devise 0.8.2 → 0.9.0

data/app/views/passwords/new.html.erb

@@ -9,8 +9,4 @@
   <p><%= f.submit "Send me reset password instructions" %></p>
 <% end %>
 
-<%= link_to "Sign in", new_session_path(resource_name) %><br />
-
-<%- if devise_mapping.confirmable? %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

data/app/views/sessions/new.html.erb

@@ -16,10 +16,4 @@
   <% end -%>
 <% end%>
 
-<%- if devise_mapping.recoverable? %>
-  <%= link_to "Forgot password?", new_password_path(resource_name) %><br />
-<% end -%>
-
-<%- if devise_mapping.confirmable? %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

data/app/views/shared/_devise_links.erb

@@ -0,0 +1,15 @@
+<%- if controller_name != 'sessions' %>
+  <%= link_to t('devise.sessions.link'), new_session_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
+  <%= link_to t('devise.passwords.link'), new_password_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
+  <%= link_to t('devise.confirmations.link'), new_confirmation_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.lockable? && controller_name != 'unlocks' %>
+  <%= link_to t('devise.unlocks.link'), new_unlock_path(resource_name) %><br />
+<% end -%>

data/app/views/unlocks/new.html.erb

@@ -0,0 +1,12 @@
+<h2>Resend unlock instructions</h2>
+
+<% form_for resource_name, resource, :url => unlock_path(resource_name) do |f| %>
+  <%= f.error_messages %>
+
+  <p><%= f.label :email %></p>
+  <p><%= f.text_field :email %></p>
+
+  <p><%= f.submit "Resend unlock instructions" %></p>
+<% end %>
+
+<%= render :partial => "shared/devise_links" %>

data/generators/devise/templates/migration.rb

@@ -6,6 +6,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
       t.recoverable
       t.rememberable
       t.trackable
+      # t.lockable
 
       t.timestamps
     end
@@ -13,6 +14,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :email,                :unique => true
     add_index :<%= table_name %>, :confirmation_token,   :unique => true
     add_index :<%= table_name %>, :reset_password_token, :unique => true
+    # add_index :<%= table_name %>, :unlock_token,         :unique => true
   end
 
   def self.down

data/generators/devise/templates/model.rb

@@ -1,5 +1,8 @@
 class <%= class_name %> < ActiveRecord::Base
-  devise :all
+  # Include default devise modules.
+  # Others available are :lockable, :timeoutable and :activatable.
+  devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation
 end

data/generators/devise_install/templates/devise.rb

@@ -1,18 +1,10 @@
 # Use this hook to configure devise mailer, warden hooks and so forth. The first
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|
-  # Configure Devise modules used by default. You should always set this value
-  # because if Devise adds a new strategy, it won't be added to your application
-  # by default, unless you configure it here.
-  #
-  # Remember that Devise includes other modules on its own (like :activatable
-  # and :timeoutable) which are not included here and also plugins. So be sure
-  # to check the docs for a complete set.
-  config.all = [:authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable]
-
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
 
+  # ==> Configuration for :authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate
   # the encrypted password. By default no pepper is used.
   # config.pepper = "rake secret output"
@@ -34,18 +26,36 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # config.authentication_keys = [ :email ]
 
+  # ==> Configuration for :confirmable
   # The time you want give to your user to confirm his account. During this time
   # he will be able to access your application without confirming. Default is nil.
   # config.confirm_within = 2.days
 
+  # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
+  # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again.
   # config.timeout_in = 10.minutes
 
