] && hash[:#{key}].collect { |path_component| URI.escape(path_component, ActionController::Routing::Segment::UNSAFE_PCHAR) }.to_param #{"|| #{default.inspect}" if default}" end def default diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb index 8680104420..80a3ddd2c5 100644 --- a/actionpack/lib/action_controller/session_management.rb +++ b/actionpack/lib/action_controller/session_management.rb @@ -69,11 +69,16 @@ module ActionController #:nodoc: # session :off, # :if => Proc.new { |req| !(req.format.html? || req.format.js?) } # + # # turn the session back on, useful when it was turned off in the + # # application controller, and you need it on in another controller + # session :on + # # All session options described for ActionController::Base.process_cgi # are valid arguments. def session(*args) options = args.extract_options! + options[:disabled] = false if args.delete(:on) options[:disabled] = true if !args.empty? options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only] options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except] diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb index 3129ff414e..6c0a7ec25c 100644 --- a/actionpack/lib/action_view/helpers/sanitize_helper.rb +++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb @@ -48,6 +48,11 @@ module ActionView # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' # end # + # Please note that sanitizing user-provided text does not guarantee that the + # resulting markup is valid (conforming to a document type) or even well-formed. + # The output may still contain e.g. unescaped '<', '>', '&' characters and + # confuse browsers. + # def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options) end diff --git a/actionpack/lib/action_view/partials.rb b/actionpack/lib/action_view/partials.rb index a708ecb3fb..6b294be6bd 100644 --- a/actionpack/lib/action_view/partials.rb +++ b/actionpack/lib/action_view/partials.rb @@ -119,7 +119,7 @@ module ActionView "" end else - render_partial(ActionController::RecordIdentifier.partial_path(partial_path), partial_path, local_assigns) + render_partial(ActionController::RecordIdentifier.partial_path(partial_path, controller.class.controller_path), partial_path, local_assigns) end end @@ -147,7 +147,7 @@ module ActionView templates = Hash.new i = 0 collection.map do |element| - partial_path = ActionController::RecordIdentifier.partial_path(element) + partial_path = ActionController::RecordIdentifier.partial_path(element, controller.class.controller_path) template = templates[partial_path] ||= ActionView::PartialTemplate.new(self, partial_path, nil, local_assigns) template.counter = i i += 1 diff --git a/actionpack/test/activerecord/render_partial_with_record_identification_test.rb b/actionpack/test/activerecord/render_partial_with_record_identification_test.rb index 32b26206c3..ed10e72953 100644 --- a/actionpack/test/activerecord/render_partial_with_record_identification_test.rb +++ b/actionpack/test/activerecord/render_partial_with_record_identification_test.rb @@ -1,49 +1,49 @@ require 'active_record_unit' -class RenderPartialWithRecordIdentificationTest < ActiveRecordTestCase - fixtures :developers, :projects, :developers_projects, :topics, :replies, :companies, :mascots +class RenderPartialWithRecordIdentificationController < ActionController::Base + def render_with_has_many_and_belongs_to_association + @developer = Developer.find(1) + render :partial => @developer.projects + end - class RenderPartialWithRecordIdentificationController < ActionController::Base - def render_with_has_many_and_belongs_to_association - @developer = Developer.find(1) - render :partial => @developer.projects - end - - def render_with_has_many_association - @topic = Topic.find(1) - render :partial => @topic.replies - end - - def render_with_named_scope - render :partial => Reply.base - end - - def render_with_has_many_through_association - @developer = Developer.find(:first) - render :partial => @developer.topics - end - - def render_with_has_one_association - @company = Company.find(1) - render :partial => @company.mascot - end - - def render_with_belongs_to_association - @reply = Reply.find(1) - render :partial => @reply.topic - end - - def render_with_record - @developer = Developer.find(:first) - render :partial => @developer - end - - def render_with_record_collection - @developers = Developer.find(:all) - render :partial => @developers - end + def render_with_has_many_association + @topic = Topic.find(1) + render :partial => @topic.replies + end + + def render_with_named_scope + render :partial => Reply.base + end + + def render_with_has_many_through_association + @developer = Developer.find(:first) + render :partial => @developer.topics + end + + def render_with_has_one_association + @company = Company.find(1) + render :partial => @company.mascot + end + + def render_with_belongs_to_association + @reply = Reply.find(1) + render :partial => @reply.topic end - RenderPartialWithRecordIdentificationController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ] + + def render_with_record + @developer = Developer.find(:first) + render :partial => @developer + end + + def render_with_record_collection + @developers = Developer.find(:all) + render :partial => @developers + end +end +RenderPartialWithRecordIdentificationController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ] + +class RenderPartialWithRecordIdentificationTest < ActiveRecordTestCase + fixtures :developers, :projects, :developers_projects, :topics, :replies, :companies, :mascots def setup @controller = RenderPartialWithRecordIdentificationController.new @@ -84,3 +84,108 @@ class RenderPartialWithRecordIdentificationTest < ActiveRecordTestCase assert_equal mascot.name, @response.body end end + +class RenderPartialWithRecordIdentificationController < ActionController::Base + def render_with_has_many_and_belongs_to_association + @developer = Developer.find(1) + render :partial => @developer.projects + end + + def render_with_has_many_association + @topic = Topic.find(1) + render :partial => @topic.replies + end + + def render_with_has_many_through_association + @developer = Developer.find(:first) + render :partial => @developer.topics + end + + def render_with_belongs_to_association + @reply = Reply.find(1) + render :partial => @reply.topic + end + + def render_with_record + @developer = Developer.find(:first) + render :partial => @developer + end + + def render_with_record_collection + @developers = Developer.find(:all) + render :partial => @developers + end +end +RenderPartialWithRecordIdentificationController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ] + +class Game < Struct.new(:name, :id) + def to_param + id.to_s + end +end + +module Fun + class NestedController < ActionController::Base + def render_with_record_in_nested_controller + render :partial => Game.new("Pong") + end + + def render_with_record_collection_in_nested_controller + render :partial => [ Game.new("Pong"), Game.new("Tank") ] + end + end + NestedController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ] + + module Serious + class NestedDeeperController < ActionController::Base + def render_with_record_in_deeper_nested_controller + render :partial => Game.new("Chess") + end + + def render_with_record_collection_in_deeper_nested_controller + render :partial => [ Game.new("Chess"), Game.new("Sudoku"), Game.new("Solitaire") ] + end + end + NestedDeeperController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ] + end +end + +class RenderPartialWithRecordIdentificationAndNestedControllersTest < ActiveRecordTestCase + def setup + @controller = Fun::NestedController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + super + end + + def test_render_with_record_in_nested_controller + get :render_with_record_in_nested_controller + assert_template 'fun/games/_game' + end + + def test_render_with_record_collection_in_nested_controller + get :render_with_record_collection_in_nested_controller + assert_template 'fun/games/_game' + end + +end + +class RenderPartialWithRecordIdentificationAndNestedDeeperControllersTest < ActiveRecordTestCase + def setup + @controller = Fun::Serious::NestedDeeperController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + super + end + + def test_render_with_record_in_deeper_nested_controller + get :render_with_record_in_deeper_nested_controller + assert_template 'fun/serious/games/_game' + end + + def test_render_with_record_collection_in_deeper_nested_controller + get :render_with_record_collection_in_deeper_nested_controller + assert_template 'fun/serious/games/_game' + end + +end
\ No newline at end of file diff --git a/actionpack/test/controller/record_identifier_test.rb b/actionpack/test/controller/record_identifier_test.rb index def8613215..12c1eaea69 100644 --- a/actionpack/test/controller/record_identifier_test.rb +++ b/actionpack/test/controller/record_identifier_test.rb @@ -57,6 +57,18 @@ class RecordIdentifierTest < Test::Unit::TestCase assert_equal expected, partial_path(Comment) end + def test_partial_path_with_namespaced_controller_path + expected = "admin/#{@plural}/#{@singular}" + assert_equal expected, partial_path(@record, "admin/posts") + assert_equal expected, partial_path(@klass, "admin/posts") + end + + def test_partial_path_with_not_namespaced_controller_path + expected = "#{@plural}/#{@singular}" + assert_equal expected, partial_path(@record, "posts") + assert_equal expected, partial_path(@klass, "posts") + end + def test_dom_class assert_equal @singular, dom_class(@record) end @@ -100,4 +112,28 @@ class NestedRecordIdentifierTest < RecordIdentifierTest assert_equal expected, partial_path(@record) assert_equal expected, partial_path(Comment::Nested) end + + def test_partial_path_with_namespaced_controller_path + expected = "admin/comment/nesteds/nested" + assert_equal expected, partial_path(@record, "admin/posts") + assert_equal expected, partial_path(@klass, "admin/posts") + end + + def test_partial_path_with_deeper_namespaced_controller_path + expected = "deeper/admin/comment/nesteds/nested" + assert_equal expected, partial_path(@record, "deeper/admin/posts") + assert_equal expected, partial_path(@klass, "deeper/admin/posts") + end + + def test_partial_path_with_even_deeper_namespaced_controller_path + expected = "even/more/deeper/admin/comment/nesteds/nested" + assert_equal