From cb3e96a447df592947ae10221c7494eb8bf08012 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Sat, 26 Mar 2011 10:28:39 -0700
Subject: Make JavaScriptHelper#j() an alias for
 JavaScriptHelper#escape_javascript() -- note this then supersedes the
 Object#j() method that the JSON gem adds within templates using the
 JavaScriptHelper [DHH]

---
 actionpack/lib/action_view/helpers/javascript_helper.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index cd3a3eac80..6eda23a9a3 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -47,6 +47,9 @@ module ActionView
         "'"     => "\\'" }
 
       # Escape carrier returns and single and double quotes for JavaScript segments.
+      # Also available through the alias j(). This is particularly helpful in JavaScript responses, like:
+      #
+      #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
           javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
@@ -55,6 +58,8 @@ module ActionView
         end
       end
 
+      alias_method :escape_javascript, :j
+
       # Returns a JavaScript tag with the +content+ inside. Example:
       #   javascript_tag "alert('All is good')"
       #
-- 
cgit v1.2.3


From f8a05ad297d637596d029b013bb65128ca0aa8bd Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Sat, 26 Mar 2011 14:44:36 -0700
Subject: Allow FormHelper#form_for to specify the :method as a direct option
 instead of through the :html hash [DHH]

---
 actionpack/lib/action_view/helpers/form_helper.rb | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 48abf119f1..9025d9e24c 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -185,7 +185,7 @@ module ActionView
       #
       # is equivalent to something like:
       #
-      #   <%= form_for @post, :as => :post, :url => post_path(@post), :html => { :method => :put, :class => "edit_post", :id => "edit_post_45" } do |f| %>
+      #   <%= form_for @post, :as => :post, :url => post_path(@post), :method => :put, :html => { :class => "edit_post", :id => "edit_post_45" } do |f| %>
       #     ...
       #   <% end %>
       #
@@ -236,6 +236,16 @@ module ActionView
       # Where <tt>@document = Document.find(params[:id])</tt> and
       # <tt>@comment = Comment.new</tt>.
       #
+      # === Setting the method
+      #
+      # You can force the form to use the full array of HTTP verbs by setting 
+      #
+      #    :method => (:get|:post|:put|:delete)
+      #
+      # in the options hash. If the verb is not GET or POST, which are natively supported by HTML forms, the
+      # form will be set to POST and a hidden input called _method will carry the intended verb for the server
+      # to interpret.
+      #
       # === Unobtrusive JavaScript
       #
       # Specifying:
@@ -298,7 +308,7 @@ module ActionView
       #
       # In this case, if you use this:
       #
-      #   <%= render :partial => f %>
+      #   <%= render f %>
       #
       # The rendered template is <tt>people/_labelling_form</tt> and the local
       # variable referencing the form builder is called
@@ -350,6 +360,7 @@ module ActionView
         end
 
         options[:html][:remote] = options.delete(:remote)
+        options[:html][:method] = options.delete(:method) if options.has_key?(:method)
         options[:html][:authenticity_token] = options.delete(:authenticity_token)
 
         builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc)
-- 
cgit v1.2.3


From cc6fa2f4d718c2d7a990fe23c38fc0ea4f2391d9 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Sun, 27 Mar 2011 11:20:54 -0700
Subject: Fix alias_method, add test

---
 actionpack/lib/action_view/helpers/javascript_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index 6eda23a9a3..a19ba7a968 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -58,7 +58,7 @@ module ActionView
         end
       end
 
-      alias_method :escape_javascript, :j
+      alias_method :j, :escape_javascript
 
       # Returns a JavaScript tag with the +content+ inside. Example:
       #   javascript_tag "alert('All is good')"
-- 
cgit v1.2.3


From b2d94322e6f2c2324154465147938ca8b16c610d Mon Sep 17 00:00:00 2001
From: Xavier Noria <fxn@hashref.com>
Date: Sun, 27 Mar 2011 20:45:23 +0200
Subject: fixes a couple of regexps, the suite showed warnings about them

A couple of things worth mentioning here:

 - "{" is a metacharacter, should be escaped
   if it is meant to match a "{". The code
   worked, though, because the regexp engine
   is tolerant to this, but issued warnings.

