devise 0.8.2 → 0.9.0

data/lib/devise/controllers/internal_helpers.rb

@@ -0,0 +1,120 @@
+module Devise
+  module Controllers
+    # Those helpers are used only inside Devise controllers and should not be
+    # included in ApplicationController since they all depend on the url being
+    # accessed.
+    module InternalHelpers #:nodoc:
+
+      def self.included(base)
+        base.class_eval do
+          unloadable
+
+          helper_method :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
+          hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
+
+          skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
+          before_filter :is_devise_resource?
+        end
+      end
+
+      # Gets the actual resource stored in the instance variable
+      def resource
+        instance_variable_get(:"@#{resource_name}")
+      end
+
+      # Proxy to devise map name
+      def resource_name
+        devise_mapping.name
+      end
+      alias :scope_name :resource_name
+
+      # Proxy to devise map class
+      def resource_class
+        devise_mapping.to
+      end
+
+      # Attempt to find the mapped route for devise based on request path
+      def devise_mapping
+        @devise_mapping ||= begin
+          mapping   = Devise::Mapping.find_by_path(request.path)
+          mapping ||= Devise.mappings[Devise.default_scope] if Devise.use_default_scope
+          mapping
+        end
+      end
+
+      # Overwrites devise_controller? to return true
+      def devise_controller?
+        true
+      end
+
+    protected
+
+      # Checks whether it's a devise mapped resource or not.
+      def is_devise_resource? #:nodoc:
+        raise ActionController::UnknownAction unless devise_mapping && devise_mapping.allows?(controller_name)
+      end
+
+      # Sets the resource creating an instance variable
+      def resource=(new_resource)
+        instance_variable_set(:"@#{resource_name}", new_resource)
+      end
+
+      # Build a devise resource without setting password and password confirmation fields.
+      def build_resource
+        self.resource ||= begin
+          attributes = params[resource_name].try(:except, :password, :password_confirmation)
+          resource_class.new(attributes || {})
+        end
+      end
+
+      # Helper for use in before_filters where no authentication is required.
+      #
+      # Example:
+      #   before_filter :require_no_authentication, :only => :new
+      def require_no_authentication
+        redirect_to after_sign_in_path_for(resource_name) if warden.authenticated?(resource_name)
+      end
+
+      # Sets the flash message with :key, using I18n. By default you are able
+      # to setup your messages using specific resource scope, and if no one is
+      # found we look to default scope.
+      # Example (i18n locale file):
+      #
+      #   en:
+      #     devise:
+      #       passwords:
+      #         #default_scope_messages - only if resource_scope is not found
+      #         user:
+      #           #resource_scope_messages
+      #
+      # Please refer to README or en.yml locale file to check what messages are
+      # available.
+      def set_flash_message(key, kind, now=false)
+        flash_hash = now ? flash.now : flash
+        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
+                            :scope => [:devise, controller_name.to_sym], :default => kind)
+      end
+
+      # Shortcut to set flash.now message. Same rules applied from set_flash_message
+      def set_now_flash_message(key, kind)
+        set_flash_message(key, kind, true)
+      end
+
+      # Render a view for the specified scope. Turned off by default.
+      # Accepts just :controller as option.
+      def render_with_scope(action, options={})
+        controller_name = options.delete(:controller) || self.controller_name
+        if Devise.scoped_views
+          begin
+            render :template => "#{controller_name}/#{devise_mapping.as}/#{action}"
+          rescue ActionView::MissingTemplate
+            render action, :controller => controller_name
+          end
+        else
+          render action, :controller => controller_name
+        end
+      end
+
+    end
+  end
+end

data/lib/devise/controllers/url_helpers.rb

@@ -19,7 +19,7 @@ module Devise
     # Those helpers are added to your ApplicationController.
     module UrlHelpers
 