-  # Load and configure the ORM. Supports :active_record, :data_mapper and :mongo_mapper.
+  # ==> Configuration for :lockable
+  # Number of authentication tries before locking an account.
+  # config.maximum_attempts = 20
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Reanables login after a certain ammount of time (see :unlock_in below)
+  # :both  = enables both strategies
+  # config.unlock_strategy = :both
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> General configuration
+  # Load and configure the ORM. Supports :active_record (default), :mongo_mapper
+  # (requires mongo_ext installed) and :data_mapper (experimental).
   # require 'devise/orm/mongo_mapper'
   # config.orm = :mongo_mapper
 

data/lib/devise.rb

@@ -1,12 +1,12 @@
 module Devise
   autoload :FailureApp, 'devise/failure_app'
-  autoload :Mapping, 'devise/mapping'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
   module Controllers
-    autoload :Filters, 'devise/controllers/filters'
+    autoload :Common, 'devise/controllers/common'
     autoload :Helpers, 'devise/controllers/helpers'
+    autoload :InternalHelpers, 'devise/controllers/internal_helpers'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
@@ -26,22 +26,22 @@ module Devise
     autoload :MongoMapper, 'devise/orm/mongo_mapper'
   end
 
-  ALL = [:authenticatable, :activatable, :confirmable, :recoverable, :rememberable,
-         :timeoutable, :trackable, :validatable]
+  ALL = [:authenticatable, :activatable, :confirmable, :recoverable,
+         :rememberable, :validatable, :trackable, :timeoutable, :lockable]
 
   # Maps controller names to devise modules
   CONTROLLERS = {
     :sessions => [:authenticatable],
     :passwords => [:recoverable],
-    :confirmations => [:confirmable]
+    :confirmations => [:confirmable],
+    :unlocks => [:lockable]
   }
 
-  STRATEGIES  = [:authenticatable]
-  SERIALIZERS = [:session, :cookie]
+  STRATEGIES  = [:rememberable, :authenticatable]
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
   # Maps the messages types that are used in flash message.
-  FLASH_MESSAGES = [ :unauthenticated, :unconfirmed, :invalid, :timeout, :inactive ]
+  FLASH_MESSAGES = [ :unauthenticated, :unconfirmed, :invalid, :timeout, :inactive, :locked ]
 
   # Declare encryptors length which are used in migrations.
   ENCRYPTORS_LENGTH = {
@@ -86,15 +86,15 @@ module Devise
 
   # Store scopes mappings.
   mattr_accessor :mappings
-  @@mappings = {}
+  @@mappings = ActiveSupport::OrderedHash.new
 
   # Stores the chosen ORM.
   mattr_accessor :orm
   @@orm = :active_record
 
-  # Configure default options used in :all.
+  # TODO Remove
   mattr_accessor :all
-  @@all = Devise::ALL.dup
+  @@all = []
 
   # Tells if devise should apply the schema in ORMs where devise declaration
   # and schema belongs to the same class (as Datamapper and MongoMapper).
@@ -106,6 +106,19 @@ module Devise
   mattr_accessor :scoped_views
   @@scoped_views = false
 
+  # Number of authentication tries before locking an account
+  mattr_accessor :maximum_attempts
+  @@maximum_attempts = 20
+
+  # Defines which strategy can be used to unlock an account.
+  # Values: :email, :time, :both
+  mattr_accessor :unlock_strategy
+  @@unlock_strategy = :both
+
+  # Time interval to unlock the account if :time is defined as unlock_strategy.
+  mattr_accessor :unlock_in
+  @@unlock_in = 1.hour
+
   # Tell when to use the default scope, if one cannot be found from routes.
   mattr_accessor :use_default_scope
   @@use_default_scope
@@ -149,10 +162,8 @@ module Devise
     # block.
     def configure_warden(config) #:nodoc:
       config.default_strategies *Devise::STRATEGIES
-      config.default_serializers *Devise::SERIALIZERS
       config.failure_app = Devise::FailureApp
       config.silence_missing_strategies!
-      config.silence_missing_serializers!
       config.default_scope = Devise.default_scope
 
