- Remove dead classes / dead code
- Move class definitions to where they are used, don't define in a
  shared space

We should define it only where we need it, not in the global abstract
unit 😬

CSRF verification for non-XHR GET requests (cross-origin `<script>`
tags) didn't check this flag before logging failures.

Setting `config.action_controller.log_warning_on_csrf_failure = false`
now disables logging for these CSRF failures as well.

Closes #25086.
Signed-off-by: NJeremy Daer <jeremydaer@gmail.com>

Ruby 2.4 unifies Fixnum and Bignum into Integer: https://bugs.ruby-lang.org/issues/12005

* Forward compat with new unified Integer class in Ruby 2.4+.
* Backward compat with separate Fixnum/Bignum in Ruby 2.2 & 2.3.
* Drops needless Fixnum distinction in docs, preferring Integer.

Follows the same pattern as controllers and jobs. Exceptions raised in
delivery jobs (enqueued by `#deliver_later`) are also delegated to the
mailer's rescue_from handlers, so you can handle the DeserializationError
raised by delivery jobs:

```ruby
class MyMailer < ApplicationMailer
  rescue_from ActiveJob::DeserializationError do
    …
  end
```

ActiveSupport::Rescuable polish:
* Add the `rescue_with_handler` class method so exceptions may be
  handled at the class level without requiring an instance.
* Rationalize `exception.cause` handling. If no handler matches the
  exception, fall back to the handler that matches its cause.
* Handle exceptions raised elsewhere. Pass `object: …` to execute
  the `rescue_from` handler (e.g. a method call or a block to
  instance_exec) against a different object. Defaults to `self`.

- Earlier we were responding with JSON format for HTML requests in a API
  app.
- Now we will respond with HTML format for such requests in API apps.
- Also earlier we were not testing the API app's JSON requests
  properly. We were actually sending HTML requests. Now we send correct
  JSON requests. Also added more test coverage.
- Based on the discussion from this commit -
  https://github.com/rails/rails/commit/05d89410bf97d0778e78558db3c9fed275f8a614.

[Prathamesh Sonpatki, Jorge Bejar]

In #18721 we removed the discard key from the session hash used to flash
messages and that broke compatibility with Rails 4 applications because they
try to map in the discarded flash messages and it returns nil.

Fixes #24726.

- It was originally added in 83b4e907 and partially
  removed in 05d89410.

It is a common pattern in the Rails community that when people want to
:xa
use any kind of helper that is defined inside app/helpers they includes
the helper module inside the controller like:

    module UserHelper
      def my_user_helper
        # ...
      end
    end

    class UsersController < ApplicationController
      include UserHelper

      def index
        render inline: my_user_helper
      end
    end

This has problem because the helper can't access anything that is
defined in the view level context class.

Also all public methods of the helper become available in the controller
what can lead to undesirable methods being routed and behaving as
actions.

Also if you helper depends on other helpers or even Action View helpers
you need to include each one of these dependencies in your controller
otherwise your helper is not going to work.

We already have a helpers proxy at controller class level but that proxy
doesn't have access to the instance variables defined in the
controller.

With this new instance level helper proxy users can reuse helpers in the
controller without having to include the modules and with access to
instance variables defined in the controller.

    class UsersController < ApplicationController
      def index
        render inline: helpers.my_user_helper
      end
    end

Adding the `each` method is required for ensuring compatibility between
Rails, and other Rack frameworks (like Sinatra, etc.), that are mounted
within Rails, and wish to use its session tooling. Prior to this, there
was an inconsistency between ActionDispatch::Request::Session and
Rack::Session::Cookie, due to the absence of the `each` method. This
should hopefully fix that error. :)

For a full integration test with Sinatra and a standalone Rack
application, you can check out the gist for that here: https://gist.github.com/maclover7/08cd95b0bfe259465314311941326470.

Solves #15843.

Last August (2015), @tenderlove worked to remove all `@env[]` and `@env[]=`, in
favor of using `set_header`, `get_header`, etc. (Here's an [example
commit](https://github.com/rails/rails/commit/f16a33b68efc3dc57cfafa27651b9a765e363fbf)).

This PR should remove the last uses of these methods, and fully convert
them to the newly standardized API.

I always appreciate having a bit more information as to why something is
now an error. We can use this error to tell people why what they were
previously doing is insecure and give them hints on how to fix it.
Signed-off-by: NKasper Timm Hansen <kaspth@gmail.com>

- Followup of https://github.com/rails/rails/issues/18693.
- I think we missed deprecating `request_via_redirect` in that pull
  request.
- Originally requested by DHH here
  https://github.com/rails/rails/issues/18333.

Previously, users were trying to modify a frozen Hash. Includes a
regression test :)

Fixes #22975

When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.

To fix this we use the same information to generate the token and check
it.