expected, partial_path(@record, "even/more/deeper/admin/posts") + assert_equal expected, partial_path(@klass, "even/more/deeper/admin/posts") + end + + def test_partial_path_with_not_namespaced_controller_path + expected = "comment/nesteds/nested" + assert_equal expected, partial_path(@record, "posts") + assert_equal expected, partial_path(@klass, "posts") + end end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index d0c3c6e224..7022713e30 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -50,6 +50,14 @@ class CsrfCookieMonsterController < ActionController::Base protect_from_forgery :only => :index end +# sessions are turned off +class SessionOffController < ActionController::Base + protect_from_forgery :secret => 'foobar' + session :off + def rescue_action(e) raise e end + include RequestForgeryProtectionActions +end + class FreeCookieController < CsrfCookieMonsterController self.allow_forgery_protection = false @@ -224,3 +232,19 @@ class FreeCookieControllerTest < Test::Unit::TestCase end end end + +class SessionOffControllerTest < Test::Unit::TestCase + def setup + @controller = SessionOffController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') + end + + def test_should_raise_correct_exception + @request.session = {} # session(:off) doesn't appear to work with controller tests + assert_raises(ActionController::InvalidAuthenticityToken) do + post :index, :authenticity_token => @token + end + end +end diff --git a/actionpack/test/controller/routing_test.rb b/actionpack/test/controller/routing_test.rb index 640afd58f8..b28f7bcdff 100644 --- a/actionpack/test/controller/routing_test.rb +++ b/actionpack/test/controller/routing_test.rb @@ -25,7 +25,7 @@ class UriReservedCharactersRoutingTest < Test::Unit::TestCase ActionController::Routing.use_controllers! ['controller'] @set = ActionController::Routing::RouteSet.new @set.draw do |map| - map.connect ':controller/:action/:variable' + map.connect ':controller/:action/:variable/*additional' end safe, unsafe = %w(: @ & = + $ , ;), %w(^ / ? # [ ]) @@ -36,17 +36,19 @@ class UriReservedCharactersRoutingTest < Test::Unit::TestCase end def test_route_generation_escapes_unsafe_path_characters - assert_equal "/contr#{@segment}oller/act#{@escaped}ion/var#{@escaped}iable", + assert_equal "/contr#{@segment}oller/act#{@escaped}ion/var#{@escaped}iable/add#{@escaped}itional-1/add#{@escaped}itional-2", @set.generate(:controller => "contr#{@segment}oller", :action => "act#{@segment}ion", - :variable => "var#{@segment}iable") + :variable => "var#{@segment}iable", + :additional => ["add#{@segment}itional-1", "add#{@segment}itional-2"]) end def test_route_recognition_unescapes_path_components options = { :controller => "controller", :action => "act#{@segment}ion", - :variable => "var#{@segment}iable" } - assert_equal options, @set.recognize_path("/controller/act#{@escaped}ion/var#{@escaped}iable") + :variable => "var#{@segment}iable", + :additional => ["add#{@segment}itional-1", "add#{@segment}itional-2"] } + assert_equal options, @set.recognize_path("/controller/act#{@escaped}ion/var#{@escaped}iable/add#{@escaped}itional-1/add#{@escaped}itional-2") end end diff --git a/actionpack/test/controller/session_management_test.rb b/actionpack/test/controller/session_management_test.rb index 495a9153f8..592b0b549d 100644 --- a/actionpack/test/controller/session_management_test.rb +++ b/actionpack/test/controller/session_management_test.rb @@ -13,6 +13,19 @@ class SessionManagementTest < Test::Unit::TestCase end end + class SessionOffOnController < ActionController::Base + session :off + session :on, :only => :tell + + def show + render :text => "done" + end + + def tell + render :text => "done" + end + end + class TestController < ActionController::Base session :off, :only => :show session :session_secure => true, :except => :show @@ -100,6 +113,15 @@ class SessionManagementTest < Test::Unit::TestCase assert_equal false, @request.session_options end + def test_session_off_then_on_globally + @controller = SessionOffOnController.new + get :show + assert_equal false, @request.session_options + get :tell + assert_instance_of Hash, @request.session_options + assert_equal false, @request.session_options[:disabled] + end + def test_session_off_conditionally @controller = TestController.new get :show diff --git a/actionpack/test/controller/test_test.rb b/actionpack/test/controller/test_test.rb index 04cc2a20d8..ba6c7f4299 100644 --- a/actionpack/test/controller/test_test.rb +++ b/actionpack/test/controller/test_test.rb @@ -12,6 +12,11 @@ class TestTest < Test::Unit::TestCase render :text => 'ignore me' end + def set_flash_now + flash.now["test_now"] = ">#{flash["test_now"]}<" + render :text => 'ignore me' + end + def set_session session['string'] = 'A wonder' session[:symbol] = 'it works' @@ -145,6 +150,11 @@ XML assert_equal '>value<', flash['test'] end + def test_process_with_flash_now + process :set_flash_now, nil, nil, { "test_now" => "value_now" } + assert_equal '>value_now<', flash['test_now'] + end + def test_process_with_session process :set_session assert_equal 'A wonder', session['string'], "A value stored in the session should be available by string key" |