 - gsub accepts a string as first argument.
   That's the best idiom to use when your
   pattern has no metacharacters, since gsub
   interprets the string as an exact substring
   to look for, rather than a regexp. The
   benefit is that your pattern is crystal
   clear and needs no backslashes.
---
 actionpack/lib/action_view/template/resolver.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 6c1063592f..41c6310ae2 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -157,8 +157,8 @@ module ActionView
         query.gsub!(/\:#{ext}/, "{#{variants.compact.uniq.join(',')}}")
       }
 
-      query.gsub!(/\.{html,/, ".{html,text.html,")
-      query.gsub!(/\.{text,/, ".{text,text.plain,")
+      query.gsub!('.{html,', '.{html,text.html,')
+      query.gsub!('.{text,', '.{text,text.plain,')
 
       File.expand_path(query, @path)
     end
-- 
cgit v1.2.3


From 7cbdfa83035aacb0d4dbfa84525b54e9122efb75 Mon Sep 17 00:00:00 2001
From: Prem Sichanugrist <s@sikachu.com>
Date: Mon, 28 Mar 2011 03:05:14 +0800
Subject: Add controller-specific `force_ssl` method to force web browser to
 use HTTPS protocol

This would become useful for site which sometime transferring sensitive information such as account information on particular controller or action.

This featured was requested by DHH.
---
 actionpack/lib/action_controller.rb                |  1 +
 actionpack/lib/action_controller/base.rb           |  1 +
 .../lib/action_controller/metal/force_ssl.rb       | 35 ++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 actionpack/lib/action_controller/metal/force_ssl.rb

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index 5b81cd39f4..62cc18b253 100644
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -14,6 +14,7 @@ module ActionController
     autoload :ConditionalGet
     autoload :Cookies
     autoload :Flash
+    autoload :ForceSSL
     autoload :Head
     autoload :Helpers
     autoload :HideActions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 81c0698fb8..e6523e56d2 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -198,6 +198,7 @@ module ActionController
       Cookies,
       Flash,
       RequestForgeryProtection,
+      ForceSSL,
       Streaming,
       RecordIdentifier,
       HttpAuthentication::Basic::ControllerMethods,
diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb
new file mode 100644
index 0000000000..eb8ed7dfbd
--- /dev/null
+++ b/actionpack/lib/action_controller/metal/force_ssl.rb
@@ -0,0 +1,35 @@
+module ActionController
+  # This module provides a method which will redirects browser to use HTTPS
+  # protocol. This will ensure that user's sensitive information will be
+  # transferred safely over the internet. You _should_ always force browser
+  # to use HTTPS when you're transferring sensitive information such as
+  # user authentication, account information, or credit card information.
+  #
+  # Note that if you really concern about your application safety, you might
+  # consider using +config.force_ssl+ in your configuration config file instead.
+  # That will ensure all the data transferred via HTTPS protocol and prevent
+  # user from getting session hijacked when accessing the site under unsecured
+  # HTTP protocol.
+  module ForceSSL
+    extend ActiveSupport::Concern
+    include AbstractController::Callbacks
+
+    module ClassMethods
+      # Force the request to this particular controller or specified actions to be
+      # under HTTPS protocol.
+      #
+      # Note that this method will not be effective on development environment.
+      #
+      # ==== Options
+      # * <tt>only</tt>   - The callback should be run only for this action
+      # * <tt>except<tt>  - The callback should be run for all actions except this action
+      def force_ssl(options = {})
+        before_filter(options) do
+          if !request.ssl? && !Rails.env.development?
+            redirect_to :protocol => 'https://', :status => :moved_permanently
+          end
+        end
+      end
+    end
+  end
+end
\ No newline at end of file
-- 
cgit v1.2.3