Privatize unneededly protected methods in Action Pack

Author: amatsuda

actionpack/lib/abstract_controller/caching.rb

@@ -52,9 +52,9 @@ def view_cache_dependencies
       self.class._view_cache_dependencies.map { |dep| instance_exec(&dep) }.compact
     end
 
-    protected
+    private
       # Convenience accessor.
-      def cache(key, options = {}, &block)
+      def cache(key, options = {}, &block) # :doc:
         if cache_configured?
           cache_store.fetch(ActiveSupport::Cache.expand_cache_key(key, :controller), options, &block)
         else

actionpack/lib/abstract_controller/collector.rb

@@ -19,7 +19,7 @@ def #{sym}(*args, &block)
       generate_method_for_mime(mime) unless instance_methods.include?(mime.to_sym)
     end
 
-  protected
+  private
 
     def method_missing(symbol, &block)
       unless mime_constant = Mime[symbol]

actionpack/lib/action_controller/metal/data_streaming.rb

@@ -11,7 +11,7 @@ module DataStreaming
     DEFAULT_SEND_FILE_TYPE        = "application/octet-stream".freeze #:nodoc:
     DEFAULT_SEND_FILE_DISPOSITION = "attachment".freeze #:nodoc:
 
-    protected
+    private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
       # via the Rack::Sendfile middleware. The header to use is set via
       # +config.action_dispatch.x_sendfile_header+.
@@ -108,7 +108,6 @@ def send_data(data, options = {}) #:doc:
         render options.slice(:status, :content_type).merge(body: data)
       end
 
-    private
       def send_file_headers!(options)
         type_provided = options.has_key?(:type)
 

actionpack/lib/action_controller/metal/flash.rb

@@ -42,7 +42,7 @@ def add_flash_types(*types)
       end
     end
 
-    protected
+    private
       def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
         self.class._flash_types.each do |flash_type|
           if type = response_status_and_flash.delete(flash_type)

actionpack/lib/action_controller/metal/http_authentication.rb

@@ -28,7 +28,7 @@ module HttpAuthentication
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
     #
-    #     protected
+    #     private
     #       def set_account
     #         @account = Account.find_by(url_name: request.subdomains.first)
     #       end
@@ -363,7 +363,7 @@ def opaque(secret_key)
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
     #
-    #     protected
+    #     private
     #       def set_account
     #         @account = Account.find_by(url_name: request.subdomains.first)
     #       end

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -152,7 +152,7 @@ def handle_unverified_request
           request.cookie_jar = NullCookieJar.build(request, {})
         end
 
-        protected
+        private
 
           class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
             def initialize(req)
@@ -197,7 +197,7 @@ def handle_unverified_request
       end
     end
 
-    protected
+    private
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
       # strategy instead. If you override, you'll disable same-origin
@@ -208,7 +208,7 @@ def handle_unverified_request
       # enabled on an action, this before_action flags its after_action to
       # verify that JavaScript responses are for XHR requests, ensuring they
       # follow the browser's same-origin policy.
-      def verify_authenticity_token
+      def verify_authenticity_token # :doc:
         mark_for_same_origin_verification!
 
         if !verified_request?
@@ -219,7 +219,7 @@ def verify_authenticity_token
         end
       end
 
-      def handle_unverified_request
+      def handle_unverified_request # :doc:
         forgery_protection_strategy.new(self).handle_unverified_request
       end
 
@@ -233,7 +233,7 @@ def handle_unverified_request
       # If `verify_authenticity_token` was run (indicating that we have
       # forgery protection enabled for this request) then also verify that
       # we aren't serving an unauthorized cross-origin response.
-      def verify_same_origin_request
+      def verify_same_origin_request # :doc:
         if marked_for_same_origin_verification? && non_xhr_javascript_response?
           if logger && log_warning_on_csrf_failure
             logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING
@@ -243,18 +243,18 @@ def verify_same_origin_request
       end
 
       # GET requests are checked for cross-origin JavaScript after rendering.
-      def mark_for_same_origin_verification!
+      def mark_for_same_origin_verification! # :doc:
         @marked_for_same_origin_verification = request.get?
       end
 
       # If the `verify_authenticity_token` before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
-      def marked_for_same_origin_verification?
+      def marked_for_same_origin_verification? # :doc:
         @marked_for_same_origin_verification ||= false
       end
 
       # Check for cross-origin JavaScript responses.
-      def non_xhr_javascript_response?
+      def non_xhr_javascript_response? # :doc:
         content_type =~ %r(\Atext/javascript) && !request.xhr?
       end
 
@@ -265,20 +265,20 @@ def non_xhr_javascript_response?
       # * Is it a GET or HEAD request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       # * Does the X-CSRF-Token header match the form_authenticity_token
-      def verified_request?
+      def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)
       end
 
       # Checks if any of the authenticity tokens from the request are valid.
-      def any_authenticity_token_valid?
+      def any_authenticity_token_valid? # :doc:
         request_authenticity_tokens.any? do |token|
           valid_authenticity_token?(session, token)
         end
       end
 