       # If the user provided a warden hook, call it now.
@@ -168,6 +179,42 @@ module Devise
     def friendly_token
       ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
     end
+
+    # Make Devise aware of an 3rd party Devise-module. For convenience.
+    #
+    # == Options:
+    #
+    #   +strategy+    - Boolean value representing if this module got a custom *strategy*.
+    #                   Default is +false+. Note: Devise will auto-detect this in such case if this is true.
+    #   +model+       - String representing a load path to a custom *model* for this module (to autoload).
+    #                   Default is +nil+ (i.e. +false+).
+    #   +controller+  - Symbol representing a name of an exisiting or custom *controller* for this module.
+    #                   Default is +nil+ (i.e. +false+).
+    #
+    # == Examples:
+    #
+    #   Devise.add_module(:party_module)
+    #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
+    #   Devise.add_module(:party_module, :model => 'party_module/model')
+    #
+    def add_module(module_name, options = {})
+      Devise::ALL.unshift module_name        unless Devise::ALL.include?(module_name)
+      Devise::STRATEGIES.unshift module_name if options[:strategy] && !Devise::STRATEGIES.include?(module_name)
+
+      if options[:controller]
+        controller = options[:controller].to_sym
+        Devise::CONTROLLERS[controller] ||= []
+        Devise::CONTROLLERS[controller].unshift module_name unless Devise::CONTROLLERS[controller].include?(module_name)
+      end
+
+      if options[:model]
+        Devise::Models.module_eval do
+          autoload :"#{module_name.to_s.classify}", options[:model]
+        end
+      end
+
+      Devise::Mapping.register module_name
+    end
   end
 end
 
@@ -178,8 +225,5 @@ rescue
   require 'warden'
 end
 
-# Clear some Warden default configuration which will be overwritten
-Warden::Strategies.clear!
-Warden::Serializers.clear!
-
-require 'devise/rails'
+require 'devise/mapping'
+require 'devise/rails'

data/lib/devise/controllers/common.rb

@@ -0,0 +1,24 @@
+module Devise
+  module Controllers
+    # Common actions shared between Devise controllers
+    module Common #:nodoc:
+      # GET /resource/controller/new
+      def new
+        build_resource
+        render_with_scope :new
+      end
+
+      # POST /resource/controller
+      def create
+        self.resource = resource_class.send(send_instructions_with, params[resource_name])
+
+        if resource.errors.empty?
+          set_flash_message :notice, :send_instructions
+          redirect_to new_session_path(resource_name)
+        else
+          render_with_scope :new
+        end
+      end
+    end
+  end
+end

data/lib/devise/controllers/helpers.rb

@@ -1,118 +1,198 @@
 module Devise
   module Controllers
-    # Those helpers are used only inside Devise controllers and should not be
-    # included in ApplicationController since they all depend on the url being
-    # accessed.
+    # Those helpers are convenience methods added to ApplicationController.
     module Helpers
 
       def self.included(base)
         base.class_eval do
-          unloadable
+          helper_method :warden, :signed_in?, :devise_controller?,
+                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?"] }.flatten
 
-          helper_method :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
-          hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
-
-          skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
-          before_filter :is_devise_resource?
+          # Use devise default_url_options. We have to declare it here to overwrite
+          # default definitions.
+          def default_url_options(options=nil)
+            Devise::Mapping.default_url_options
+          end
         end
       end
 
-      # Gets the actual resource stored in the instance variable
-      def resource
-        instance_variable_get(:"@#{resource_name}")
+      # The main accessor for the warden proxy instance
+      def warden
+        request.env['warden']
       end
 
-      # Proxy to devise map name
-      def resource_name
-        devise_mapping.name
+      # Return true if it's a devise_controller. false to all controllers unless
+      # the controllers defined inside devise. Useful if you want to apply a before
+      # filter to all controller, except the ones in devise:
+      #
+      #   before_filter :my_filter, :unless => { |c| c.devise_controller? }
+      def devise_controller?
+        false
       end
-      alias :scope_name :resource_name
 