Fix #24257

This brings the behavior more inline with other similar cases, such as
receiving a hash when an array of scalars was expected. Prior to this
commit, the key would be present, but the value would be `nil`

- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.

Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.

  - skip calling helper_method if it's not there: if we don't have helpers, we needn't define one.
  - tests that an api controller can include and use ActionController::Cookies

* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
  for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.

  Strong ETags are desirable when you're serving byte-for-byte identical
  responses that support Range requests, like PDFs or videos (typically
  done by reproxying the response from a backend storage service).
  Also desirable when fronted by some CDNs that support strong ETags
  only, like Akamai.

* No longer strips quotes (`"`) from ETag values before comparing them.
  Quotes are significant, part of the ETag. A quoted ETag and an unquoted
  one are not the same entity.

* Support `If-None-Match: *`. Rarely useful for GET requests; meant
  to provide some optimistic concurrency control for PUT requests.

  - Adds #each_chunk to ActionDispatch::Response. it's a method which
    will be called by ActionDispatch::Response#each.
  - Make Response#each a proper method instead of delegating to @stream
  - In Live, instead of overriding #each, override #each_chunk.
  - `#each` should just spit out @str_body if it's already set
  - Adds #test_set_header_after_read_body_during_action
    to prove this fixes #23964
  - Adds #test_each_isnt_called_if_str_body_is_written to
    ensure #each_chunk is not called when @str_body is available
  - Call `@response.sent!` in AC::TestCase's #perform so a test response
    acts a bit more like a real response. Makes test that call  `#assert_stream_closed`
    pass again.
  - Additionally assert `#committed?` in `#assert_stream_closed`
  - Make test that was calling @response.stream.each pass again by
    calling @response.each instead.

There was some subtle breakage caused by #18774, when we removed
`#original_exception` in favor of `#cause`. However, `#cause` is
automatically set by Ruby when raising an exception from a rescue block.
With this change, we will use whichever handler has the highest priority
(whichever call to `rescue_from` came last). In cases where the outer
has lower precidence than the cause, but the outer is what should be
handled, cause will need to be explicitly unset.

Fixes #23925

This method will only be added when used with Ruby 2.3.0 or greater.
This method has the same behavior as `Hash#dig`, except it will convert
hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.

Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.

- Fixes #24030

An example scope might be specified as such:

```ruby
HTML = { constraints: { format: :html } }.freeze
scope HTML do
  get 'x'
end
```

This currently raises an error because the mapper attempts to
destructively modify the passed options hash. This is dangerous because
this options hash might even be shared with other scopes.

We should instead always instantiate a new object instead of modifying
the passed options.

`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.

Renaming to `exclude` matches this intent more closely.

These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.

Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.

This reverts commit 22db455d, reversing
changes made to 40be61df.

This finishes off what I meant to do in 6216a092.

This reverts commit 45a75a3f.

HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.

Fixes #23884

When a `respond_to` collector doesn't have a response, then a
`:no_content` response should be rendered. This brings the default
rendering behavior introduced by
https://github.com/rails/rails/issues/19036 to controller methods
employing `respond_to`

* Fixes typos in error message and release notes.
* Removes unused template test file.

1. Conceptually revert #20276

   The feature was implemented for the `responders` gem. In the end,
   they did not need that feature, and have found a better fix (see
   plataformatec/responders#131).

   `ImplicitRender` is the place where Rails specifies our default
   policies for the case where the user did not explicitly tell us
   what to render, essentially describing a set of heuristics. If
   the gem (or the user) knows exactly what they want, they could
   just perform the correct `render` to avoid falling through to
   here, as `responders` did (the user called `respond_with`).

   Reverting the patch allows us to avoid exploding the complexity
   and defining “the fallback for a fallback” policies.

2. `respond_to` and templates are considered exhaustive enumerations

   If the user specified a list of formats/variants in a `respond_to`
   block, anything that is not explicitly included should result
   in an `UnknownFormat` error (which is then caught upstream to
   mean “406 Not Acceptable” by default). This is already how it
   works before this commit.

   Same goes for templates – if the user defined a set of templates
   (usually in the file system), that set is now considered exhaustive,
   which means that “missing” templates are considered `UnknownFormat`
   errors (406).

3. To keep API endpoints simple, the implicit render behavior for
   actions with no templates defined at all (regardless of formats,
   locales, variants, etc) are defaulted to “204 No Content”. This
   is a strictly narrower version of the feature landed in #19036 and
   #19377.

4. To avoid confusion when interacting in the browser, these actions
   will raise an `UnknownFormat` error for “interactive” requests
   instead. (The precise definition of “interactive” requests might
   change – the spirit here is to give helpful messages and avoid
   confusions.)

Closes #20666, #23062, #23077, #23564

[Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]