vendor/rails/actionpack/lib/action_controller/session_management.rb

   1 require 'action_controller/session/cookie_store'
   2 require 'action_controller/session/drb_store'
   3 require 'action_controller/session/mem_cache_store'
   4 if Object.const_defined?(:ActiveRecord)
   5   require 'action_controller/session/active_record_store'
   6 end
   7
   8 module ActionController #:nodoc:
   9   module SessionManagement #:nodoc:
  10     def self.included(base)
  11       base.class_eval do
  12         extend ClassMethods
  13         alias_method_chain :process, :session_management_support
  14         alias_method_chain :process_cleanup, :session_management_support
  15       end
  16     end
  17
  18     module ClassMethods
  19       # Set the session store to be used for keeping the session data between requests.
  20       # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
  21       # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
  22       # <tt>:p_store</tt>, <tt>:drb_store</tt>, <tt>:mem_cache_store</tt>, or
  23       # <tt>:memory_store</tt>) or your own custom class.
  24       def session_store=(store)
  25         ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] =
  26           store.is_a?(Symbol) ? CGI::Session.const_get(store == :drb_store ? "DRbStore" : store.to_s.camelize) : store
  27       end
  28
  29       # Returns the session store class currently used.
  30       def session_store
  31         ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager]
  32       end
  33
  34       # Returns the hash used to configure the session. Example use:
  35       #
  36       #   ActionController::Base.session_options[:session_secure] = true # session only available over HTTPS
  37       def session_options
  38         ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS
  39       end
  40
  41       # Specify how sessions ought to be managed for a subset of the actions on
  42       # the controller. Like filters, you can specify <tt>:only</tt> and
  43       # <tt>:except</tt> clauses to restrict the subset, otherwise options
  44       # apply to all actions on this controller.
  45       #
  46       # The session options are inheritable, as well, so if you specify them in
  47       # a parent controller, they apply to controllers that extend the parent.
  48       #
  49       # Usage:
  50       #
  51       #   # turn off session management for all actions.
  52       #   session :off
  53       #
  54       #   # turn off session management for all actions _except_ foo and bar.
  55       #   session :off, :except => %w(foo bar)
  56       #
  57       #   # turn off session management for only the foo and bar actions.
  58       #   session :off, :only => %w(foo bar)
  59       #
  60       #   # the session will only work over HTTPS, but only for the foo action
  61       #   session :only => :foo, :session_secure => true
  62       #
  63       #   # the session by default uses HttpOnly sessions for security reasons.
  64       #   # this can be switched off.
  65       #   session :only => :foo, :session_http_only => false
  66       #
  67       #   # the session will only be disabled for 'foo', and only if it is
  68       #   # requested as a web service
  69       #   session :off, :only => :foo,
  70       #           :if => Proc.new { |req| req.parameters[:ws] }
  71       #
  72       #   # the session will be disabled for non html/ajax requests
  73       #   session :off,
  74       #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
  75       #
  76       #   # turn the session back on, useful when it was turned off in the
  77       #   # application controller, and you need it on in another controller
  78       #   session :on
  79       #
  80       # All session options described for ActionController::Base.process_cgi
  81       # are valid arguments.
  82       def session(*args)
  83         options = args.extract_options!
  84
  85         options[:disabled] = false if args.delete(:on)
  86         options[:disabled] = true if !args.empty?
  87         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
  88         options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]
  89         if options[:only] && options[:except]
  90           raise ArgumentError, "only one of either :only or :except are allowed"
  91         end
  92
  93         write_inheritable_array(:session_options, [options])
  94       end
  95
  96       # So we can declare session options in the Rails initializer.
  97       alias_method :session=, :session
  98
  99       def cached_session_options #:nodoc:
 100         @session_options ||= read_inheritable_attribute(:session_options) || []
 101       end
 102
 103       def session_options_for(request, action) #:nodoc:
 104         if (session_options = cached_session_options).empty?
 105           {}
 106         else
 107           options = {}
 108
 109           action = action.to_s
 110           session_options.each do |opts|
 111             next if opts[:if] && !opts[:if].call(request)
 112             if opts[:only] && opts[:only].include?(action)
 113               options.merge!(opts)
 114             elsif opts[:except] && !opts[:except].include?(action)
 115               options.merge!(opts)
 116             elsif !opts[:only] && !opts[:except]
 117               options.merge!(opts)
 118             end
 119           end
 120
 121           if options.empty? then options
 122           else
 123             options.delete :only
 124             options.delete :except
 125             options.delete :if
 126             options[:disabled] ? false : options
 127           end
 128         end
 129       end
 130     end
 131
 132     def process_with_session_management_support(request, response, method = :perform_action, *arguments) #:nodoc:
 133       set_session_options(request)
 134       process_without_session_management_support(request, response, method, *arguments)
 135     end
 136
 137     private
 138       def set_session_options(request)
 139         request.session_options = self.class.session_options_for(request, request.parameters["action"] || "index")
 140       end
 141
 142       def process_cleanup_with_session_management_support
 143         clear_persistent_model_associations
 144         process_cleanup_without_session_management_support
 145       end
 146
 147       # Clear cached associations in session data so they don't overflow
 148       # the database field.  Only applies to ActiveRecordStore since there
 149       # is not a standard way to iterate over session data.
 150       def clear_persistent_model_associations #:doc:
 151         if defined?(@_session) && @_session.respond_to?(:data)
 152           session_data = @_session.data
 153
 154           if session_data && session_data.respond_to?(:each_value)
 155             session_data.each_value do |obj|
 156               obj.clear_association_cache if obj.respond_to?(:clear_association_cache)
 157             end
 158           end
 159         end
 160       end
 161   end
 162 end