-      [:session, :password, :confirmation].each do |module_name|
+      [:session, :password, :confirmation, :unlock].each do |module_name|
         [:path, :url].each do |path_or_url|
           actions = [ nil, :new_ ]
           actions << :edit_    if module_name == :password
@@ -28,15 +28,7 @@ module Devise
           actions.each do |action|
             class_eval <<-URL_HELPERS
               def #{action}#{module_name}_#{path_or_url}(resource, *args)
-                resource = case resource
-                  when Symbol, String
-                    resource
-                  when Class
-                    resource.name.underscore
-                  else
-                    resource.class.name.underscore
-                end
-
+                resource = Devise::Mapping.find_scope!(resource)
                 send("#{action}\#{resource}_#{module_name}_#{path_or_url}", *args)
               end
             URL_HELPERS

data/lib/devise/encryptors/bcrypt.rb

@@ -2,10 +2,10 @@ require "bcrypt"
 
 module Devise
   module Encryptors
-    # = BCrypt 
+    # = BCrypt
     # Uses the BCrypt hash algorithm to encrypt passwords.
     class Bcrypt < Base
-      
+
       # Gererates a default password digest based on stretches, salt, pepper and the
       # incoming password. We don't strech it ourselves since BCrypt does so internally.
       def self.digest(password, stretches, salt, pepper)

data/lib/devise/hooks/activatable.rb

@@ -1,7 +1,4 @@
-# Each time the user is set we verify if it is still able to really sign in.
-# This is done by checking the time frame the user is able to sign in without
-# confirming it's account. If the user has not confirmed it's account during
-# this time frame, he/she will not able to sign in anymore.
+# Deny user access whenever his account is not active yet.
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active?) && !record.active?
     scope = options[:scope]

data/lib/devise/hooks/rememberable.rb

@@ -0,0 +1,30 @@
+# After authenticate hook to verify if the user in the given scope asked to be
+# remembered while he does not sign out. Generates a new remember token for
+# that specific user and adds a cookie with this user info to sign in this user
+# automatically without asking for credentials. Refer to rememberable strategy
+# for more info.
+Warden::Manager.after_authentication do |record, warden, options|
+  scope = options[:scope]
+  remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
+
+  if Devise::TRUE_VALUES.include?(remember_me) &&
+     warden.authenticated?(scope) && record.respond_to?(:remember_me!)
+    record.remember_me!
+
+    warden.response.set_cookie "remember_#{scope}_token", {
+      :value => record.class.serialize_into_cookie(record),
+      :expires => record.remember_expires_at,
+      :path => "/"
+    }
+  end
+end
+
+# Before logout hook to forget the user in the given scope, only if rememberable
+# is activated for this scope. Also clear remember token to ensure the user
+# won't be remembered again.
+Warden::Manager.before_logout do |record, warden, scope|
+  if record.respond_to?(:forget_me!)
+    record.forget_me!
+    warden.response.delete_cookie "remember_#{scope}_token"
+  end
+end

data/lib/devise/hooks/timeoutable.rb

@@ -5,12 +5,14 @@
 # verify timeout in the following request.
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
-  if record && record.respond_to?(:timeout?) && warden.authenticated?(scope)
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
     last_request_at = warden.session(scope)['last_request_at']
-    if record.timeout?(last_request_at)
+
+    if record.timedout?(last_request_at)
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :timeout
     end
+
     warden.session(scope)['last_request_at'] = Time.now.utc
   end
 end

data/lib/devise/locales/en.yml

@@ -1,21 +1,28 @@
 en:
   devise:
     sessions:
+      link: 'Sign in'
       signed_in: 'Signed in successfully.'
       signed_out: 'Signed out successfully.'
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
+      locked: 'Your account is locked.'
       invalid: 'Invalid email or password.'
       timeout: 'Your session expired, please sign in again to continue.'
       inactive: 'Your account was not activated yet.'
     passwords:
+      link: 'Forgot password?'
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
     confirmations:
+      link: "Didn't receive confirmation instructions?"
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
+    unlocks:
+      link: "Didn't receive unlock instructions?"
+      send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
+      unlocked: 'Your account was successfully unlocked. You are now signed in.'
     mailer:
       confirmation_instructions: 'Confirmation instructions'
       reset_password_instructions: 'Reset password instructions'
-
-
+      unlock_instructions: 'Unlock Instructions'

data/lib/devise/mapping.rb

@@ -42,7 +42,8 @@ module Devise
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
-      if duck.is_a?(Symbol)
+      case duck
+      when String, Symbol
         duck
       else
         klass = duck.is_a?(Class) ? duck : duck.class
@@ -61,9 +62,8 @@ module Devise
       @as    = (options.delete(:as) || name).to_sym
       @klass = (options.delete(:class_name) || name.to_s.classify).to_s
       @name  = (options.delete(:scope) || name.to_s.singularize).to_sym
-      @path_names  = options.delete(:path_names) || {}
-      @path_prefix = options.delete(:path_prefix).to_s
-      @path_prefix << "/" unless @path_prefix[-1] == ?/
+      @path_names = options.delete(:path_names) || {}
+      @path_prefix = "/#{options.delete(:path_prefix)}/".squeeze("/")
       @route_options = options || {}
 
       setup_path_names
@@ -104,11 +104,12 @@ module Devise
     def parsed_path
       returning raw_path do |path|
         self.class.default_url_options.each do |key, value|
-          path.gsub!(key.inspect, value.to_s)
+          path.gsub!(key.inspect, value.to_param)
         end
       end
     end
 