       # Possible authenticity tokens sent in the request.
-      def request_authenticity_tokens
+      def request_authenticity_tokens # :doc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
@@ -290,7 +290,7 @@ def form_authenticity_token(form_options: {})
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {})
+      def masked_authenticity_token(session, form_options: {}) # :doc:
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
@@ -309,7 +309,7 @@ def masked_authenticity_token(session, form_options: {})
       # Checks the client's masked token to see if it matches the
       # session token. Essentially the inverse of
       # +masked_authenticity_token+.
-      def valid_authenticity_token?(session, encoded_masked_token)
+      def valid_authenticity_token?(session, encoded_masked_token) # :doc:
         if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
           return false
         end
@@ -340,19 +340,19 @@ def valid_authenticity_token?(session, encoded_masked_token)
         end
       end
 
-      def unmask_token(masked_token)
+      def unmask_token(masked_token) # :doc:
         # Split the token into the one-time pad and the encrypted
         # value and decrypt it
         one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
         encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
         xor_byte_strings(one_time_pad, encrypted_csrf_token)
       end
 
-      def compare_with_real_token(token, session)
+      def compare_with_real_token(token, session) # :doc:
         ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
       end
 
-      def valid_per_form_csrf_token?(token, session)
+      def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
@@ -366,38 +366,38 @@ def valid_per_form_csrf_token?(token, session)
         end
       end
 
-      def real_csrf_token(session)
+      def real_csrf_token(session) # :doc:
         session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         Base64.strict_decode64(session[:_csrf_token])
       end
 
-      def per_form_csrf_token(session, action_path, method)
+      def per_form_csrf_token(session, action_path, method) # :doc:
         OpenSSL::HMAC.digest(
           OpenSSL::Digest::SHA256.new,
           real_csrf_token(session),
           [action_path, method.downcase].join("#")
         )
       end
 
-      def xor_byte_strings(s1, s2)
+      def xor_byte_strings(s1, s2) # :doc:
         s2_bytes = s2.bytes
         s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
         s2_bytes.pack("C*")
       end
 
       # The form's authenticity parameter. Override to provide your own.
-      def form_authenticity_param
+      def form_authenticity_param # :doc:
         params[request_forgery_protection_token]
       end
 
       # Checks if the controller allows forgery protection.
-      def protect_against_forgery?
+      def protect_against_forgery? # :doc:
         allow_forgery_protection
       end
 
       # Checks if the request originated from the same origin by looking at the
       # Origin header.
-      def valid_request_origin?
+      def valid_request_origin? # :doc:
         if forgery_protection_origin_check
           # We accept blank origin headers because some user agents don't send it.
           request.origin.nil? || request.origin == request.base_url
@@ -406,7 +406,7 @@ def valid_request_origin?
         end
       end
 
-      def normalize_action_path(action_path)
+      def normalize_action_path(action_path) # :doc:
         uri = URI.parse(action_path)
         uri.path.chomp("/")
       end

actionpack/lib/action_controller/metal/streaming.rb

@@ -193,10 +193,10 @@ module ActionController #:nodoc:
   module Streaming
     extend ActiveSupport::Concern
 
-    protected
+    private
 
       # Set proper cache control and transfer encoding when streaming
-      def _process_options(options) #:nodoc:
+      def _process_options(options)
         super
         if options[:stream]
           if request.version == "HTTP/1.0"
@@ -210,7 +210,7 @@ def _process_options(options) #:nodoc:
       end
 
       # Call render_body if we are streaming instead of usual +render+.
-      def _render_template(options) #:nodoc:
+      def _render_template(options)
         if options.delete(:stream)
           Rack::Chunked::Body.new view_renderer.render_body(view_context, options)
         else

actionpack/lib/action_dispatch/http/filter_parameters.rb

@@ -51,28 +51,28 @@ def filtered_path
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    protected
+    private
 
-      def parameter_filter
+      def parameter_filter # :doc:
         parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER
         }
       end
 
-      def env_filter
+      def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
         }
         parameter_filter_for(Array(user_key) + ENV_MATCH)
       end
 
-      def parameter_filter_for(filters)
+      def parameter_filter_for(filters) # :doc:
         ParameterFilter.new(filters)
       end
 
       KV_RE   = "[^&;=]+"
       PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
-      def filtered_query_string
+      def filtered_query_string # :doc:
         query_string.gsub(PAIR_RE) do |_|
           parameter_filter.filter([[$1, $2]]).first.join("=")
         end

actionpack/lib/action_dispatch/http/mime_negotiation.rb

@@ -150,20 +150,20 @@ def negotiate_mime(order)
         order.include?(Mime::ALL) ? format : nil
       end
 
-      protected
+      private
 
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-        def valid_accept_header
+        def valid_accept_header # :doc:
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
         end
 
-        def use_accept_header
+        def use_accept_header # :doc:
           !self.class.ignore_accept_header
         end
 
-        def format_from_path_extension
+        def format_from_path_extension # :doc:
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]

actionpack/lib/action_dispatch/journey/router/utils.rb

@@ -58,12 +58,12 @@ def unescape_uri(uri)
             uri.gsub(ESCAPED) { |match| [match[1, 2].hex].pack("C") }.force_encoding(encoding)
           end
 
-          protected
-            def escape(component, pattern)
+          private
+            def escape(component, pattern) # :doc:
               component.gsub(pattern) { |unsafe| percent_encode(unsafe) }.force_encoding(US_ASCII)
             end
 
-            def percent_encode(unsafe)
+            def percent_encode(unsafe) # :doc:
               safe = EMPTY.dup
               unsafe.each_byte { |b| safe << DEC2HEX[b] }
               safe