-      # Proxy to devise map class
-      def resource_class
-        devise_mapping.to
+      # Attempts to authenticate the given scope by running authentication hooks,
+      # but does not redirect in case of failures.
+      def authenticate(scope)
+        warden.authenticate(:scope => scope)
       end
 
-      # Attempt to find the mapped route for devise based on request path
-      def devise_mapping
-        @devise_mapping ||= begin
-          mapping   = Devise::Mapping.find_by_path(request.path)
-          mapping ||= Devise.mappings[Devise.default_scope] if Devise.use_default_scope
-          mapping
-        end
+      # Attempts to authenticate the given scope by running authentication hooks,
+      # redirecting in case of failures.
+      def authenticate!(scope)
+        warden.authenticate!(:scope => scope)
       end
 
-      # Overwrites devise_controller? to return true
-      def devise_controller?
-        true
+      # Check if the given scope is signed in session, without running
+      # authentication hooks.
+      def signed_in?(scope)
+        warden.authenticate?(:scope => scope)
       end
 
-    protected
+      # Sign in an user that already was authenticated. This helper is useful for logging
+      # users in after sign up.
+      #
+      # Examples:
+      #
+      #   sign_in :user, @user    # sign_in(scope, resource)
+      #   sign_in @user           # sign_in(resource)
+      #
+      def sign_in(resource_or_scope, resource=nil)
+        scope      = Devise::Mapping.find_scope!(resource_or_scope)
+        resource ||= resource_or_scope
+        warden.set_user(resource, :scope => scope)
+      end
 
-      # Checks whether it's a devise mapped resource or not.
-      def is_devise_resource? #:nodoc:
-        raise ActionController::UnknownAction unless devise_mapping && devise_mapping.allows?(controller_name)
+      # Sign out a given user or scope. This helper is useful for signing out an user
+      # after deleting accounts.
+      #
+      # Examples:
+      #
+      #   sign_out :user     # sign_out(scope)
+      #   sign_out @user     # sign_out(resource)
+      #
+      def sign_out(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        warden.user(scope) # Without loading user here, before_logout hook is not called
+        warden.raw_session.inspect # Without this inspect here. The session does not clear.
+        warden.logout(scope)
       end
 
-      # Sets the resource creating an instance variable
-      def resource=(new_resource)
-        instance_variable_set(:"@#{resource_name}", new_resource)
+      # Returns and delete the url stored in the session for the given scope. Useful
+      # for giving redirect backs after sign up:
+      #
+      # Example:
+      #
+      #   redirect_to stored_location_for(:user) || root_path
+      #
+      def stored_location_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        session.delete(:"#{scope}.return_to")
       end
 
-      # Build a devise resource without setting password and password confirmation fields.
-      def build_resource
-        self.resource ||= begin
-          attributes = params[resource_name].try(:except, :password, :password_confirmation)
-          resource_class.new(attributes || {})
-        end
+      # The default url to be used after signing in. This is used by all Devise
+      # controllers and you can overwrite it in your ApplicationController to
+      # provide a custom hook for a custom resource.
+      #
+      # By default, it first tries to find a resource_root_path, otherwise it
+      # uses the root path. For a user scope, you can define the default url in
+      # the following way:
+      #
+      #   map.user_root '/users', :controller => 'users' # creates user_root_path
+      #
+      #   map.resources :users do |users|
+      #     users.root # creates user_root_path
+      #   end
+      #
+      #
+      # If none of these are defined, root_path is used. However, if this default
+      # is not enough, you can customize it, for example:
+      #
+      #   def after_sign_in_path_for(resource)
+      #     if resource.is_a?(User) && resource.can_publish?
+      #       publisher_url
+      #     else
+      #       super
+      #     end
+      #   end
+      #
+      def after_sign_in_path_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        home_path = :"#{scope}_root_path"
+        respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
-      # Helper for use in before_filters where no authentication is required.
+      # Method used by sessions controller to sign out an user. You can overwrite
+      # it in your ApplicationController to provide a custom hook for a custom
+      # scope. Notice that differently from +after_sign_in_path_for+ this method
+      # receives a symbol with the scope, and not the resource.
       #
-      # Example:
-      #   before_filter :require_no_authentication, :only => :new
-      def require_no_authentication
-        redirect_to after_sign_in_path_for(resource_name) if warden.authenticated?(resource_name)
+      # By default is the root_path.
+      def after_sign_out_path_for(resource_or_scope)
+        root_path
       end
 