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #
@@ -116,13 +117,16 @@ module Devise
     #     self.for.include?(:confirmable)
     #   end
     #
-    ALL.each do |m|
-      class_eval <<-METHOD, __FILE__, __LINE__
-        def #{m}?
-          self.for.include?(:#{m})
-        end
-      METHOD
+    def self.register(*modules)
+      modules.each do |m|
+        class_eval <<-METHOD, __FILE__, __LINE__
+          def #{m}?
+            self.for.include?(:#{m})
+          end
+        METHOD
+      end
     end
+    Devise::Mapping.register *ALL
 
     private
 

data/lib/devise/models.rb

@@ -1,14 +1,14 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable' 
-    autoload :Confirmable, 'devise/models/confirmable' 
-    autoload :Recoverable, 'devise/models/recoverable' 
+    autoload :Authenticatable, 'devise/models/authenticatable'
+    autoload :Confirmable, 'devise/models/confirmable'
+    autoload :Lockable, 'devise/models/lockable'
+    autoload :Recoverable, 'devise/models/recoverable'
     autoload :Rememberable, 'devise/models/rememberable'
-    autoload :SessionSerializer, 'devise/models/session_serializer'
-    autoload :Timeoutable, 'devise/models/timeoutable' 
-    autoload :Trackable, 'devise/models/trackable' 
-    autoload :Validatable, 'devise/models/validatable' 
+    autoload :Timeoutable, 'devise/models/timeoutable'
+    autoload :Trackable, 'devise/models/trackable'
+    autoload :Validatable, 'devise/models/validatable'
 
     # Creates configuration values for Devise and for the given module.
     #
@@ -46,43 +46,24 @@ module Devise
       end
     end
 
-    # Shortcut method for including all devise modules inside your model.
-    # You can give some extra options while declaring devise in your model:
+    # Include the chosen devise modules in your model:
     #
-    # * except: convenient option that allows you to add all devise modules,
-    #   removing only the modules you setup here:
-    #
-    #    devise :all, :except => :rememberable
+    #   devise :authenticatable, :confirmable, :recoverable
     #
     # You can also give the following configuration values in a hash: :pepper,
     # :stretches, :confirm_within and :remember_for. Please check your Devise
     # initialiazer for a complete description on those values.
     #
-    # Examples:
-    #
-    #   # include only authenticatable module
-    #   devise :authenticatable
-    #
-    #   # include authenticatable + confirmable modules
-    #   devise :authenticatable, :confirmable
-    #
-    #   # include authenticatable + recoverable modules
-    #   devise :authenticatable, :recoverable
-    #
-    #   # include authenticatable + rememberable + validatable modules
-    #   devise :authenticatable, :rememberable, :validatable
-    #
-    #   # shortcut to include all available modules
-    #   devise :all
-    #
-    #   # include all except recoverable
-    #   devise :all, :except => :recoverable
-    #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-
       options  = modules.extract_options!
-      modules += Devise.all if modules.delete(:all)
+
+      # TODO Remove me
+      if modules.delete(:all)
+        ActiveSupport::Deprecation.warn "devise :all is deprecated. List your modules instead", caller
+        modules += Devise.all
+      end
+
       modules -= Array(options.delete(:except))
       modules  = Devise::ALL & modules.uniq
 

data/lib/devise/models/activatable.rb

@@ -5,7 +5,7 @@ module Devise
     # This module implements the default API required in activatable hook. 
     module Activatable
       def active?
-        raise NotImplementedError
+        true
       end
 
       def inactive_message

data/lib/devise/models/authenticatable.rb

@@ -1,5 +1,4 @@
 require 'devise/strategies/authenticatable'
-require 'devise/models/session_serializer'
 
 module Devise
   module Models
@@ -31,7 +30,6 @@ module Devise
       def self.included(base)
         base.class_eval do
           extend ClassMethods
-          extend SessionSerializer
 
           attr_reader :password, :old_password
           attr_accessor :password_confirmation
@@ -84,13 +82,7 @@ module Devise
           return unless authentication_keys.all? { |k| attributes[k].present? }
           conditions = attributes.slice(*authentication_keys)
           resource = find_for_authentication(conditions)
-          if respond_to?(:valid_for_authentication)
-            ActiveSupport::Deprecation.warn "valid_for_authentication class method is deprecated. " <<
-              "Use valid_for_authentication? in the instance instead."
-            valid_for_authentication(resource, attributes)
-          elsif resource.try(:valid_for_authentication?, attributes)
-            resource
-          end
+          resource if resource.try(:valid_for_authentication?, attributes)
         end
 
