From 6776edccf6fb553eb0ac6db55e1d30df1b5b6589 Mon Sep 17 00:00:00 2001 From: Chris Roos Date: Sat, 10 May 2008 14:55:11 +1200 Subject: Escape globbed parameters in routes correctly. :controller => 'glob', :action=> 'show', :additional => ['foo/bar', 'baz'] Should generate /glob/show/foo%2Fbar/baz not /glob/show/foo/bar/baz --- actionpack/lib/action_controller/routing/segments.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/routing/segments.rb b/actionpack/lib/action_controller/routing/segments.rb index 24ea8c7f2d..b142d18b47 100644 --- a/actionpack/lib/action_controller/routing/segments.rb +++ b/actionpack/lib/action_controller/routing/segments.rb @@ -244,11 +244,12 @@ module ActionController end class PathSegment < DynamicSegment #:nodoc: - RESERVED_PCHAR = "#{Segment::RESERVED_PCHAR}/" - UNSAFE_PCHAR = Regexp.new("[^#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}]", false, 'N').freeze - def interpolation_chunk(value_code = "#{local_name}") - "\#{URI.escape(#{value_code}.to_s, ActionController::Routing::PathSegment::UNSAFE_PCHAR)}" + "\#{#{value_code}}" + end + + def extract_value + "#{local_name} = hash[:#{key}] && hash[:#{key}].collect { |path_component| URI.escape(path_component, ActionController::Routing::Segment::UNSAFE_PCHAR) }.to_param #{"|| #{default.inspect}" if default}" end def default -- cgit v1.2.3 From a7ea06b4ebe252e258f83e7de945b4baa30ec3bc Mon Sep 17 00:00:00 2001 From: Jacek Becela Date: Thu, 8 May 2008 13:47:24 +0200 Subject: Make render shorthands work with namespaced controllers Signed-off-by: Pratik Naik --- actionpack/lib/action_controller/record_identifier.rb | 14 ++++++++++---- actionpack/lib/action_view/partials.rb | 4 ++-- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'actionpack/lib') 
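Review bot: In the added `extract_value`, each `path_component` is handed to `URI.escape` as-is, whereas the replaced `interpolation_chunk` called `.to_s` first; a non-String element in the glob array (an Integer id, say) would now raise inside `URI.escape` instead of being escaped, so `URI.escape(path_component.to_s, ActionController::Routing::Segment::UNSAFE_PCHAR)` keeps the old tolerance. The generated code also assumes `hash[:key]` is an Array; if a caller supplies a single String, `collect` falls back to String's Enumerable behaviour on Ruby 1.8, which is presumably not intended and deserves a test. A short comment on `interpolation_chunk` noting that escaping has moved to `extract_value` (so the chunk is deliberately unescaped) would stop the next reader from "fixing" it back. `PathSegment` continues past the hunk with `default`.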
diff --git a/actionpack/lib/action_controller/record_identifier.rb b/actionpack/lib/action_controller/record_identifier.rb index 22dbc8bbc5..643ff7e5f4 100644 --- a/actionpack/lib/action_controller/record_identifier.rb +++ b/actionpack/lib/action_controller/record_identifier.rb @@ -33,11 +33,17 @@ module ActionController # Returns plural/singular for a record or class. Example: # - # partial_path(post) # => "posts/post" - # partial_path(Person) # => "people/person" - def partial_path(record_or_class) + # partial_path(post) # => "posts/post" + # partial_path(Person) # => "people/person" + # partial_path(Person, "admin/games") # => "admin/people/person" + def partial_path(record_or_class, controller_path = nil) klass = class_from_record_or_class(record_or_class) - "#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + + if controller_path && controller_path.include?("/") + "#{File.dirname(controller_path)}/#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + else + "#{klass.name.tableize}/#{klass.name.demodulize.underscore}" + end end # The DOM class convention is to use the singular form of an object or class. Examples: diff --git a/actionpack/lib/action_view/partials.rb b/actionpack/lib/action_view/partials.rb index a708ecb3fb..6b294be6bd 100644 --- a/actionpack/lib/action_view/partials.rb +++ b/actionpack/lib/action_view/partials.rb @@ -119,7 +119,7 @@ module ActionView "" end else - render_partial(ActionController::RecordIdentifier.partial_path(partial_path), partial_path, local_assigns) + render_partial(ActionController::RecordIdentifier.partial_path(partial_path, controller.class.controller_path), partial_path, local_assigns) end end 
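Review bot: `partial_path` now prefixes the record's partial with the controller namespace whenever `controller_path` contains a `/`, with no fallback to the un-namespaced path, so a view in an `admin/` controller that previously resolved `posts/_post` would, if I read the hunk correctly, look only for `admin/posts/_post`; the doc comment should state that expectation, e.g. `# When controller_path is namespaced, the partial is expected under that namespace (no fallback).` The base name `"#{klass.name.tableize}/#{klass.name.demodulize.underscore}"` is built in both branches; compute it once and conditionally prepend `File.dirname(controller_path)`. `File.dirname` is a filesystem helper applied to a controller path — it works because both use `/`, but a brief comment saying so would make the intent clear.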
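Review bot: Both call sites now evaluate `controller.class.controller_path` (here and in the hunk at line 147); if `controller` can be nil in this view context (templates rendered outside a controller), the new calls raise `NoMethodError` where the old single-argument form did not. If that case exists, guard it, e.g. `controller && controller.class.controller_path`, or compute the path once in a small private helper used by both hunks so the namespacing rule lives in one place. The enclosing methods start and end outside the hunks.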
@@ -147,7 +147,7 @@ module ActionView templates = Hash.new i = 0 collection.map do |element| - partial_path = ActionController::RecordIdentifier.partial_path(element) + partial_path = ActionController::RecordIdentifier.partial_path(element, controller.class.controller_path) template = templates[partial_path] ||= ActionView::PartialTemplate.new(self, partial_path, nil, local_assigns) template.counter = i i += 1 -- cgit v1.2.3 From 74eed6290e63111d1aad2b181692a84f4f040aea Mon Sep 17 00:00:00 2001 From: Andreas Neuhaus Date: Sat, 10 May 2008 17:54:09 +0200 Subject: Fixed flash.now not being accessible in tests. Flash sweeping is now done before action processing instead after Signed-off-by: Michael Koziarski [#10 state:resolved] --- actionpack/lib/action_controller/flash.rb | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/flash.rb b/actionpack/lib/action_controller/flash.rb index 692168f230..0148fb5c04 100644 --- a/actionpack/lib/action_controller/flash.rb +++ b/actionpack/lib/action_controller/flash.rb @@ -28,7 +28,6 @@ module ActionController #:nodoc: base.class_eval do include InstanceMethods alias_method_chain :assign_shortcuts, :flash - alias_method_chain :process_cleanup, :flash alias_method_chain :reset_session, :flash end end @@ -166,11 +165,7 @@ module ActionController #:nodoc: def assign_shortcuts_with_flash(request, response) #:nodoc: assign_shortcuts_without_flash(request, response) flash(:refresh) - end - - def process_cleanup_with_flash - flash.sweep if @_session - process_cleanup_without_flash + flash.sweep if @_session && !component_request? end end end -- cgit v1.2.3 From c43623c48b977d05413d86867651bfc3762b745a Mon Sep 17 00:00:00 2001 
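Review bot: The sweep is folded into `assign_shortcuts_with_flash` with no comment on why it now runs before the action instead of in the removed `process_cleanup_with_flash`; the `flash.now`-in-tests motivation is only in the commit message. Suggest a comment above the added line such as `# Sweep before the action so values set via flash.now stay readable after processing (e.g. in tests).` The `!component_request?` condition is new relative to the removed cleanup code, which swept whenever `@_session` was set; if skipping the sweep for component requests is deliberate (they presumably share the parent request's flash), say so in the same comment. The enclosing module continues outside the hunk.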
From: David Heinemeier Hansson Date: Sun, 11 May 2008 13:18:49 -0500 Subject: Added session(:on) to turn session management back on in a controller subclass if the superclass turned it off (Peter Jones) [#136 state:resolved] --- actionpack/lib/action_controller/session_management.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb index 8680104420..80a3ddd2c5 100644 --- a/actionpack/lib/action_controller/session_management.rb +++ b/actionpack/lib/action_controller/session_management.rb @@ -69,11 +69,16 @@ module ActionController #:nodoc: # session :off, # :if => Proc.new { |req| !(req.format.html? || req.format.js?) } # + # # turn the session back on, useful when it was turned off in the + # # application controller, and you need it on in another controller + # session :on + # # All session options described for ActionController::Base.process_cgi # are valid arguments. def session(*args) options = args.extract_options! + options[:disabled] = false if args.delete(:on) options[:disabled] = true if !args.empty? options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only] options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except] -- cgit v1.2.3 From 2a986200b9a6be0f68a0db504dc478da04842dee Mon Sep 17 00:00:00 2001 
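Review bot: `options[:disabled] = false if args.delete(:on)` records `session :on` as a further options entry rather than removing a superclass's `:off` entry, and whether a later `:disabled => false` wins over an earlier `:disabled => true` depends on how these hashes are consulted at request time, which is outside this hunk; a test with `session :off` in a parent class and `session :on` in a subclass (with and without `:only`/`:if`) would pin the intended precedence. A contradictory `session :on, :off` silently ends up disabled, because `:on` is deleted first and the remaining argument sets `disabled` back to true on the next line; either document that ordering in the comment block or raise `ArgumentError` for the mixed form.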
From: Peter Jones Date: Wed, 7 May 2008 16:04:18 -0600 Subject: Bug: Earlier Check for Session in Forgery Protection The session is used by the form_authenticity_token method before it is tested to be valid. This patch moves a few lines around so that the session is validated first. Without this patch, if you try to use forgery protection with sessions turned off, you get this exception message: undefined method `session_id' for {}:Hash The patch includes a test that can be used to see this behavior before the request_forgery_protection.rb file is patched to fix it. --- actionpack/lib/action_controller/request_forgery_protection.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 5daf14eb30..139e91ecf9 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb 
@@ -105,12 +105,12 @@ module ActionController #:nodoc: # Sets the token value for the current session. Pass a :secret option # in +protect_from_forgery+ to add a custom salt to the hash. def form_authenticity_token - @form_authenticity_token ||= if request_forgery_protection_options[:secret] + @form_authenticity_token ||= if !session.respond_to?(:session_id) + raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." + elsif request_forgery_protection_options[:secret] authenticity_token_from_session_id elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) authenticity_token_from_cookie_session - elsif session.nil? - raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." else raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)." end -- cgit v1.2.3 From 9a137506a1267ec5938fcec4d2ff135f15037459 Mon Sep 17 00:00:00 2001 From: Michael Schuerig Date: Mon, 12 May 2008 00:12:22 +0200 Subject: Added not to sanitize helper docs that it doesn't guarantee well-formed markup. Signed-off-by: Michael Koziarski [#166 state:resolved] --- actionpack/lib/action_view/helpers/sanitize_helper.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb index 3129ff414e..6c0a7ec25c 100644 --- a/actionpack/lib/action_view/helpers/sanitize_helper.rb +++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb 
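Review bot: The session-validity check is now the first branch of the memoised `||= if` chain, which turns `form_authenticity_token` into a raise-or-compute expression that reads awkwardly; a guard clause before the assignment is clearer: `raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." unless session.respond_to?(:session_id)` followed by the chain starting at `if request_forgery_protection_options[:secret]`. The removed `elsif session.nil?` branch is subsumed, since `nil.respond_to?(:session_id)` is false and a plain Hash (the sessions-off case from the commit message) fails the same test; a one-line comment stating that `respond_to?(:session_id)` is the duck-type check for a real session store would preserve that reasoning for the next reader. The enclosing module continues outside the hunk.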
@@ -48,6 +48,11 @@ module ActionView # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' # end # + # Please note that sanitizing user-provided text does not guarantee that the + # resulting markup is valid (conforming to a document type) or even well-formed. + # The output may still contain e.g. unescaped '<', '>', '&' characters and + # confuse browsers. + # def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options) end -- cgit v1.2.3