-      # Sets the flash message with :key, using I18n. By default you are able
-      # to setup your messages using specific resource scope, and if no one is
-      # found we look to default scope.
-      # Example (i18n locale file):
-      #
-      #   en:
-      #     devise:
-      #       passwords:
-      #         #default_scope_messages - only if resource_scope is not found
-      #         user:
-      #           #resource_scope_messages
-      #
-      # Please refer to README or en.yml locale file to check what messages are
-      # available.
-      def set_flash_message(key, kind, now=false)
-        flash_hash = now ? flash.now : flash
-        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
-                            :scope => [:devise, controller_name.to_sym], :default => kind)
+      # Sign in an user and tries to redirect first to the stored location and
+      # then to the url specified by after_sign_in_path_for.
+      #
+      # If just a symbol is given, consider that the user was already signed in
+      # through other means and just perform the redirection.
+      def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
+        scope      = Devise::Mapping.find_scope!(resource_or_scope)
+        resource ||= resource_or_scope
+        sign_in(scope, resource) unless skip
+        redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
-      # Shortcut to set flash.now message. Same rules applied from set_flash_message
-      def set_now_flash_message(key, kind)
-        set_flash_message(key, kind, true)
+      # Sign out an user and tries to redirect to the url specified by
+      # after_sign_out_path_for.
+      def sign_out_and_redirect(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        sign_out(scope)
+        redirect_to after_sign_out_path_for(scope)
       end
 
-      # Render a view for the specified scope. Turned off by default.
-      # Accepts just :controller as option.
-      def render_with_scope(action, options={})
-        controller_name = options.delete(:controller) || self.controller_name
-        if Devise.scoped_views
-          begin
-            render :template => "#{controller_name}/#{devise_mapping.as}/#{action}"
-          rescue ActionView::MissingTemplate
-            render action, :controller => controller_name
+      # Define authentication filters and accessor helpers based on mappings.
+      # These filters should be used inside the controllers as before_filters,
+      # so you can control the scope of the user who should be signed in to
+      # access that specific controller/action.
+      # Example:
+      #
+      #   Maps:
+      #     User => :authenticatable
+      #     Admin => :authenticatable
+      #
+      #   Generated methods:
+      #     authenticate_user!  # Signs user in or redirect
+      #     authenticate_admin! # Signs admin in or redirect
+      #     user_signed_in?     # Checks whether there is an user signed in or not
+      #     admin_signed_in?    # Checks whether there is an admin signed in or not
+      #     current_user        # Current signed in user
+      #     current_admin       # Currend signed in admin
+      #     user_session        # Session data available only to the user scope
+      #     admin_session       # Session data available only to the admin scope
+      #
+      #   Use:
+      #     before_filter :authenticate_user!  # Tell devise to use :user map
+      #     before_filter :authenticate_admin! # Tell devise to use :admin map
+      #
+      Devise.mappings.each_key do |mapping|
+        class_eval <<-METHODS, __FILE__, __LINE__
+          def authenticate_#{mapping}!
+            warden.authenticate!(:scope => :#{mapping})
           end
-        else
-          render action, :controller => controller_name
-        end
+
+          def #{mapping}_signed_in?
+            warden.authenticate?(:scope => :#{mapping})
+          end
+
+          def current_#{mapping}
+            @current_#{mapping} ||= warden.authenticate(:scope => :#{mapping})
+          end
+
+          def #{mapping}_session
+            current_#{mapping} && warden.session(:#{mapping})
+          end
+        METHODS
       end
 
     end