提交
91ce8d8b
编写于
12月 20, 2009
作者:
David Heinemeier Hansson
Merge branch 'master' of github.com:rails/rails
上级
cf9d6a95
29c8a430
变更
13
Showing
13 changed file
with
67 addition
and
84 deletion
+67
-84
actionpack/lib/action_controller.rb
actionpack/lib/action_controller.rb
+1
-2
actionpack/lib/action_controller/base.rb
actionpack/lib/action_controller/base.rb
+1
-2
actionpack/lib/action_controller/metal.rb
actionpack/lib/action_controller/metal.rb
+3
-3
actionpack/lib/action_controller/metal/conditional_get.rb
actionpack/lib/action_controller/metal/conditional_get.rb
+1
-1
actionpack/lib/action_controller/metal/cookies.rb
actionpack/lib/action_controller/metal/cookies.rb
+1
-1
actionpack/lib/action_controller/metal/flash.rb
actionpack/lib/action_controller/metal/flash.rb
+4
-6
actionpack/lib/action_controller/metal/rack_delegation.rb
actionpack/lib/action_controller/metal/rack_delegation.rb
+2
-1
actionpack/lib/action_controller/metal/request_forgery_protection.rb
...lib/action_controller/metal/request_forgery_protection.rb
+16
-16
actionpack/lib/action_controller/metal/session.rb
actionpack/lib/action_controller/metal/session.rb
+0
-15
actionpack/lib/action_controller/metal/testing.rb
actionpack/lib/action_controller/metal/testing.rb
+1
-1
actionpack/lib/action_controller/metal/url_for.rb
actionpack/lib/action_controller/metal/url_for.rb
+1
-1
actionpack/lib/action_controller/metal/verification.rb
actionpack/lib/action_controller/metal/verification.rb
+35
-35
activesupport/lib/active_support/core_ext/time/calculations.rb
...esupport/lib/active_support/core_ext/time/calculations.rb
+1
-0
actionpack/lib/action_controller.rb
...
...
@@ -22,14 +22,13 @@ module ActionController
autoload
:HideActions
autoload
:Layouts
autoload
:MimeResponds
autoload
:Rack
Convenience
autoload
:Rack
Delegation
autoload
:Compatibility
autoload
:Redirecting
autoload
:Rendering
autoload
:Renderers
autoload
:Rescue
autoload
:Responder
autoload
:Session
autoload
:SessionManagement
autoload
:UrlFor
autoload
:Verification
...
...
actionpack/lib/action_controller/base.rb
...
...
@@ -13,7 +13,7 @@ class Base < Metal
include
ActionController
::
Renderers
::
All
include
ActionController
::
Layouts
include
ActionController
::
ConditionalGet
include
ActionController
::
Rack
Convenience
include
ActionController
::
Rack
Delegation
include
ActionController
::
Benchmarking
include
ActionController
::
Configuration
...
...
@@ -26,7 +26,6 @@ class Base < Metal
include
ActionController
::
Compatibility
include
ActionController
::
Cookies
include
ActionController
::
Session
include
ActionController
::
Flash
include
ActionController
::
Verification
include
ActionController
::
RequestForgeryProtection
...
...
actionpack/lib/action_controller/metal.rb
...
...
@@ -45,7 +45,7 @@ def controller_path
# The details below can be overridden to support a specific
# Request and Response object. The default ActionController::Base
# implementation includes Rack
Convenience
, which makes a request
# implementation includes Rack
Delegation
, which makes a request
# and response object available. You might wish to control the
# environment and response manually for performance reasons.
...
...
@@ -57,8 +57,8 @@ def initialize(*)
end
# Basic implementations for content_type=, location=, and headers are
# provided to reduce the dependency on the Rack
Convenience
module
# in Render
ing and Redirecting
.
# provided to reduce the dependency on the Rack
Delegation
module
# in Render
er and Redirector
.
def
content_type
=
(
type
)
headers
[
"Content-Type"
]
=
type
.
to_s
...
...
actionpack/lib/action_controller/metal/conditional_get.rb
...
...
@@ -2,7 +2,7 @@ module ActionController
module
ConditionalGet
extend
ActiveSupport
::
Concern
include
Rack
Convenience
include
Rack
Delegation
include
Head
# Sets the etag, last_modified, or both on the response and renders a
...
...
actionpack/lib/action_controller/metal/cookies.rb
...
...
@@ -46,7 +46,7 @@ module ActionController #:nodoc:
module
Cookies
extend
ActiveSupport
::
Concern
include
Rack
Convenience
include
Rack
Delegation
included
do
helper_method
:cookies
...
...
actionpack/lib/action_controller/metal/flash.rb
...
...
@@ -28,8 +28,6 @@ module ActionController #:nodoc:
module
Flash
extend
ActiveSupport
::
Concern
include
Session
included
do
helper_method
:alert
,
:notice
end
...
...
@@ -155,7 +153,7 @@ def flash #:doc:
def
alert
flash
[
:alert
]
end
# Convenience accessor for flash[:alert]=
def
alert
=
(
message
)
flash
[
:alert
]
=
message
...
...
@@ -165,7 +163,7 @@ def alert=(message)
def
notice
flash
[
:notice
]
end
# Convenience accessor for flash[:notice]=
def
notice
=
(
message
)
flash
[
:notice
]
=
message
...
...
@@ -193,11 +191,11 @@ def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
if
notice
=
response_status_and_flash
.
delete
(
:notice
)
flash
[
:notice
]
=
notice
end
if
other_flashes
=
response_status_and_flash
.
delete
(
:flash
)
flash
.
update
(
other_flashes
)
end
super
(
options
,
response_status_and_flash
)
end
end
...
...
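Review bot: Dropping `include Session` in the `@@ -28,8 +28,6` hunk leaves Flash with no declared provider of `session`, which `flash` (header `def flash #:doc:` visible here, body outside this section) presumably reads; the deleted session.rb in this same commit shows that `Session` also pulled in `RackConvenience`, so `request` used to arrive through the same include. After this change both accessors come only from the host class including `RackDelegation`, as `Base` does, and a controller that mixes `Flash` in on its own would presumably fail at call time rather than at load time. The same implicit dependency is introduced by the `include` hunks in request_forgery_protection.rb (`@@ -5,7 +5,7`) and verification.rb (`@@ -2,7 +2,7`). A one-line comment above `extend ActiveSupport::Concern` would make the contract explicit: `# Relies on the including class to provide #session and #request (see RackDelegation).` The remaining hunks in this section only reflow whitespace.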
actionpack/lib/action_controller/metal/rack_
convenience
.rb
→
actionpack/lib/action_controller/metal/rack_
delegation
.rb
module
ActionController
module
Rack
Convenience
module
Rack
Delegation
extend
ActiveSupport
::
Concern
included
do
delegate
:session
,
:reset_session
,
:to
=>
"@_request"
delegate
:headers
,
:status
=
,
:location
=
,
:content_type
=
,
:status
,
:location
,
:content_type
,
:to
=>
"@_response"
attr_internal
:request
...
...
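Review bot: The `delegate :session, :reset_session, :to => "@_request"` line added to the renamed `RackDelegation` module takes over the accessors the deleted `ActionController::Session` module used to define, but nothing in the module records that, and the concern is now the place where request-backed session state is exposed to every controller that includes it. A short comment on that line would help the next reader: `# session/reset_session previously lived in ActionController::Session; they are delegated here so RackDelegation is the single provider of request-backed state.` The `included` block continues past the end of this section.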
actionpack/lib/action_controller/metal/request_forgery_protection.rb
...
...
@@ -5,7 +5,7 @@ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
module
RequestForgeryProtection
extend
ActiveSupport
::
Concern
include
AbstractController
::
Helpers
,
Session
include
AbstractController
::
Helpers
included
do
# Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
...
...
@@ -19,31 +19,31 @@ module RequestForgeryProtection
helper_method
:form_authenticity_token
helper_method
:protect_against_forgery?
end
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
# web application, not a forged link from another site, is done by embedding a token based on a random
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
# web application, not a forged link from another site, is done by embedding a token based on a random
# string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
# requests are checked, so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these should be
# by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript
# requests are checked, so this will not protect your XML API (presumably you'll have a different
# authentication scheme there anyway). Also, GET requests are not protected as these should be
# idempotent anyway.
#
# This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
# ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
# error message in production by editing public/422.html. A call to this method in ApplicationController is
# generated by default in post-Rails 2.0 applications.
#
# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
# include a hidden field named like that and set its value to what is returned by
# The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
# manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
# include a hidden field named like that and set its value to what is returned by
# <tt>form_authenticity_token</tt>.
#
# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
# Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
# 1.x, add this to config/environments/test.rb:
#
# # Disable request forgery protection in test environment
# config.action_controller.allow_forgery_protection = false
#
#
# == Learn more about CSRF (Cross-Site Request Forgery) attacks
#
# Here are some resources:
...
...
@@ -52,11 +52,11 @@ module RequestForgeryProtection
#
# Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
# There are a few guidelines you should follow:
#
#
# * Keep your GET requests safe and idempotent. More reading material:
# * http://www.xml.com/pub/a/2002/04/24/deviant.html
# * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
# * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look
# for "Expires: at end of session"
#
module
ClassMethods
...
...
@@ -92,7 +92,7 @@ def verify_authenticity_token
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
def
verified_request?
!
protect_against_forgery?
||
request
.
forgery_whitelisted?
||
!
protect_against_forgery?
||
request
.
forgery_whitelisted?
||
form_authenticity_token
==
params
[
request_forgery_protection_token
]
end
...
...
actionpack/lib/action_controller/metal/session.rb
已删除
100644 → 0
module
ActionController
module
Session
extend
ActiveSupport
::
Concern
include
RackConvenience
def
session
@_request
.
session
end
def
reset_session
@_request
.
reset_session
end
end
end
actionpack/lib/action_controller/metal/testing.rb
...
...
@@ -2,7 +2,7 @@ module ActionController
module
Testing
extend
ActiveSupport
::
Concern
include
Rack
Convenience
include
Rack
Delegation
# OMG MEGA HAX
def
process_with_new_base_test
(
request
,
response
)
...
...
actionpack/lib/action_controller/metal/url_for.rb
...
...
@@ -2,7 +2,7 @@ module ActionController
module
UrlFor
extend
ActiveSupport
::
Concern
include
Rack
Convenience
include
Rack
Delegation
# Overwrite to implement a number of default options that all url_for-based methods will use. The default options should come in
# the form of a hash, just like the one you would use for url_for directly. Example:
...
...
actionpack/lib/action_controller/metal/verification.rb
...
...
@@ -2,7 +2,7 @@ module ActionController #:nodoc:
module
Verification
#:nodoc:
extend
ActiveSupport
::
Concern
include
AbstractController
::
Callbacks
,
Session
,
Flash
,
Rendering
include
AbstractController
::
Callbacks
,
Flash
,
Rendering
# This module provides a class-level method for specifying that certain
# actions are guarded against being called without certain prerequisites
...
...
@@ -35,7 +35,7 @@ module Verification #:nodoc:
# :add_flash => { "alert" => "Failed to create your message" },
# :redirect_to => :category_url
#
# Note that these prerequisites are not business rules. They do not examine
# Note that these prerequisites are not business rules. They do not examine
# the content of the session or the parameters. That level of validation should
# be encapsulated by your domain model or helper methods in the controller.
module
ClassMethods
...
...
@@ -43,40 +43,40 @@ module ClassMethods
# the user is redirected to a different action. The +options+ parameter
# is a hash consisting of the following key/value pairs:
#
# <tt>:params</tt>::
# a single key or an array of keys that must be in the <tt>params</tt>
# <tt>:params</tt>::
# a single key or an array of keys that must be in the <tt>params</tt>
# hash in order for the action(s) to be safely called.
# <tt>:session</tt>::
# a single key or an array of keys that must be in the <tt>session</tt>
# <tt>:session</tt>::
# a single key or an array of keys that must be in the <tt>session</tt>
# in order for the action(s) to be safely called.
# <tt>:flash</tt>::
# a single key or an array of keys that must be in the flash in order
# <tt>:flash</tt>::
# a single key or an array of keys that must be in the flash in order
# for the action(s) to be safely called.
# <tt>:method</tt>::
# a single key or an array of keys--any one of which must match the
# current request method in order for the action(s) to be safely called.
# (The key should be a symbol: <tt>:get</tt> or <tt>:post</tt>, for
# <tt>:method</tt>::
# a single key or an array of keys--any one of which must match the
# current request method in order for the action(s) to be safely called.
# (The key should be a symbol: <tt>:get</tt> or <tt>:post</tt>, for
# example.)
# <tt>:xhr</tt>::
# true/false option to ensure that the request is coming from an Ajax
# call or not.
# <tt>:add_flash</tt>::
# a hash of name/value pairs that should be merged into the session's
# <tt>:xhr</tt>::
# true/false option to ensure that the request is coming from an Ajax
# call or not.
# <tt>:add_flash</tt>::
# a hash of name/value pairs that should be merged into the session's
# flash if the prerequisites cannot be satisfied.
# <tt>:add_headers</tt>::
# a hash of name/value pairs that should be merged into the response's
# <tt>:add_headers</tt>::
# a hash of name/value pairs that should be merged into the response's
# headers hash if the prerequisites cannot be satisfied.
# <tt>:redirect_to</tt>::
# the redirection parameters to be used when redirecting if the
# prerequisites cannot be satisfied. You can redirect either to named
# <tt>:redirect_to</tt>::
# the redirection parameters to be used when redirecting if the
# prerequisites cannot be satisfied. You can redirect either to named
# route or to the action in some controller.
# <tt>:render</tt>::
# <tt>:render</tt>::
# the render parameters to be used when the prerequisites cannot be satisfied.
# <tt>:only</tt>::
# only apply this verification to the actions specified in the associated
# <tt>:only</tt>::
# only apply this verification to the actions specified in the associated
# array (may also be a single value).
# <tt>:except</tt>::
# do not apply this verification to the actions specified in the associated
# <tt>:except</tt>::
# do not apply this verification to the actions specified in the associated
# array (may also be a single value).
def
verify
(
options
=
{})
before_filter
:only
=>
options
[
:only
],
:except
=>
options
[
:except
]
do
...
...
@@ -94,31 +94,31 @@ def verify_action(options) #:nodoc:
apply_remaining_actions
(
options
)
unless
performed?
end
end
def
prereqs_invalid?
(
options
)
# :nodoc:
verify_presence_of_keys_in_hash_flash_or_params
(
options
)
||
verify_method
(
options
)
||
verify_presence_of_keys_in_hash_flash_or_params
(
options
)
||
verify_method
(
options
)
||
verify_request_xhr_status
(
options
)
end
def
verify_presence_of_keys_in_hash_flash_or_params
(
options
)
# :nodoc:
[
*
options
[
:params
]
].
find
{
|
v
|
v
&&
params
[
v
.
to_sym
].
nil?
}
||
[
*
options
[
:session
]].
find
{
|
v
|
session
[
v
].
nil?
}
||
[
*
options
[
:flash
]
].
find
{
|
v
|
flash
[
v
].
nil?
}
end
def
verify_method
(
options
)
# :nodoc:
[
*
options
[
:method
]].
all?
{
|
v
|
request
.
method
!=
v
.
to_sym
}
if
options
[
:method
]
end
def
verify_request_xhr_status
(
options
)
# :nodoc:
request
.
xhr?
!=
options
[
:xhr
]
unless
options
[
:xhr
].
nil?
end
def
apply_redirect_to
(
redirect_to_option
)
# :nodoc:
(
redirect_to_option
.
is_a?
(
Symbol
)
&&
redirect_to_option
!=
:back
)
?
self
.
__send__
(
redirect_to_option
)
:
redirect_to_option
end
def
apply_remaining_actions
(
options
)
# :nodoc:
case
when
options
[
:render
]
;
render
(
options
[
:render
])
...
...
activesupport/lib/active_support/core_ext/time/calculations.rb
require
'active_support/duration'
require
'active_support/core_ext/date/acts_like'
require
'active_support/core_ext/date/calculations'
class
Time
...
...