kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Merge Session stuff into RackConvenience

Browse source
This commit is contained in:
Joshua Peek 2009-12-20 20:00:04 -06:00
parent b4ecb55551
commit 0f8a5c7954
7 changed files with 56 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
actionpack/lib/action_controller.rb
View file

@ -29,7 +29,6 @@ module ActionController
autoload :RenderOptions
autoload :Rescue
autoload :Responder
autoload :Session
autoload :SessionManagement
autoload :UrlFor
autoload :Verification

1
actionpack/lib/action_controller/base.rb
View file

@ -26,7 +26,6 @@ module ActionController
include ActionController::Compatibility
include ActionController::Cookies
include ActionController::Session
include ActionController::Flash
include ActionController::Verification
include ActionController::RequestForgeryProtection

10
actionpack/lib/action_controller/metal/flash.rb
View file

@ -28,8 +28,6 @@ module ActionController #:nodoc:
module Flash
extend ActiveSupport::Concern
include Session
included do
helper_method :alert, :notice
end
@ -155,7 +153,7 @@ module ActionController #:nodoc:
def alert
flash[:alert]
end
# Convenience accessor for flash[:alert]=
def alert=(message)
flash[:alert] = message
@ -165,7 +163,7 @@ module ActionController #:nodoc:
def notice
flash[:notice]
end
# Convenience accessor for flash[:notice]=
def notice=(message)
flash[:notice] = message
@ -193,11 +191,11 @@ module ActionController #:nodoc:
if notice = response_status_and_flash.delete(:notice)
flash[:notice] = notice
end
if other_flashes = response_status_and_flash.delete(:flash)
flash.update(other_flashes)
end
super(options, response_status_and_flash)
end
end

1
actionpack/lib/action_controller/metal/rack_convenience.rb
View file

@ -3,6 +3,7 @@ module ActionController
extend ActiveSupport::Concern
included do
delegate :session, :reset_session, :to => "@_request"
delegate :headers, :status=, :location=, :content_type=,
:status, :location, :content_type, :to => "@_response"
attr_internal :request

32
actionpack/lib/action_controller/metal/request_forgery_protection.rb
View file

@ -5,7 +5,7 @@ module ActionController #:nodoc:
module RequestForgeryProtection
extend ActiveSupport::Concern
include AbstractController::Helpers, Session
include AbstractController::Helpers
included do
# Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
@ -19,31 +19,31 @@ module ActionController #:nodoc:
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
end
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
# web application, not a forged link from another site, is done by embedding a token based on a random
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
# web application, not a forged link from another site, is done by embedding a token based on a random
# string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
# requests are checked, so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these should be
# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
# requests are checked, so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these should be
# idempotent anyway.
#
# This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
# error message in production by editing public/422.html. A call to this method in ApplicationController is
# generated by default in post-Rails 2.0 applications.
#
# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
# include a hidden field named like that and set its value to what is returned by
# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
# include a hidden field named like that and set its value to what is returned by
# <tt>form_authenticity_token</tt>.
#
# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
# 1.x, add this to config/environments/test.rb:
#
# # Disable request forgery protection in test environment
# config.action_controller.allow_forgery_protection = false
#
#
# == Learn more about CSRF (Cross-Site Request Forgery) attacks
#
# Here are some resources:
@ -52,11 +52,11 @@ module ActionController #:nodoc:
#
# Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
# There are a few guidelines you should follow:
#
#
# * Keep your GET requests safe and idempotent. More reading material:
# * http://www.xml.com/pub/a/2002/04/24/deviant.html
# * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
# for "Expires: at end of session"
#
module ClassMethods
@ -92,7 +92,7 @@ module ActionController #:nodoc:
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
def verified_request?
!protect_against_forgery? || request.forgery_whitelisted? ||
!protect_against_forgery? || request.forgery_whitelisted? ||
form_authenticity_token == params[request_forgery_protection_token]
end

15
actionpack/lib/action_controller/metal/session.rb
View file

@ -1,15 +0,0 @@
module ActionController
module Session
extend ActiveSupport::Concern
include RackConvenience
def session
@_request.session
end
def reset_session
@_request.reset_session
end
end
end