         # Returns the class for the configured encryptor.

data/lib/devise/models/confirmable.rb

@@ -76,12 +76,16 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        confirmed? || confirmation_period_valid?
+        super && (confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        :unconfirmed
+        if !confirmed?
+          :unconfirmed
+        else
+          super
+        end
       end
 
       # If you don't want confirmation to be sent on create, neither a code

data/lib/devise/models/lockable.rb

@@ -0,0 +1,142 @@
+require 'devise/models/activatable'
+
+module Devise
+  module Models
+
+    module Lockable
+      include Devise::Models::Activatable
+      include Devise::Models::Authenticatable
+
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+        end
+      end
+
+      # Lock an user setting it's locked_at to actual time.
+      def lock
+        self.locked_at = Time.now
+        if [:both, :email].include?(self.class.unlock_strategy)
+          generate_unlock_token
+          self.send_unlock_instructions
+        end
+      end
+
+      # calls lock and save the model
+      def lock!
+        self.lock
+        save(false)
+      end
+
+      # Unlock an user by cleaning locket_at and failed_attempts
+      def unlock!
+        if_locked do
+          self.locked_at = nil
+          self.failed_attempts = 0
+          self.unlock_token = nil
+          save(false)
+        end
+      end
+
+      # Verifies whether a user is locked or not
+      def locked?
+        self.locked_at && !lock_expired?
+      end
+
+      # Send unlock instructions by email
+      def send_unlock_instructions
+        ::DeviseMailer.deliver_unlock_instructions(self)
+      end
+
+      # Resend the unlock instructions if the user is locked
+      def resend_unlock!
+        if_locked do
+          generate_unlock_token unless self.unlock_token.present?
+          save(false)
+          send_unlock_instructions
+        end
+      end
+
+      # Overwrites active? from Devise::Models::Activatable for locking purposes
+      # by verifying whether an user is active to sign in or not based on locked?
+      def active?
+        super && !locked?
+      end
+
+      # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
+      # for verifying whether an user is allowed to sign in or not. If the user
+      # is locked, it should never be allowed.
+      def valid_for_authentication?(attributes)
+        if result = super
+          self.failed_attempts = 0
+        else
+          self.failed_attempts += 1
+          self.lock if self.failed_attempts > self.class.maximum_attempts
+        end
+        save(false) if changed?
+        result
+      end
+
+      # Overwrites invalid_message from Devise::Models::Authenticatable to define
+      # the correct reason for blocking the sign in.
+      def inactive_message
+        if locked?
+          :locked
+        else
+          super
+        end
+      end
+
+      protected
+
+        # Generates unlock token
+        def generate_unlock_token
+          self.unlock_token = Devise.friendly_token
+        end
+
+        # Tells if the lock is expired if :time unlock strategy is active
+        def lock_expired?
+          if [:both, :time].include?(self.class.unlock_strategy)
+            self.locked_at && self.locked_at < self.class.unlock_in.ago
+          else
+            false
+          end
+        end
+
+        # Checks whether the record is locked or not, yielding to the block
+        # if it's locked, otherwise adds an error to email.
+        def if_locked
+          if locked?
+            yield
+          else
+            self.class.add_error_on(self, :email, :not_locked)
+            false
+          end
+        end
+
+      module ClassMethods
+        # Attempt to find a user by it's email. If a record is found, send new
+        # unlock instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_unlock_instructions(attributes={})
+         lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+         lockable.resend_unlock! unless lockable.new_record?
+         lockable
+        end
+
+        # Find a user by it's unlock token and try to unlock it.
+        # If no user is found, returns a new user with an error.
+        # If the user is not locked, creates an error for the user
+        # Options must have the unlock_token
+        def unlock!(attributes={})
+          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
+          lockable.unlock! unless lockable.new_record?
+          lockable
+        end
+
+        Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
+      end
+    end
+  end
+end