clearance 1.8.0 → 1.16.0

Potentially problematic release.


This version of clearance might be problematic.

Files changed (107)
  1. checksums.yaml +4 -4
  2. data/.gitignore +3 -0
  3. data/.travis.yml +25 -6
  4. data/.yardopts +6 -0
  5. data/Appraisals +15 -4
  6. data/CONTRIBUTING.md +4 -1
  7. data/Gemfile +5 -3
  8. data/Gemfile.lock +102 -96
  9. data/NEWS.md +742 -311
  10. data/README.md +217 -339
  11. data/app/controllers/clearance/passwords_controller.rb +35 -21
  12. data/app/controllers/clearance/sessions_controller.rb +17 -4
  13. data/app/controllers/clearance/users_controller.rb +10 -4
  14. data/app/mailers/clearance_mailer.rb +2 -3
  15. data/app/views/clearance_mailer/change_password.html.erb +6 -3
  16. data/app/views/clearance_mailer/change_password.text.erb +5 -0
  17. data/app/views/layouts/application.html.erb +2 -2
  18. data/app/views/passwords/create.html.erb +1 -1
  19. data/app/views/passwords/edit.html.erb +2 -2
  20. data/app/views/passwords/new.html.erb +2 -2
  21. data/app/views/sessions/_form.html.erb +2 -2
  22. data/app/views/sessions/new.html.erb +1 -1
  23. data/app/views/users/new.html.erb +2 -2
  24. data/bin/setup +6 -2
  25. data/config/locales/clearance.en.yml +6 -0
  26. data/db/migrate/20110111224543_create_clearance_users.rb +1 -1
  27. data/gemfiles/{rails3.2.gemfile → rails32.gemfile} +4 -2
  28. data/gemfiles/{rails4.0.gemfile → rails40.gemfile} +6 -3
  29. data/gemfiles/{rails4.1.gemfile → rails41.gemfile} +6 -3
  30. data/gemfiles/{rails4.2.gemfile → rails42.gemfile} +6 -3
  31. data/gemfiles/rails50.gemfile +21 -0
  32. data/lib/clearance/authentication.rb +61 -2
  33. data/lib/clearance/authorization.rb +47 -4
  34. data/lib/clearance/back_door.rb +29 -6
  35. data/lib/clearance/configuration.rb +152 -15
  36. data/lib/clearance/constraints/signed_in.rb +21 -0
  37. data/lib/clearance/constraints/signed_out.rb +12 -0
  38. data/lib/clearance/constraints.rb +12 -0
  39. data/lib/clearance/controller.rb +13 -0
  40. data/lib/clearance/default_sign_in_guard.rb +17 -0
  41. data/lib/clearance/engine.rb +24 -4
  42. data/lib/clearance/password_strategies/bcrypt.rb +16 -21
  43. data/lib/clearance/password_strategies/bcrypt_migration_from_sha1.rb +19 -0
  44. data/lib/clearance/password_strategies/blowfish.rb +17 -0
  45. data/lib/clearance/password_strategies/sha1.rb +17 -0
  46. data/lib/clearance/password_strategies.rb +13 -0
  47. data/lib/clearance/rack_session.rb +13 -0
  48. data/lib/clearance/rspec.rb +15 -4
  49. data/lib/clearance/session.rb +46 -1
  50. data/lib/clearance/session_status.rb +7 -0
  51. data/lib/clearance/sign_in_guard.rb +65 -0
  52. data/lib/clearance/test_unit.rb +3 -3
  53. data/lib/clearance/testing/controller_helpers.rb +44 -0
  54. data/lib/clearance/testing/deny_access_matcher.rb +36 -2
  55. data/lib/clearance/testing/helpers.rb +9 -25
  56. data/lib/clearance/testing/view_helpers.rb +32 -0
  57. data/lib/clearance/token.rb +7 -0
  58. data/lib/clearance/user.rb +182 -4
  59. data/lib/clearance/version.rb +1 -1
  60. data/lib/clearance.rb +2 -0
  61. data/lib/generators/clearance/install/install_generator.rb +24 -5
  62. data/lib/generators/clearance/install/templates/clearance.rb +1 -0
  63. data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb +3 -3
  64. data/lib/generators/clearance/install/templates/db/migrate/create_users.rb +2 -2
  65. data/lib/generators/clearance/install/templates/user.rb.erb +3 -0
  66. data/lib/generators/clearance/routes/routes_generator.rb +23 -0
  67. data/lib/generators/clearance/routes/templates/routes.rb +7 -7
  68. data/lib/generators/clearance/specs/templates/features/clearance/user_signs_out_spec.rb.tt +1 -1
  69. data/lib/generators/clearance/specs/templates/features/clearance/visitor_resets_password_spec.rb.tt +12 -2
  70. data/lib/generators/clearance/specs/templates/features/clearance/visitor_signs_in_spec.rb.tt +1 -1
  71. data/lib/generators/clearance/specs/templates/features/clearance/visitor_signs_up_spec.rb.tt +1 -1
  72. data/lib/generators/clearance/specs/templates/features/clearance/visitor_updates_password_spec.rb.tt +1 -1
  73. data/spec/acceptance/clearance_installation_spec.rb +4 -1
  74. data/spec/app_templates/app/models/rails5/user.rb +5 -0
  75. data/spec/app_templates/config/initializers/clearance.rb +2 -0
  76. data/spec/app_templates/testapp/app/controllers/home_controller.rb +5 -1
  77. data/spec/app_templates/testapp/config/initializers/action_mailer.rb +1 -3
  78. data/spec/clearance/back_door_spec.rb +25 -6
  79. data/spec/clearance/controller_spec.rb +11 -0
  80. data/spec/clearance/rack_session_spec.rb +5 -5
  81. data/spec/clearance/session_spec.rb +2 -15
  82. data/spec/clearance/testing/{helpers_spec.rb → controller_helpers_spec.rb} +12 -12
  83. data/spec/clearance/testing/view_helpers_spec.rb +37 -0
  84. data/spec/configuration_spec.rb +94 -86
  85. data/spec/controllers/apis_controller_spec.rb +6 -2
  86. data/spec/controllers/forgeries_controller_spec.rb +6 -1
  87. data/spec/controllers/passwords_controller_spec.rb +17 -16
  88. data/spec/controllers/permissions_controller_spec.rb +13 -3
  89. data/spec/controllers/sessions_controller_spec.rb +4 -4
  90. data/spec/dummy/app/controllers/application_controller.rb +5 -1
  91. data/spec/dummy/application.rb +4 -0
  92. data/spec/generators/clearance/install/install_generator_spec.rb +29 -3
  93. data/spec/generators/clearance/routes/routes_generator_spec.rb +5 -1
  94. data/spec/generators/clearance/views/views_generator_spec.rb +11 -10
  95. data/spec/helpers/helper_helpers_spec.rb +10 -0
  96. data/spec/mailers/clearance_mailer_spec.rb +13 -19
  97. data/spec/password_strategies/bcrypt_migration_from_sha1_spec.rb +6 -0
  98. data/spec/password_strategies/blowfish_spec.rb +6 -0
  99. data/spec/password_strategies/sha1_spec.rb +6 -0
  100. data/spec/requests/csrf_rotation_spec.rb +33 -0
  101. data/spec/spec_helper.rb +11 -2
  102. data/spec/support/generator_spec_helpers.rb +13 -1
  103. data/spec/support/http_method_shim.rb +23 -0
  104. data/spec/user_spec.rb +9 -0
  105. data/spec/views/view_helpers_spec.rb +10 -0
  106. metadata +22 -9
  107. data/lib/generators/clearance/install/templates/user.rb +0 -3
data/NEWS.md CHANGED
@@ -1,506 +1,937 @@
1
- Thank you to all the [contributors](https://github.com/thoughtbot/clearance/graphs/contributors)!
1
+ # News
2
2
 
3
- New for 1.8.0 (January 23, 2015)
4
- * Fixed an issue that would cause sites that are still using the deprecated
5
- `authorize` filter to enter a redirect loop when redirecting to the sign in
6
- path.
7
- * The Clearance remember token cookie name is now customizable via
3
+ The noteworthy changes for each Clearance version are included here. For a
4
+ complete changelog, see the git history for each version via the version links.
5
+
6
+ ## [1.16.0] - January 16, 2017
7
+
8
+ ### Security
9
+ - Clearance users can now help prevent [session fixation attacks] by setting
10
+ `Clearance.configuration.rotate_csrf_on_sign_in` to `true`. This will cause
11
+ the user's CSRF token to be rotated on sign in and is recommended for all
12
+ Clearance applications. This setting will default to `true` in Clearance 2.0.
13
+ Clearance will emit a warning on each sign in until this configuration setting
14
+ is explicitly set to `true` or `false`.
15
+
16
+ [session fixation attacks]: https://www.owasp.org/index.php/Session_fixation
17
+ [1.16.0]: https://github.com/thoughtbot/clearance/compare/v1.15.1...v1.16.0
18
+
19
+ ## [1.15.1] - October 6, 2016
20
+
21
+ ### Fixed
22
+ - Password reset form redirect no longer uses a named route helper, which means
23
+ it will work for developers that have customized their routes.
24
+
25
+ [1.15.1]: https://github.com/thoughtbot/clearance/compare/v1.15.0...v1.15.1
26
+
27
+ ## [1.15.0] - September 26, 2016
28
+
29
+ ### Security
30
+ - Prevent possible password reset token leak to external sites linked to on the
31
+ password reset page. See [PR #707] for more information.
32
+
33
+ [PR #707]: https://github.com/thoughtbot/clearance/pull/707
34
+ [1.15.0]: https://github.com/thoughtbot/clearance/compare/v1.14.2...v1.15.0
35
+
36
+ ## [1.14.2] - August 10, 2016
37
+
38
+ ### Fixed
39
+ - Fixed incompatibility with `attr_encrypted` gem by inlining the body of the
40
+ `encrypt` helper method used in the BCrypt password strategy.
41
+
42
+ [1.14.2]: https://github.com/thoughtbot/clearance/compare/v1.14.1...v1.14.2
43
+
44
+ ## [1.14.1] - May 12, 2016
45
+
46
+ ### Fixed
47
+ - Fixed insertion of `include Clearance::User` when running the install
48
+ generator in an app that already has a `User` model.
49
+ - Updated `deny_access` matcher to assert against configured redirect location
50
+ rather than hard coded `/`.
51
+
52
+ [1.14.1]: https://github.com/thoughtbot/clearance/compare/v1.14.0...v1.14.1
53
+
54
+ ## [1.14.0] - April 29, 2016
55
+
56
+ ### Added
57
+ - `Clearance::BackDoor` now accepts a block, allowing the user for a test to be
58
+ looked up by a parameter other than `id` if you have overridden `to_param` for
59
+ the `User` model.
60
+
61
+ ### Fixed
62
+ - We now correctly track the dirty state of `User#encrypted_password`, which
63
+ fixes custom validations on `User#password` (e.g. validating password length)
64
+ that were conditional on the password actually changing.
65
+ - The `clearance:install` generator will now generate a `User` model that
66
+ inherits from `ApplicationRecord` if run on a Rails 5 app that doesn't already
67
+ have a `User` model.
68
+
69
+ ### Deprecated
70
+ - `User#password_changing` is deprecated in favor of automatic dirty tracking on
71
+ `encrypted_password` and `password`. If you are calling this in your
72
+ application you should be able to remove it.
73
+
74
+ [1.14.0]: https://github.com/thoughtbot/clearance/compare/v1.13.0...v1.14.0
75
+
76
+ ## [1.13.0] - March 4, 2016
77
+
78
+ ### Added
79
+ - Clearance now supports Rails 5.0.0.beta3 and newer.
80
+
81
+ ### Fixed
82
+ - Clearance will now infer the parameter name to use when accessing user
83
+ parameters in a request. This previously used `:user`, which was incorrect for
84
+ customized user models.
85
+ - Generated feature specs no longer rely on RSpec monkey patches.
86
+
87
+ [1.13.0]: https://github.com/thoughtbot/clearance/compare/v1.12.1...v1.13.0
88
+
89
+ ## [1.12.1] - January 7, 2016
90
+
91
+ ### Fixed
92
+ - Fixed the `create_users` migration generated by `rails generate
93
+ clearance:install` under Rails 3.x.
94
+
95
+ [1.12.1]: https://github.com/thoughtbot/clearance/compare/v1.12.0...v1.12.1
96
+
97
+ ## [1.12.0] - November 17, 2015
98
+
99
+ ### Added
100
+ - Users will now see a flash message when redirected to sign in by
101
+ `require_login`. This I18n key for this message is
102
+ `flashes.failure_when_not_signed_in` and defaults to "Please sign in to
103
+ continue".
104
+ - Added significant API documentation. API documentation effort is ongoing.
105
+
106
+ ### Fixed
107
+ - Fixed expectation in the generated `visitor_resets_password_spec.rb` file.
108
+ - Corrected indentation of routes inserted by the routes generator.
109
+ - Corrected indentation of `include Clearance::User` when the install generator
110
+ adds it to an existing user class.
111
+
112
+ [1.12.0]: https://github.com/thoughtbot/clearance/compare/v1.11.0...v1.12.0
113
+
114
+ ## [1.11.0] - August 21, 2015
115
+
116
+ ### Added
117
+ - Add `sign_in` and `sign_in_as` helper methods to view specs. These helpers
118
+ avoid errors from verified partial doubles that come from. See
119
+ [462c009].
120
+
121
+ ### Fixed
122
+ - `clearance:routes` generator now properly disables internal routes in your
123
+ Clearance initializer.
124
+ - Clearance now accesses the cookie jar via ActionDispatch::Request rather than
125
+ `Rack::Request`. This is more consistent with what Rails does internally.
126
+
127
+ ### Deprecated
128
+ - `Clearance::Testing::Helpers` has been deprecated in favor of
129
+ `Clearance::Testing::ControllerHelpers`. Most users are accessing these
130
+ helpers by requiring `clearance/rspec` or `clearance/test_unit` and should be
131
+ unaffected.
132
+
133
+ [462c009]: https://github.com/thoughtbot/clearance/commit/462c00965c14b2492500fbb4fecd7b84b9790bb9
134
+ [1.11.0]: https://github.com/thoughtbot/clearance/compare/v1.10.1...v1.11.0
135
+
136
+ ## [1.10.1] - May 15, 2015
137
+
138
+ ### Deprecated
139
+ - All clearance-provided password strategies other than BCrypt have been
140
+ deprecated. You can continue to use those strategies without a deprecation
141
+ warning by adding `clearance-deprecated_password_strategies` to your Gemfile.
142
+
143
+ [1.10.1]: https://github.com/thoughtbot/clearance/compare/v1.9.0...v1.10.1
144
+
145
+ ## [1.9.0] - April 3, 2015
146
+
147
+ ### Added
148
+ - The change password mailer now produces a multipart message which includes a
149
+ text part along with the previously existing HTML part. To override the text
150
+ part, add `change_password.text.erb` alongside your `change_password.html.erb`
151
+ file.
152
+
153
+ ### Fixed
154
+ - Custom `user_model` configured in a Rails initializer will now be reloaded in
155
+ development mode.
156
+ - Change password template now contains "Change my password" link text to
157
+ address an issue linking the URL in some mail clients.
158
+
159
+ [1.9.0]: https://github.com/thoughtbot/clearance/compare/v1.8.1...v1.9.0
160
+
161
+ ## [1.8.1] - March 3, 2015
162
+
163
+ ### Security
164
+ - Enable cross-site request forgery protection on `sessions#create`. See
165
+ [7f5d56e](https://github.com/thoughtbot/clearance/commit/7f5d56ed3a51aca14fa60247a90ca0cd11db0e0d).
166
+
167
+ ### Fixed
168
+ - All methods included by `Clearance::Controller` are now excluded from
169
+ `action_methods`.
170
+
171
+ [1.8.1]: https://github.com/thoughtbot/clearance/compare/v1.8.0...v1.8.1
172
+
173
+ ## [1.8.0] - January 23, 2015
174
+
175
+ ### Added
176
+ - The remember token cookie name is now customizable via
8
177
  `Clearance.configuration.cookie_name`.
9
- * Signed in users that attempt to visit the sign in path are now redirected. The
178
+
179
+ ### Fixed
180
+ - Fixed a redirect loop on the sign in page for applications that are still
181
+ using the deprecated `authorize` filter.
182
+ - Signed in users that attempt to visit the sign in path are now redirected. The
10
183
  redirect URL defaults to the same URL used for the redirect after sign in, but
11
184
  can be customized by overriding `passwords_controller#url_for_signed_in_users`
12
- * `users_controller#avoid_sign_in` is now deprecated in favor of
185
+
186
+ ### Deprecated
187
+ - `users_controller#avoid_sign_in` is now deprecated in favor of
13
188
  `redirect_signed_in_users` which is more accurately named.
14
189
 
15
- New for 1.7.0 (January, 8, 2015)
16
- * The `authorize` filter has been deprecated in favor of `require_login`. Update
190
+ [1.8.0]: https://github.com/thoughtbot/clearance/compare/v1.7.0...v1.8.0
191
+
192
+ ## [1.7.0] - January, 8, 2015
193
+
194
+ ### Fixed
195
+ - Fix the negation of the `deny_access` matcher in Rails 4.0.x on Ruby 2.2
196
+
197
+ ### Deprecated
198
+ - The `authorize` filter has been deprecated in favor of `require_login`. Update
17
199
  all reference to the filter including any calls to `skip_before_filter` or
18
200
  `skip_before_action`.
19
- * The `Clearance.root` method has been deprecated.
20
- * Fix the negation of the `deny_access` matcher in Rails 4.0.x on Ruby 2.2
201
+ - The `Clearance.root` method has been deprecated. It was used internally and
202
+ unlikely to impact external users.
203
+
204
+ [1.7.0]: https://github.com/thoughtbot/clearance/compare/v1.6.1...v1.7.0
205
+
206
+ ## [1.6.1] - January 6, 2015
21
207
 
22
- New for 1.6.1 (January 6, 2015)
23
- * Secure cookies are no longer overwritten when the user visits a non-HTTPS URL.
208
+ ### Fixed
209
+ - Secure cookies are no longer overwritten when the user visits a non-HTTPS URL.
24
210
 
25
- New for 1.6.0 (December 20, 2014)
26
- * When using Rails 4.2, password reset emails are sent with the
211
+ [1.6.1]: https://github.com/thoughtbot/clearance/compare/v1.6.0...v1.6.1
212
+
213
+ ## [1.6.0] - December 20, 2014
214
+
215
+ ### Added
216
+ - When using Rails 4.2, password reset emails are sent with the
27
217
  ActiveJob-compatible `#deliver_later` method.
28
218
 
29
- New for 1.5.1 (December 19, 2014)
30
- * Blowfish password strategy fixed
31
- * Specs generated with `rails generate clearance:specs` now work properly in
219
+ [1.6.0]: https://github.com/thoughtbot/clearance/compare/v1.5.1...v1.6.0
220
+
221
+ ## [1.5.1] - December 19, 2014
222
+
223
+ ### Fixed
224
+ - Blowfish password strategy fixed
225
+ - Specs generated with `rails generate clearance:specs` now work properly in
32
226
  RSpec 3 projects.
33
227
 
34
- New for 1.5.0 (October 17, 2014)
35
- * Disable clearance routes by setting `config.routes = false`.
36
- * Running `rails generate clearance:routes` will dump the default set of
228
+ [1.5.1]: https://github.com/thoughtbot/clearance/compare/v1.5.0...v1.5.1
229
+
230
+ ## [1.5.0] - October 17, 2014
231
+
232
+ ### Added
233
+ - Disable clearance routes by setting `config.routes = false`.
234
+ - Running `rails generate clearance:routes` will dump the default set of
37
235
  routes to your application's routes file for modification.
38
236
 
39
- New for 1.4.3 (October 3, 2014)
40
- * Routing constraints act appropriately when session data is missing.
237
+ [1.5.0]: https://github.com/thoughtbot/clearance/compare/v1.4.3...v1.5.0
238
+
239
+ ## [1.4.3] - October 3, 2014
240
+
241
+ ### Fixed
242
+ - Routing constraints act appropriately when session data is missing.
243
+
244
+ [1.4.3]: https://github.com/thoughtbot/clearance/compare/v1.4.2...v1.4.3
41
245
 
42
- New for 1.4.2 (September 13, 2014)
43
- * Eliminate deprecation message when using DenyAccess matcher with RSpec 3.
246
+ ## [1.4.2] - September 13, 2014
44
247
 
45
- New for 1.4.1 (September 5, 2014)
46
- * Prevent BCrypt strategy from raising an exception when `encypted_password`
248
+ ### Fixed
249
+ - Eliminate deprecation message when using DenyAccess matcher with RSpec 3.
250
+
251
+ [1.4.2]: https://github.com/thoughtbot/clearance/compare/v1.4.1...v1.4.2
252
+
253
+ ## [1.4.1] - September 5, 2014
254
+
255
+ ### Fixed
256
+ - Prevent BCrypt strategy from raising an exception when `encypted_password`
47
257
  is nil.
48
258
 
49
- New for 1.4.0 (July 18, 2014)
50
- * The sign out link in the default application layout has been replaced with a
259
+ [1.4.1]: https://github.com/thoughtbot/clearance/compare/v1.4.0...v1.4.1
260
+
261
+ ## [1.4.0] - July 18, 2014
262
+
263
+ ### Added
264
+ - `user_params` method was added to `Clearance::UsersController` which provides
265
+ a convenient place to override the parameters used when creating users.
266
+ - Controllers now inherit from `Clearance::BaseController` to allow for easily
267
+ adding behavior to all of them.
268
+
269
+ ### Changed
270
+ - The sign out link in the default application layout has been replaced with a
51
271
  semantically correct sign out button. This also removes an unnecessary
52
272
  JavaScript dependency.
53
- * Clearance now uses `original_fullpath` when redirecting to a saved URL after
273
+
274
+ ### Fixed
275
+ - Clearance now uses `original_fullpath` when redirecting to a saved URL after
54
276
  login. This should improve the behavior in mounted engines.
55
- * `user_params` method was added to `Clearance::UsersController` which provides
56
- a convenient place to override the parameters used when creating users.
57
- * Controllers now inherit from `Clearance::BaseController` to allow for easily
58
- adding behavior to all of them.
59
277
 
60
- New for 1.3.0 (March 14, 2014)
61
- * Installing Clearance with an existing User model will now create a migration
278
+ [1.4.0]: https://github.com/thoughtbot/clearance/compare/v1.3.0...v1.4.0
279
+
280
+ ## [1.3.0] - March 14, 2014
281
+
282
+ ### Added
283
+ - Installing Clearance with an existing User model will now create a migration
62
284
  that includes adding remember tokens to all existing user records.
63
285
 
64
- New for 1.2.1 (March 6, 2014):
65
- * Query string is now included in the redirect URL when Clearance redirects to a
286
+ [1.3.0]: https://github.com/thoughtbot/clearance/compare/v1.2.1...v1.3.0
287
+
288
+ ## [1.2.1] - March 6, 2014
289
+
290
+ ### Fixed
291
+ - Query string is now included in the redirect URL when Clearance redirects to a
66
292
  previously stored URL.
67
293
 
68
- New for 1.2.0 (February 28, 2014):
69
- * Support for Rails 4.1.0.rc1
70
- * `clearance/testing` is now deprecated. Require `clearance/rspec` or
71
- `clearance/test_unit` as appropriate.
72
- * Sign in failure message is now customized exclusively via I18n.
294
+ [1.2.1]: https://github.com/thoughtbot/clearance/compare/v1.2.0...v1.2.1
295
+
296
+ ## [1.2.0] - February 28, 2014
297
+
298
+ ### Added
299
+ - Support for Rails 4.1.0.rc1
300
+ - Sign in can now be disabled with `config.allow_sign_in = false`
301
+
302
+ ### Changed
303
+ - Sign in failure message is now customized exclusively via I18n.
73
304
  `SessionsController#flash_failure_after_create` is no longer called. To
74
305
  customize the message, change the
75
306
  `clearance.controllers.sessions.bad_email_or_password` or
76
307
  `flashes.failure_after_create` key.
77
- * Sign in can now be disabled with `config.allow_sign_in = false`
78
308
 
79
- New for 1.1.0 (November 21, 2013):
309
+ ### Deprecated
310
+ - `clearance/testing` is now deprecated. Require `clearance/rspec` or
311
+ `clearance/test_unit` as appropriate.
312
+
313
+ [1.2.0]: https://github.com/thoughtbot/clearance/compare/v1.1.0...v1.2.0
80
314
 
81
- * Validate email with `EmailValidator` [strict mode][strict].
82
- * The `cookie_expiration` configuration lambda can now be called with a
315
+ ## [1.1.0] - November 21, 2013
316
+
317
+ ### Added
318
+ - Validate email with `EmailValidator` [strict mode][strict].
319
+ - The `cookie_expiration` configuration lambda can now be called with a
83
320
  `cookies` parameter. Allows the Clearance cookie expiration to be set
84
321
  according to the value of another cookie (such as `remember_me`).
85
- * A `cookie_expiration` lambda that does not accept this `cookies`
86
- parameter has been deprecated.
87
- * Allow cookie domain and path configuration.
88
- * Add sign in guards.
89
- * Don't allow logins with blank `remember_token`.
322
+ - Allow cookie domain and path configuration.
323
+ - Add sign in guards.
90
324
 
91
325
  [strict]: https://github.com/balexand/email_validator#strict-mode
92
326
 
93
- New for 1.0.1 (August 9, 2013):
327
+ ### Fixed
328
+ - Don't allow logins with blank `remember_token`.
329
+
330
+ ### Deprecated
331
+ - A `cookie_expiration` lambda that does not accept this `cookies`
332
+ parameter has been deprecated.
333
+
334
+ [1.1.0]: https://github.com/thoughtbot/clearance/compare/v1.0.1...v1.1.0
335
+
336
+ ## [1.0.1] - August 9, 2013
94
337
 
95
- * Fix an issue when trying to sign in with `nil`
338
+ ### Fixed
339
+ - Fix an issue when trying to sign in with `nil`
96
340
 
97
- New for 1.0.0 (August 1, 2013):
341
+ [1.0.1]: https://github.com/thoughtbot/clearance/compare/v1.0.0...v1.1.1
98
342
 
99
- * Support Rails 4.
100
- * Change default password strategy to BCrypt.
101
- * Speed up test suites using `::BCrypt::Engine::MIN_COST`.
102
- * Speed up integration suites with `Clearance::BackDoor`.
103
- * Replace email regular expression with `EmailValidator` gem.
104
- * Provide `BCryptMigrationFromSHA1` password strategy to help people migrate from
343
+ ## [1.0.0] - August 1, 2013
344
+
345
+ ### Added
346
+ - Support Rails 4.
347
+ - Speed up test suites using `::BCrypt::Engine::MIN_COST`.
348
+ - Speed up integration suites with `Clearance::BackDoor`.
349
+ - Provide `BCryptMigrationFromSHA1` password strategy to help people migrate from
105
350
  SHA1 (the old default password strategy) to BCrypt (the new default).
106
- * Support Ruby 2.
107
- * Require > Ruby 1.9.
108
- * More extension points in more controllers.
109
- * The `email`, `encrypted_password`, and `remember_token` fields of the users
351
+ - Support Ruby 2.
352
+ - More extension points in more controllers.
353
+ - Add `SignedIn` and `SignedOut` routing constraints.
354
+ - Add a fake password strategy, which is useful when writing tests.
355
+ - Add `redirect_url` configuration option.
356
+ - Add `secure_cookie` configuration option.
357
+
358
+ ### Changed
359
+ - Change default password strategy to BCrypt.
360
+ - Replace email regular expression with `EmailValidator` gem.
361
+ - Require > Ruby 1.9.
362
+ - The `email`, `encrypted_password`, and `remember_token` fields of the users
110
363
  table are `NOT NULL` in the default migration.
111
- * Add `SignedIn` and `SignedOut` routing constraints.
112
- * Add a fake password strategy, which is useful when writing tests.
113
- * Improve security when changing password.
114
- * Replace Cucumber feature generator with RSpec + Capybara.
115
- * Remove Diesel dependency.
116
- * Remove deprecated methods on User: `remember_me!`, `generate_random_code`,
117
- `password_required?`.
118
- * `PasswordsController` `params[:user]` has changed to `params[:password_reset]`
364
+ - Replace Cucumber feature generator with RSpec + Capybara.
365
+ - Remove Diesel dependency.
366
+ - `PasswordsController` `params[:user]` has changed to `params[:password_reset]`
119
367
  to avoid locale conflicts.
120
- * Remove `unloadable` from controllers (Rails 4 bug fix in development
121
- environment).
122
- * Add `redirect_url` configuration option.
123
- * Add `secure_cookie` configuration option.
124
- * Unauthorized API requests return HTTP status 401 rather than a redirect
368
+
369
+ ### Fixed
370
+ - Improve security when changing password.
371
+ - Reduce extra user lookups when adding cookie to headers.
372
+ - Unauthorized API requests return HTTP status 401 rather than a redirect
125
373
  to the sign in page.
126
- * Remove support for supplying `return_to` value via request parameter.
127
- * Reduce extra user lookups when adding cookie to headers.
128
374
 
129
- New for 0.16.2 (May 11, 2012):
375
+ ### Removed
376
+ - Remove deprecated methods on User: `remember_me!`, `generate_random_code`,
377
+ `password_required?`.
378
+ - Remove `unloadable` from controllers (Rails 4 bug fix in development
379
+ environment).
380
+ - Remove support for supplying `return_to` value via request parameter.
381
+
382
+ [1.0.0]: https://github.com/thoughtbot/clearance/compare/v0.16.2...v1.0.0
383
+
384
+ ## [0.16.2] - May 11, 2012
385
+
386
+ ### Changed
387
+ - Change default email sender to `deploy@example.com`.
130
388
 
131
- * Change default email sender to `deploy@example.com`.
389
+ [0.16.2]: https://github.com/thoughtbot/clearance/compare/v0.16.1...v0.16.2
132
390
 
133
- New for 0.16.1 (April 16, 2012):
391
+ ## [0.16.1] - April 16, 2012
134
392
 
135
- * Behave correctly when Rails whitelist attributes mass assignment
393
+ ### Fixed
394
+ - Behave correctly when Rails whitelist attributes mass assignment
136
395
  protection is turned on.
137
- * Fix for Rails 3.2.x modifying the HTTP cookie headers in rack requests.
396
+ - Fix for Rails 3.2.x modifying the HTTP cookie headers in rack requests.
397
+
398
+ [0.16.1]: https://github.com/thoughtbot/clearance/compare/v0.16.0...v0.16.1
399
+
400
+ ## [0.16.0] - March 16, 2012
401
+
402
+ ### Added
403
+ - Blowfish password encryption strategy.
404
+
405
+ [0.16.0]: https://github.com/thoughtbot/clearance/compare/v0.15.0...v0.16.0
406
+
407
+ ## [0.15.0] - February 3, 2012
408
+
409
+ ### Added
410
+ - The `User` model can be swapped out using the `Clearance.configure` method.
138
411
 
139
- New for 0.16.0 (March 16, 2012):
412
+ ### Removed
413
+ - Remove `User::InstanceMethods` to silence a Rails 3.2 deprecation warning.
140
414
 
141
- * Blowfish password encryption strategy.
415
+ [0.15.0]: https://github.com/thoughtbot/clearance/compare/v0.14.0...v0.15.0
142
416
 
143
- New for 0.15.0 (February 3, 2012):
417
+ ## [0.14.0] - January 13, 2012
144
418
 
145
- * The `User` model can be swapped out using the `Clearance.configure` method.
146
- * Remove `User::InstanceMethods` to silence a Rails 3.2 deprecation warning.
147
- * Bump development dependency of cucumber-rails to 1.1.1.
419
+ ### Added
420
+ - Support clearance session management from the Rack environment.
148
421
 
149
- New for 0.14.0 (January 13, 2012):
422
+ [0.14.0]: https://github.com/thoughtbot/clearance/compare/v0.13.2...v0.14.0
150
423
 
151
- * Support clearance session management from the Rack environment.
424
+ ## [0.13.2] - January 13, 2012
152
425
 
153
- New for 0.13.2 (January 13, 2012):
426
+ ### Fixed
427
+ - Fixed the `deny_access` matcher.
154
428
 
155
- * Fixed the `deny_access` matcher.
429
+ [0.13.2]: https://github.com/thoughtbot/clearance/compare/v0.13.0...v0.13.2
156
430
 
157
- New for 0.13.0 (October 11, 2011):
431
+ ## [0.13.0] - October 11, 2011
158
432
 
159
- * In Clearance's optional generated features, use pure Capybara instead of
433
+ ### Changed
434
+ - In Clearance's optional generated features, use pure Capybara instead of
160
435
  depending on Cucumber's removed `web_steps`, paths, and selectors.
161
- * Extract SHA-1-specific code out of `User` into `PasswordStrategies` module.
162
- * Extract sign in form so that other methods can be added easily.
163
- * Test against Rails 3.1. Required upgrades to Diesel and Appraisal.
164
- * Improved README documentation for overrides.
165
-
166
- New for 0.12.0 (June 30, 2011):
167
-
168
- * Denying access redirects to `root_url` when signed in, `sign_in_url` when signed
169
- out.
170
- * Using flash `:notice` key everywhere now instead of `:success` and `:failure`. More
171
- in line with Rails conventions.
172
- * `redirect_back_or` on sign up.
173
- * Resetting password no longer redirects to sign in page. It displays a message
436
+ - Extract SHA-1-specific code out of `User` into `PasswordStrategies` module.
437
+ - Extract sign in form so that other methods can be added easily.
438
+ - Test against Rails 3.1. Required upgrades to Diesel and Appraisal.
439
+
440
+ [0.13.0]: https://github.com/thoughtbot/clearance/compare/v0.12.0...v0.13.0
441
+
442
+ ## [0.12.0] - June 30, 2011
443
+
444
+ ### Changed
445
+ - Denying access redirects to `root_url` when signed in, `sign_in_url` when
446
+ signed out.
447
+ - Using flash `:notice` key everywhere now instead of `:success` and `:failure`.
448
+ More in line with Rails conventions.
449
+ - `redirect_back_or` on sign up.
450
+ - Resetting password no longer redirects to sign in page. It displays a message
174
451
  telling them to look for an email.
175
- * Removed redundant flash messages. ("Signed in.", "Signed out.", and "You are
452
+ - Removed redundant flash messages. ("Signed in.", "Signed out.", and "You are
176
453
  now signed up.")
177
454
 
178
- New for 0.11.2 (June 29, 2011):
455
+ [0.12.0]: https://github.com/thoughtbot/clearance/compare/v0.11.2...v0.12.0
179
456
 
180
- * Rails 3.1.rc compatible.
181
- * Cucumber features no longer require password.
182
- * No more Clearance `shoulda_macros`. Instead providing RSpec- and
457
+ ## [0.11.2] - June 29, 2011
458
+
459
+ ### Added
460
+ - Rails 3.1.rc compatible.
461
+ - RSpec and Test::Unit compliant test matcher (`should deny_access`, etc)
462
+
463
+ ### Removed
464
+ - No more Clearance `shoulda_macros`. Instead providing RSpec and
183
465
  Test::Unit-compliant test matchers (`should deny_access`, etc).
184
466
 
185
- New for 0.11.1 (April 30, 2011):
467
+ [0.11.2]: https://github.com/thoughtbot/clearance/compare/v0.11.1...v0.11.2
186
468
 
187
- * Redirect to home page after sign up.
188
- * Remove dependency on `dynamic_form`. Replaced with flashes due to limited number
189
- of failure cases.
190
- * Moving `ClearanceMailer` to `app/mailers`. Moving spec to `spec/mailers`.
191
- * Removing `:case_sensitive` option from `validates_uniqueness_of`. It was
469
+ ## [0.11.1] - April 30, 2011
470
+
471
+ ### Added
472
+ - Redirect to home page after sign up.
473
+
474
+ ### Fixed
475
+ - Removing `:case_sensitive` option from `validates_uniqueness_of`. It was
192
476
  unnecessary and causes a small performance problem on some apps.
193
- * Only development dependency in `gemspec` should be `bundler`. All others are
194
- derived by bundling.
195
477
 
196
- New for 0.11.0 (April 24, 2011):
478
+ ### Removed
479
+ - Remove dependency on `dynamic_form`. Replaced with flashes due to limited number
480
+ of failure cases.
481
+
482
+ [0.11.1]: https://github.com/thoughtbot/clearance/compare/v0.11.0...v0.11.1
483
+
484
+ ## [0.11.0] - April 24, 2011
197
485
 
198
- * Removing password confirmation.
199
- * Use `ActiveSupport::Concern` and `ActiveSupport::SecureRandom` to clean up code.
200
- * New `controller#authenticate(params)` method. Redefine username & password or
486
+ ### Added
487
+ - New `controller#authenticate(params)` method. Redefine username & password or
201
488
  other styles of authentication.
202
- * `before_filter :authenticate` API replaced with more aptly-named `before_filter
489
+
490
+ ### Changed
491
+ - `before_filter :authenticate` API replaced with more aptly-named `before_filter
203
492
  :authorize`.
204
493
 
205
- New for 0.10.5 (April 19, 2011):
494
+ ### Removed
495
+ - Removing password confirmation.
206
496
 
207
- * Closing CSRF hole for Rails >= 3.0.4 apps.
497
+ [0.11.0]: https://github.com/thoughtbot/clearance/compare/v0.10.5...v0.11.0
208
498
 
209
- New for 0.10.4 (April 16, 2011):
499
+ ## [0.10.5] - April 19, 2011
210
500
 
211
- * Formtastic views generator removed.
212
- * Emails forced to be downcased (particularly for iPhone user case).
213
- * Suite converted from test/unit to RSpec.
214
- * Password reset requires a password.
215
- * Use HTML5 email fields.
501
+ ### Security
502
+ - Closing CSRF hole for Rails >= 3.0.4 apps.
216
503
 
217
- New for 0.10.3.2 (March 6, 2011):
504
+ [0.10.5]: https://github.com/thoughtbot/clearance/compare/v0.10.4...v0.10.5
218
505
 
219
- * Fix gemspec to include all necessary files.
506
+ ## [0.10.4] - April 16, 2011
220
507
 
221
- New for 0.10.3.1 (February 20, 2011):
508
+ ### Added
509
+ - Use HTML5 email fields.
222
510
 
223
- * Ensure everything within features inside any engine directory is included in
511
+ ### Changed
512
+ - Emails forced to be downcased (particularly for iPhone user case).
513
+
514
+ ### Fixed
515
+ - Password reset requires a password.
516
+
517
+ ### Removed
518
+ - Formtastic views generator removed.
519
+
520
+ [0.10.4]: https://github.com/thoughtbot/clearance/compare/v0.10.3.2...v0.10.4
521
+
522
+ ## [0.10.3.2] - March 6, 2011
523
+
524
+ ### Fixed
525
+ - Fix gemspec to include all necessary files.
526
+
527
+ [0.10.3.2]: https://github.com/thoughtbot/clearance/compare/v0.10.3.1...v0.10.3.2
528
+
529
+ ## [0.10.3.1] - February 20, 2011
530
+
531
+ ### Fixed
532
+ - Ensure everything within features inside any engine directory is included in
224
533
  the `gemspec`.
225
534
 
226
- New for 0.10.3 (February 19, 2011):
535
+ [0.10.3.1]: https://github.com/thoughtbot/clearance/compare/v0.10.3...v0.10.3.1
536
+
537
+ ## [0.10.3] - February 19, 2011
227
538
 
228
- * Include features/engines in `gemspec` file list so generator works as
539
+ ### Fixed
540
+ - Include features/engines in `gemspec` file list so generator works as
229
541
  expected.
230
542
 
231
- New for 0.10.2 (February 18, 2011):
543
+ [0.10.3]: https://github.com/thoughtbot/clearance/compare/v0.10.2...v0.10.3
232
544
 
233
- * Replaced `test/rails_root` & general testing strategy with Diesel.
234
- * Conveniences in factories for password/confirmation.
235
- * New generator command: `rails generate clearance:install`.
236
- * Step definitions are now prefixed with `visitor_` to use thoughtbot
237
- convention.
238
- * When Clearance installed in an app that already has users, allow old users to
545
+ ## [0.10.2] - February 18, 2011
546
+
547
+ ### Added
548
+ - New generator command: `rails generate clearance:install`.
549
+ - When Clearance installed in an app that already has users, allow old users to
239
550
  sign in by resetting their password.
240
551
 
241
- New for 0.10.1 (February 9, 2011):
552
+ ### Changed
553
+ - Step definitions are now prefixed with `visitor_` to use thoughtbot
554
+ convention.
555
+
556
+ [0.10.2]: https://github.com/thoughtbot/clearance/compare/v0.10.1...v0.10.2
557
+
558
+ ## [0.10.1] - February 9, 2011
559
+
560
+ ### Fixed
561
+ - Replaced `ActionController::Forbidden` with a user-friendly flash message.
242
562
 
243
- * Replaced `ActionController::Forbidden` with a user-friendly flash message.
244
- * Improved language of Cucumber steps by allowing a little more flexibility.
563
+ [0.10.1]: https://github.com/thoughtbot/clearance/compare/v0.10.0...v0.10.1
245
564
 
246
- New for 0.10.0 (June 29, 2010):
565
+ ## [0.10.0] - June 29, 2010
247
566
 
248
- * Better email validation regular expression.
249
- * Removed email confirmation step, was mostly a hassle and can always be added
567
+ ### Added
568
+ - Better email validation regular expression.
569
+
570
+ ### Removed
571
+ - Removed email confirmation step, was mostly a hassle and can always be added
250
572
  back in at the application level (instead of engine level) if necessary.
251
- * Removed `disable_with` on forms since it does not allow IE users to submit
573
+ - Removed `disable_with` on forms since it does not allow IE users to submit
252
574
  forms. [Read more](https://github.com/rails/jquery-ujs/issues#issue/30).
253
575
 
254
- New for 0.9.1 (June 29, 2010):
576
+ [0.10.0]: https://github.com/thoughtbot/clearance/compare/v0.9.1...v0.10.0
577
+
578
+ ## [0.9.1] - June 29, 2010
579
+
580
+ ### Added
581
+ - This release supports Rails 3, capybara, and shoulda 2.10+.
255
582
 
256
- * This release supports Rails 3, capybara, and shoulda 2.10+.
583
+ [0.9.1]: https://github.com/thoughtbot/clearance/compare/v0.9.0...v0.9.1
257
584
 
258
- New for 0.9.0 (June 11, 2010):
585
+ ## [0.9.0] - June 11, 2010
259
586
 
260
- * Removed unnecessary db index.
261
- * Allow customization of cookie duration.
262
- * `rake generator:cleanup` needed to be... cleaned up.
587
+ ### Added
588
+ - Allow customization of cookie duration.
263
589
 
264
- New for 0.8.8 (February 25, 2010):
590
+ ### Changed
591
+ - Removed unnecessary db index.
265
592
 
266
- * Fixed `sign_in` and `sign_out` not setting `current_user`.
593
+ [0.9.0]: https://github.com/thoughtbot/clearance/compare/v0.8.8...v0.9.0
267
594
 
268
- New for 0.8.7 (February 21, 2010):
595
+ ## [0.8.8] - February 25, 2010
269
596
 
270
- * Fixed global sign out bug.
271
- * Allow Rails apps to `before_filter :authenticate` the entire app
597
+ ### Fixed
598
+ - Fixed `sign_in` and `sign_out` not setting `current_user`.
599
+
600
+ [0.8.8]: https://github.com/thoughtbot/clearance/compare/v0.8.7...v0.8.8
601
+
602
+ ## [0.8.7] - February 21, 2010
603
+
604
+ ### Fixed
605
+ - Fixed global sign out bug.
606
+ - Allow Rails apps to `before_filter :authenticate` the entire app
272
607
  in `ApplicationController` and still have password recovery work without
273
608
  overriding any controllers.
274
- * Rails 3 fix for `ActionController`/`ActionDispatch` change.
609
+ - Rails 3 fix for `ActionController`/`ActionDispatch` change.
275
610
 
276
- New for 0.8.6 (February 17, 2010):
611
+ [0.8.7]: https://github.com/thoughtbot/clearance/compare/v0.8.6...v0.8.7
612
+
613
+ ## [0.8.6] - February 17, 2010
614
+
615
+ ### Added
616
+ - Allow overridden user models to skip email/password validations
617
+ conditionally. This makes username/facebook integration easier.
277
618
 
278
- * Clearance features capitalization should match view text.
279
- * Skip `:authenticate before_filter` in controllers so apps can easily
619
+ ### Fixed
620
+ - Clearance features capitalization should match view text.
621
+ - Skip `:authenticate before_filter` in controllers so apps can easily
280
622
  authenticate a whole site without subclassing.
281
- * Added randomness to token and salt generation,
282
- * Reset the `remember_token` on sign out instead of sign in. Allows for the same
623
+ - Added randomness to token and salt generation,
624
+ - Reset the `remember_token` on sign out instead of sign in. Allows for the same
283
625
  user to sign in from two locations at once.
284
- * Append the version number to generated update migrations.
285
- * Allow overridden user models to skip email/password validations
286
- conditionally. This makes username/facebook integration easier.
626
+ - Append the version number to generated update migrations.
287
627
 
288
- New for 0.8.5 (January 20, 2010):
628
+ [0.8.6]: https://github.com/thoughtbot/clearance/compare/v0.8.5...v0.8.6
289
629
 
290
- * Replaced routing hack with `Clearance::Routes.draw(map)` to give more control
291
- to the application developer.
292
- * Removed `attr_accessible` from `Clearance::User`.
293
- * Fixed bug in password reset feature.
294
- * Use Jeweler for gemming.
295
- * Remove dependency on `root_path`, use `'/'` instead.
296
- * Use `Clearance.configure` block to set mailer sender instead of `DO_NOT_REPLY`
630
+ ## [0.8.5] - January 20, 2010
631
+
632
+ ### Changed
633
+ - Removed `attr_accessible` from `Clearance::User`.
634
+ - Remove dependency on `root_path`, use `'/'` instead.
635
+ - Use `Clearance.configure` block to set mailer sender instead of `DO_NOT_REPLY`
297
636
  constant.
298
637
 
299
- New for 0.8.4 (December 08, 2009):
638
+ ### Fixed
639
+ - Replaced routing hack with `Clearance::Routes.draw(map)` to give more control
640
+ to the application developer.
641
+ - Fixed bug in password reset feature.
642
+
643
+ [0.8.5]: https://github.com/thoughtbot/clearance/compare/v0.8.4...v0.8.5
644
+
645
+ ## [0.8.4] - December 08, 2009
646
+
647
+ ### Fixed
648
+ - Remove unnecessary `require 'factory_girl'` in generator.
649
+
650
+ [0.8.4]: https://github.com/thoughtbot/clearance/compare/v0.8.3...v0.8.4
651
+
652
+ ## [0.8.3] - September 21, 2009
653
+
654
+ ### Fixed
655
+ - Avoid possible collisions in the remember me token.
656
+
657
+ [0.8.3]: https://github.com/thoughtbot/clearance/compare/v0.8.2...v0.8.3
658
+
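Review bot: In the 0.8.3 entry, "Avoid possible collisions in the remember me token." is filed under `### Fixed`, but this file already uses a `### Security` heading (0.10.5, 0.4.9), and a colliding remember-me token is an authentication concern rather than an ordinary bug. Consider moving it under `### Security` so readers scanning for security-relevant releases find it. The same question applies to the 0.8.6 bullet "Added randomness to token and salt generation,", which also still ends in a stray comma.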
659
+ ## [0.8.2] - September 01, 2009
300
660
 
301
- * Remove unnecessary `require 'factory_girl'` in generator.
302
- * Reference gemcutter (not github) as the gem source in README.
303
- * Add IRC, rdoc.info links to README.
304
- * Move user confirmation email trigger into model.
661
+ ### Added
662
+ - `current_user= accessor` method.
663
+ - Set `current_user` in `sign_in`.
305
664
 
306
- New for 0.8.3 (September 21, 2009):
665
+ [0.8.2]: https://github.com/thoughtbot/clearance/compare/v0.8.1...v0.8.2
307
666
 
308
- * Remove `class_eval` in `Clearance::Authentication`.
309
- * Avoid possible collisions in the remember me token.
667
+ ## [0.8.1] - August 31, 2009
310
668
 
311
- New for 0.8.2 (September 01, 2009):
669
+ ### Changed
670
+ - Removed unnecessary `remember_token_expires_at` column.
312
671
 
313
- * `current_user= accessor` method.
314
- * Set `current_user` in `sign_in`.
672
+ ### Removed
673
+ - Removed `remember?` and `forget_me!` user instance methods.
315
674
 
316
- New for 0.8.1 (August 31, 2009):
675
+ [0.8.1]: https://github.com/thoughtbot/clearance/compare/v0.8.0...v0.8.1
317
676
 
318
- * Removed unnecessary `remember_token_expires_at` column and the
319
- `remember?` and `forget_me!` user instance methods.
677
+ ## [0.8.0] - August 31, 2009
320
678
 
321
- New for 0.8.0 (August 31, 2009):
679
+ ### Added
680
+ - Documented `Clearance::Authentication` with YARD.
681
+ - Documented `Clearance::User` with YARD.
322
682
 
323
- * Always remember me. Replaced session-and-remember-me authentication with
683
+ ### Changed
684
+ - Always remember me. Replaced session-and-remember-me authentication with
324
685
  always using a cookie with a long timeout.
325
- * Documented `Clearance::Authentication` with YARD.
326
- * Documented `Clearance::User` with YARD.
327
686
 
328
- New for 0.7.0 (August 4, 2009):
687
+ [0.8.0]: https://github.com/thoughtbot/clearance/compare/v0.7.0...v0.8.0
329
688
 
330
- * Redirect signed in user who clicks confirmation link again.
331
- * Redirect signed out user who clicks confirmation link again.
332
- * Added `signed_out?` convenience method for controllers, helpers, views.
333
- * Added `clearance_views` generator. By default, creates formtastic views which
689
+ ## [0.7.0] - August 4, 2009
690
+
691
+ ### Added
692
+ - Added `signed_out?` convenience method for controllers, helpers, views.
693
+ - Added `clearance_views` generator. By default, creates formtastic views which
334
694
  pass all tests and features.
335
695
 
336
- New for 0.6.9 (July 4, 2009):
696
+ ### Fixed
697
+ - Redirect signed in user who clicks confirmation link again.
698
+ - Redirect signed out user who clicks confirmation link again.
699
+
700
+ [0.7.0]: https://github.com/thoughtbot/clearance/compare/v0.6.9...v0.7.0
701
+
702
+ ## [0.6.9] - July 4, 2009
337
703
 
338
- * Added timestamps to create users migration.
339
- * Ready for Ruby 1.9.
704
+ ### Added
705
+ - Added timestamps to create users migration.
706
+ - Ready for Ruby 1.9.
340
707
 
341
- New for 0.6.8 (June 24, 2009):
708
+ [0.6.9]: https://github.com/thoughtbot/clearance/compare/v0.6.8...v0.6.9
342
709
 
343
- * Added `defined?` checks for various Rails constants such as `ActionController`
710
+ ## [0.6.8] - June 24, 2009
711
+
712
+ ### Fixed
713
+ - Added `defined?` checks for various Rails constants such as `ActionController`
344
714
  for easier unit testing of Clearance extensions... particularly `ActiveRecord`
345
715
  extensions... `particularly strong_password`.
346
716
 
347
- New for 0.6.7 (June 13, 2009):
717
+ [0.6.8]: https://github.com/thoughtbot/clearance/compare/v0.6.7...v0.6.8
718
+
719
+ ## [0.6.7] - June 13, 2009
348
720
 
349
- * Added `sign_up`, `sign_in`, `sign_out` named routes.
350
- * Minimizing Reek smell: Duplication in `redirect_back_or`.
351
- * Deprecated `sign_user_in`. Told developers to use `sign_in` instead.
352
- * `flash_success_after_create`, `flash_notice_after_create`,
721
+ ### Added
722
+ - Added `sign_up`, `sign_in`, `sign_out` named routes.
723
+ - `flash_success_after_create`, `flash_notice_after_create`,
353
724
  `flash_failure_after_create`, `flash_sucess_after_update`,
354
725
  `flash_success_after_destroy`, etc.
355
- * Added `#create` to forbidden `before_filters` on confirmations controller.
356
- * `should_be_signed_in_as` shouldn't look in the session.
357
- * README improvements.
358
- * Move routes loading to separate file.
726
+ - Added `#create` to forbidden `before_filters` on confirmations controller.
727
+
728
+ ### Fixed
729
+ - `should_be_signed_in_as` shouldn't look in the session.
359
730
 
360
- New for 0.6.6 (May 18, 2009):
731
+ ### Deprecated
732
+ - Deprecated `sign_user_in`. Told developers to use `sign_in` instead.
361
733
 
362
- * replaced `class_eval` in `Clearance::User` with modules. This was needed
734
+ [0.6.7]: https://github.com/thoughtbot/clearance/compare/v0.6.6...v0.6.7
735
+
736
+ ## [0.6.6] - May 18, 2009
737
+
738
+ ### Fixed
739
+ - replaced `class_eval` in `Clearance::User` with modules. This was needed
363
740
  so we could write our own validations.
364
741
 
365
- New for 0.6.5 (May 17, 2009):
742
+ [0.6.6]: https://github.com/thoughtbot/clearance/compare/v0.6.5...v0.6.6
743
+
744
+ ## [0.6.5] - May 17, 2009
366
745
 
367
- * Make Clearance i18n aware.
746
+ ### Added
747
+ - Make Clearance i18n aware.
368
748
 
369
- New for 0.6.4 (May 12, 2009):
749
+ [0.6.5]: https://github.com/thoughtbot/clearance/compare/v0.6.4...v0.6.5
370
750
 
371
- * Moved issue tracking to Github from Lighthouse.
372
- * Asking higher-level questions of controllers in webrat steps, such as
373
- `signed_in`? instead of what's in the session. same for accessors.
374
- * Replacing `sign_in_as` & `sign_out` shoulda macros with a stubbing (requires no
375
- dependency) approach. this will avoid dealing with the internals of
751
+ ## [0.6.4] - May 12, 2009
752
+
753
+ ### Changed
754
+ - Replacing `sign_in_as` & `sign_out` shoulda macros with a stubbing (requires no
755
+ dependency) approach. This will avoid dealing with the internals of
376
756
  `current_user`, such as session & cookies. Added `sign_in` macro which signs in an
377
757
  email confirmed user from clearance's factories.
378
- * Move private methods on sessions controller into `Clearance::Authentication`
758
+ - Move private methods on sessions controller into `Clearance::Authentication`
379
759
  module.
380
- * Audited flash keys.
760
+ - Audited flash keys.
761
+
762
+ [0.6.4]: https://github.com/thoughtbot/clearance/compare/v0.6.3...v0.6.4
381
763
 
382
- New for 0.6.3 (April 23, 2009):
764
+ ## [0.6.3] - April 23, 2009
383
765
 
384
- * Scoping `ClearanceMailer` properly within controllers so it works in
766
+ ### Fixed
767
+ - Scoping `ClearanceMailer` properly within controllers so it works in
385
768
  production environments.
386
769
 
387
- New for 0.6.2 (April 22, 2009):
770
+ [0.6.3]: https://github.com/thoughtbot/clearance/compare/v0.6.2...v0.6.3
771
+
772
+ ## [0.6.2] - April 22, 2009
388
773
 
389
- * Insert `Clearance::User` into User model if it exists.
390
- * `World(NavigationHelpers)` Cucumber 3.0 style.
774
+ ### Added
775
+ - Insert `Clearance::User` into User model if it exists.
391
776
 
392
- New for 0.6.1 (April 21, 2009):
777
+ [0.6.2]: https://github.com/thoughtbot/clearance/compare/v0.6.1...v0.6.2
393
778
 
394
- * Scope operators are necessary to keep Rails happy. Reverting the original
779
+ ## [0.6.1] - April 21, 2009
780
+
781
+ ### Changed
782
+ - Scope operators are necessary to keep Rails happy. Reverting the original
395
783
  revert so they're back in the library now for constants referenced inside of
396
784
  the gem.
397
785
 
398
- New for 0.6.0 (April 21, 2009):
786
+ [0.6.1]: https://github.com/thoughtbot/clearance/compare/v0.6.0...v0.6.1
787
+
788
+ ## [0.6.0] - April 21, 2009
399
789
 
400
- * Converted Clearance to a Rails engine.
401
- * Include `Clearance::User` in User model in app.
402
- * Include `Clearance::Authentication` in `ApplicationController`.
403
- * Namespace controllers under `Clearance` module.
404
- * Routes move to engine, use namespaced controllers but publicly the same.
405
- * If you want to override a controller, subclass it like `SessionsController <
790
+ ### Changed
791
+ - Converted Clearance to a Rails engine.
792
+ - Include `Clearance::User` in User model in app.
793
+ - Include `Clearance::Authentication` in `ApplicationController`.
794
+ - Namespace controllers under `Clearance` module.
795
+ - Routes move to engine, use namespaced controllers but publicly the same.
796
+ - If you want to override a controller, subclass it like `SessionsController <
406
797
  Clearance::SessionsController`. This gives you access to usual hooks such as
407
798
  `url_after_create`.
408
- * Controllers, mailer, model, routes all unit tested inside engine. Use
799
+ - Controllers, mailer, model, routes all unit tested inside engine. Use
409
800
  `script/generate clearance_features` to test integration of Clearance with your
410
801
  Rails app. No longer including modules in your app's test files.
411
- * Moved views to engine.
412
- * Converted generated `test/factories/clearance.rb` to use inheritence for
802
+ - Moved views to engine.
803
+ - Converted generated `test/factories/clearance.rb` to use inheritence for
413
804
  `email_confirmed_user`.
414
- * Corrected some spelling errors with methods.
415
- * Converted "I should see error messages" to use a regex in the features.
416
- * Loading clearance routes after rails routes via some monkeypatching.
417
- * Made the clearance controllers `unloadable` to stop constant loading errors in
805
+ - Corrected some spelling errors with methods.
806
+ - Loading clearance routes after rails routes via some monkeypatching.
807
+ - Made the clearance controllers `unloadable` to stop constant loading errors in
418
808
  development mode.
419
809
 
420
- New for 0.5.6 (April 11, 2009):
810
+ [0.6.0]: https://github.com/thoughtbot/clearance/compare/v0.5.6...v0.6.0
811
+
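Review bot: The 0.6.0 bullet about `test/factories/clearance.rb` still carries the misspelling "inheritence". This patch already corrects "mising" in the 0.5.0 entry, so fix this one to "inheritance" in the same pass.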
812
+ ## [0.5.6] - April 11, 2009
421
813
 
422
- * Step definition changed for "User should see error messages" so features won't
814
+ ### Fixed
815
+ - Step definition changed for "User should see error messages" so features won't
423
816
  fail for certain validations.
424
817
 
425
- New for 0.5.5 (March 23, 2009):
818
+ [0.5.6]: https://github.com/thoughtbot/clearance/compare/v0.5.5...v0.5.6
819
+
820
+ ## [0.5.5] - March 23, 2009
821
+
822
+ ### Fixed
823
+ - Removing duplicate test to get rid of warning.
824
+
825
+ [0.5.5]: https://github.com/thoughtbot/clearance/compare/v0.5.4...v0.5.5
426
826
 
427
- * Removing duplicate test to get rid of warning.
827
+ ## [0.5.4] - March 21, 2009
428
828
 
429
- New for 0.5.4 (March 21, 2009):
829
+ ### Changed
830
+ - When users fail logging in, redirect them instead of rendering.
430
831
 
431
- * When users fail logging in, redirect them instead of rendering.
832
+ [0.5.4]: https://github.com/thoughtbot/clearance/compare/v0.5.3...v0.5.4
432
833
 
433
- New for 0.5.3 (March 5, 2009):
834
+ ## [0.5.3] - March 5, 2009
434
835
 
435
- * Clearance now works with (and requires) Shoulda 2.10.0.
436
- * Prefer flat over nested contexts in `sessions_controller_test`.
836
+ ### Changed
837
+ - Clearance now works with (and requires) Shoulda 2.10.0.
437
838
 
438
- New for 0.5.2 (March 2, 2009):
839
+ [0.5.3]: https://github.com/thoughtbot/clearance/compare/v0.5.2...v0.5.3
439
840
 
440
- * Fixed last remaining errors in Rails 2.3 tests. Now fully compatible.
841
+ ## [0.5.2] - March 2, 2009
441
842
 
442
- New for 0.5.1 (February 27, 2009):
843
+ ### Added
844
+ - Full compatible with Rails 2.3 (all tests pass)
443
845
 
444
- * A user with unconfirmed email who resets password now confirms email.
445
- * Refactored `user_from_cookie`, `user_from_session`, `User#authenticate` to use
446
- more direct return code instead of ugly, harder to read ternary.
447
- * Switch order of cookies and sessions to take advantage of Rails 2.3's
846
+ [0.5.2]: https://github.com/thoughtbot/clearance/compare/v0.5.1...v0.5.2
847
+
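Review bot: The new 0.5.2 bullet reads "Full compatible with Rails 2.3 (all tests pass)". This should be "Fully compatible", and unlike the neighbouring bullets it has no closing period. It is also filed under `### Added`, although the line it replaces described fixing the last remaining errors in the Rails 2.3 tests; `### Fixed` would keep the original meaning.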
848
+ ## [0.5.1] - February 27, 2009
849
+
850
+ ### Changed
851
+ - A user with unconfirmed email who resets password now confirms email.
852
+ - Switch order of cookies and sessions to take advantage of Rails 2.3's
448
853
  "Rack-based lazy-loaded sessions",
449
- * Altered generator to interact with `application_controller.rb` instead of
854
+ - Altered generator to interact with `application_controller.rb` instead of
450
855
  `application.rb` in Rails 2.3 apps.
451
- * Bug fix. Rack-based session change altered how to test remember me cookie.
452
856
 
453
- New for 0.5.0 (February 27, 2009):
857
+ ### Fixed
858
+ - Rack-based session change altered how to test remember me cookie.
859
+
860
+ [0.5.1]: https://github.com/thoughtbot/clearance/compare/v0.5.0...v0.5.1
861
+
862
+ ## [0.5.0] - February 27, 2009
863
+
864
+ ### Fixed
865
+ - Fixed problem with Cucumber features.
866
+ - Fixed missing HTTP fluency use case.
867
+
868
+ [0.5.0]: https://github.com/thoughtbot/clearance/compare/v0.4.9...v0.5.0
454
869
 
455
- * Fixed problem with Cucumber features.
456
- * Fixed mising HTTP fluency use case.
457
- * Refactored `User#update_password` to take just parameters it needs.
458
- * Refactored `User` unit tests to be more readable.
870
+ ## [0.4.9] - February 20, 2009
459
871
 
460
- New for 0.4.9 (February 20, 2009):
872
+ ### Changed
873
+ - Protect passwords & confirmations actions with forbidden filters.
874
+ - Return 403 Forbidden status code in those cases.
461
875
 
462
- * Protect passwords & confirmations actions with forbidden filters.
463
- * Return 403 Forbidden status code in those cases.
464
- * Test 403 Forbidden status code in Cucumber feature.
465
- * Raise custom `ActionController::Forbidden` error internally.
466
- * Test `ActionController::Forbidden` error is raised in functional test.
467
- * Fixed bug that allowed anyone to edit another user's password.
468
- * Required Factory Girl >= 1.2.0.
876
+ ### Security
877
+ - Fixed bug that allowed anyone to edit another user's password.
469
878
 
470
- New for 0.4.8 (February 16, 2009):
879
+ [0.4.9]: https://github.com/thoughtbot/clearance/compare/v0.4.8...v0.4.9
471
880
 
472
- * Added support paths for Cucumber.
473
- * Added documentation for the flash.
474
- * Generators `require 'test_helper'` instead of `File.join` for RR compatibility.
475
- * Removed interpolated email address from flash message to make i18n easier.
476
- * Standardized flash messages that refer to email delivery.
881
+ ## [0.4.8] - February 16, 2009
477
882
 
478
- New for 0.4.7 (February 12, 2009):
883
+ ### Added
884
+ - Added documentation for the flash.
885
+ - Generators `require 'test_helper'` instead of `File.join` for RR
886
+ compatibility.
479
887
 
480
- * Removed `Clearance::Test::TestHelper` so there is one less setup step.
481
- * All test helpers now in `shoulda_macros`.
888
+ ### Changed
889
+ - Removed interpolated email address from flash message to make i18n easier.
890
+ - Standardized flash messages that refer to email delivery.
482
891
 
483
- New for 0.4.6 (February 11, 2009):
892
+ [0.4.8]: https://github.com/thoughtbot/clearance/compare/v0.4.7...v0.4.8
484
893
 
485
- * Made the modules behave like mixins again.
486
- * Created `Actions` and `PrivateMethods` modules on controllers for future RDoc
894
+ ## [0.4.7] - February 12, 2009
895
+
896
+ ### Changed
897
+ - Removed `Clearance::Test::TestHelper` so there is one less setup step.
898
+ - All test helpers now in `shoulda_macros`.
899
+
900
+ [0.4.7]: https://github.com/thoughtbot/clearance/compare/v0.4.7...v0.4.7
901
+
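Review bot: The 0.4.7 link reference compares the tag with itself (`compare/v0.4.7...v0.4.7`), so it will render an empty comparison. The neighbouring references run from the preceding tag to the release's own tag, so this should be `compare/v0.4.6...v0.4.7`.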
902
+ ## [0.4.6] - February 11, 2009
903
+
904
+ ### Added
905
+ - Created `Actions` and `PrivateMethods` modules on controllers for future RDoc
487
906
  reasons.
488
907
 
489
- New for 0.4.5 (February 9, 2009):
908
+ [0.4.6]: https://github.com/thoughtbot/clearance/compare/v0.4.5...v0.4.6
490
909
 
491
- * Removed email downcasing because local-part is case sensitive per
492
- RFC5321.
493
- * Removed dependency on Mocha.
494
- * Required Shoulda >= 2.9.1.
495
- * Added password reset feature to `clearance_features` generator.
496
- * Removed unnecessary `session[:salt]`.
497
- * Only store location for `session[:return_to]` for GET requests.
498
- * Audited "sign up" naming convention. "Register" had slipped in a few places.
499
- * Switched to `SHA1` encryption. Cypher doesn't matter much for email
910
+ ## [0.4.5] - February 9, 2009
911
+
912
+ ### Added
913
+ - Added password reset feature to `clearance_features` generator.
914
+
915
+ ### Changed
916
+ - Only store location for `session[:return_to]` for GET requests.
917
+ - Audited "sign up" naming convention. "Register" had slipped in a few places.
918
+ - Switched to `SHA1` encryption. Cypher doesn't matter much for email
500
919
  confirmation, password reset. Better to have shorter hashes in the emails for
501
920
  clients who line break on 72 chars.
502
921
 
503
- New for 0.4.4 (February 2, 2009):
922
+ ### Removed
923
+ - Removed email downcasing because local-part is case sensitive per
924
+ RFC5321.
925
+ - Removed unnecessary `session[:salt]`.
926
+
927
+ [0.4.5]: https://github.com/thoughtbot/clearance/compare/v0.4.4...v0.4.5
928
+
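Review bot: In the 0.4.5 `### Changed` list, "Switched to `SHA1` encryption. Cypher doesn't matter much for email confirmation, password reset." is carried over unchanged, but SHA-1 is a hash function, not encryption or a cipher. Since the bullets are being rewritten anyway, suggest "Switched to SHA-1 hashing" (the 0.13.0 entry in this same diff already writes "SHA-1") and rewording the "Cypher" sentence to refer to the hash.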
929
+ ## [0.4.4] - February 2, 2009
930
+
931
+ ### Added
932
+ - Added a generator for Cucumber features.
933
+
934
+ ### Changed
935
+ - Standardized naming for "Sign up," "Sign in," and "Sign out".
504
936
 
505
- * Added a generator for Cucumber features.
506
- * Standardized naming for "Sign up," "Sign in," and "Sign out".
937
+ [0.4.4]: https://github.com/thoughtbot/clearance/compare/v0.3.7...v0.4.4