70
actionpack/lib/action_controller/metal/verification.rb
View file

@ -2,7 +2,7 @@ module ActionController #:nodoc:
module Verification #:nodoc:
extend ActiveSupport::Concern
include AbstractController::Callbacks, Session, Flash, Rendering
include AbstractController::Callbacks, Flash, Rendering
# This module provides a class-level method for specifying that certain
# actions are guarded against being called without certain prerequisites
@ -35,7 +35,7 @@ module ActionController #:nodoc:
# :add_flash => { "alert" => "Failed to create your message" },
# :redirect_to => :category_url
#
# Note that these prerequisites are not business rules. They do not examine
# Note that these prerequisites are not business rules. They do not examine
# the content of the session or the parameters. That level of validation should
# be encapsulated by your domain model or helper methods in the controller.
module ClassMethods
@ -43,40 +43,40 @@ module ActionController #:nodoc:
# the user is redirected to a different action. The +options+ parameter
# is a hash consisting of the following key/value pairs:
#
# <tt>:params</tt>::
# a single key or an array of keys that must be in the <tt>params</tt>
# <tt>:params</tt>::
# a single key or an array of keys that must be in the <tt>params</tt>
# hash in order for the action(s) to be safely called.
# <tt>:session</tt>::
# a single key or an array of keys that must be in the <tt>session</tt>
# <tt>:session</tt>::
# a single key or an array of keys that must be in the <tt>session</tt>
# in order for the action(s) to be safely called.
# <tt>:flash</tt>::
# a single key or an array of keys that must be in the flash in order
# <tt>:flash</tt>::
# a single key or an array of keys that must be in the flash in order
# for the action(s) to be safely called.
# <tt>:method</tt>::
# a single key or an array of keys--any one of which must match the
# current request method in order for the action(s) to be safely called.
# (The key should be a symbol: <tt>:get</tt> or <tt>:post</tt>, for
# <tt>:method</tt>::
# a single key or an array of keys--any one of which must match the
# current request method in order for the action(s) to be safely called.
# (The key should be a symbol: <tt>:get</tt> or <tt>:post</tt>, for
# example.)
# <tt>:xhr</tt>::
# true/false option to ensure that the request is coming from an Ajax
# call or not.
# <tt>:add_flash</tt>::
# a hash of name/value pairs that should be merged into the session's
# <tt>:xhr</tt>::
# true/false option to ensure that the request is coming from an Ajax
# call or not.
# <tt>:add_flash</tt>::
# a hash of name/value pairs that should be merged into the session's
# flash if the prerequisites cannot be satisfied.
# <tt>:add_headers</tt>::
# a hash of name/value pairs that should be merged into the response's
# <tt>:add_headers</tt>::
# a hash of name/value pairs that should be merged into the response's
# headers hash if the prerequisites cannot be satisfied.
# <tt>:redirect_to</tt>::
# the redirection parameters to be used when redirecting if the
# prerequisites cannot be satisfied. You can redirect either to named
# <tt>:redirect_to</tt>::
# the redirection parameters to be used when redirecting if the
# prerequisites cannot be satisfied. You can redirect either to named
# route or to the action in some controller.
# <tt>:render</tt>::
# <tt>:render</tt>::
# the render parameters to be used when the prerequisites cannot be satisfied.
# <tt>:only</tt>::
# only apply this verification to the actions specified in the associated
# <tt>:only</tt>::
# only apply this verification to the actions specified in the associated
# array (may also be a single value).
# <tt>:except</tt>::
# do not apply this verification to the actions specified in the associated
# <tt>:except</tt>::
# do not apply this verification to the actions specified in the associated
# array (may also be a single value).
def verify(options={})
before_filter :only => options[:only], :except => options[:except] do
@ -94,31 +94,31 @@ module ActionController #:nodoc:
apply_remaining_actions(options) unless performed?
end
end
def prereqs_invalid?(options) # :nodoc:
verify_presence_of_keys_in_hash_flash_or_params(options) ||
verify_method(options) ||
verify_presence_of_keys_in_hash_flash_or_params(options) ||
verify_method(options) ||
verify_request_xhr_status(options)
end
def verify_presence_of_keys_in_hash_flash_or_params(options) # :nodoc:
[*options[:params] ].find { |v| v && params[v.to_sym].nil? } ||
[*options[:session]].find { |v| session[v].nil? } ||
[*options[:flash] ].find { |v| flash[v].nil? }
end
def verify_method(options) # :nodoc:
[*options[:method]].all? { |v| request.method != v.to_sym } if options[:method]
end
def verify_request_xhr_status(options) # :nodoc:
request.xhr? != options[:xhr] unless options[:xhr].nil?
end
def apply_redirect_to(redirect_to_option) # :nodoc:
(redirect_to_option.is_a?(Symbol) && redirect_to_option != :back) ? self.__send__(redirect_to_option) : redirect_to_option
end
def apply_remaining_actions(options) # :nodoc:
case
when options[:render] ; render(options[:render])