devise 1.0.11 → 1.1.pre

data/lib/devise/controllers/scoped_views.rb

@@ -0,0 +1,35 @@
+module Devise
+  module Controllers
+    module ScopedViews
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def scoped_views
+          defined?(@scoped_views) ? @scoped_views : Devise.scoped_views
+        end
+
+        def scoped_views=(value)
+          @scoped_views = value
+        end
+      end
+
+    protected
+
+      # Render a view for the specified scope. Turned off by default.
+      # Accepts just :controller as option.
+      def render_with_scope(action, options={})
+        controller_name = options.delete(:controller) || self.controller_name
+
+        if self.class.scoped_views
+          begin
+            render :template => "#{devise_mapping.as}/#{controller_name}/#{action}"
+          rescue ActionView::MissingTemplate
+            render :template => "#{controller_path}/#{action}"
+          end
+        else
+          render :template => "#{controller_path}/#{action}"
+        end
+      end
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -22,8 +22,12 @@ module Devise
       options = @env['warden.options']
       scope   = options[:scope]
 
-      redirect_path = redirect_path_for(scope)
-      query_string  = query_string_for(options)
+      redirect_path = if mapping = Devise.mappings[scope]
+        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+      query_string = query_string_for(options)
       store_location!(scope)
 
       headers = {}
@@ -50,23 +54,12 @@ module Devise
       Rack::Utils.build_query(params)
     end
 
-    # Build the path based on current scope.
-    def redirect_path_for(scope)
-      if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
-      else
-        "/#{default_url}"
-      end
-    end
-
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
     def store_location!(scope)
-      if request && request.get? && !request.xhr?
-        session[:"#{scope}.return_to"] = request.request_uri
-      end
+      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
     end
   end
 end

data/lib/devise/hooks/rememberable.rb

@@ -22,12 +22,9 @@ end
 # Before logout hook to forget the user in the given scope, only if rememberable
 # is activated for this scope. Also clear remember token to ensure the user
 # won't be remembered again.
-# Notice that we forget the user if the record is frozen. This usually means the
-# user was just deleted.
-Warden::Manager.before_logout do |record, warden, options|
-  scope = options[:scope]
+Warden::Manager.before_logout do |record, warden, scope|
   if record.respond_to?(:forget_me!)
-    record.forget_me! unless record.frozen?
-    warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
+    record.forget_me!
+    warden.response.delete_cookie "remember_#{scope}_token"
   end
 end

data/lib/devise/hooks/trackable.rb

@@ -13,6 +13,6 @@ Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
     record.sign_in_count ||= 0
     record.sign_in_count += 1
 
-    record.save(false)
+    record.save(:validate => false)
   end
 end

data/lib/devise/mapping.rb

@@ -22,7 +22,7 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix, :route_options, :sign_out_via
+    attr_reader :name, :as, :path_names, :path_prefix
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
@@ -34,19 +34,26 @@ module Devise
       nil
     end
 
+    # Find a mapping by a given class. It takes into account single table inheritance as well.
+    def self.find_by_class(klass)
+      Devise.mappings.each_value do |mapping|
+        return mapping if klass <= mapping.to
+      end
+      nil
+    end
+
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
       case duck
       when String, Symbol
-        return duck
-      when Class
-        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
+        duck
       else
-        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
+        klass = duck.is_a?(Class) ? duck : duck.class
+        mapping = Devise::Mapping.find_by_class(klass)
+        raise "Could not find a valid mapping for #{duck}" unless mapping
+        mapping.name
       end
-
-      raise "Could not find a valid mapping for #{duck}"
     end
 
     # Default url options which can be used as prefix.
@@ -59,13 +66,9 @@ module Devise
       @klass = (options.delete(:class_name) || name.to_s.classify).to_s
       @name  = (options.delete(:scope) || name.to_s.singularize).to_sym
 
-      @path_prefix   = "/#{options.delete(:path_prefix)}/".squeeze("/")
-      @route_options = options || {}
-
-      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_prefix = "/#{options.delete(:path_prefix)}/".squeeze("/")
+      @path_names  = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(options.delete(:path_names) || {})
-
-      @sign_out_via = (options.delete(:sign_out_via) || :get)
     end
 
     # Return modules for the mapping.
@@ -98,17 +101,13 @@ module Devise
 
     # Returns the parsed path taking into account the relative url root and raw path.
     def parsed_path
-      (ActionController::Base.relative_url_root.to_s + raw_path).tap do |path|
+      returning (ActionController::Base.relative_url_root.to_s + raw_path) do |path|
         self.class.default_url_options.each do |key, value|
           path.gsub!(key.inspect, value.to_param)
         end
       end
     end
 
-    def authenticatable?
-      @authenticatable ||= self.for.any? { |m| m.to_s =~ /authenticatable/ }
-    end
-
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

data/lib/devise/models.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :DatabaseAuthenticatable, 'devise/models/database_authenticatable'
+    autoload :Authenticatable, 'devise/models/authenticatable'
     autoload :Confirmable, 'devise/models/confirmable'
     autoload :Lockable, 'devise/models/lockable'
     autoload :Recoverable, 'devise/models/recoverable'
@@ -57,12 +57,7 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-      options = modules.extract_options!
-
-      if modules.delete(:authenticatable)
-        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
-        modules << :database_authenticatable
-      end
+      options  = modules.extract_options!
 
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 
@@ -94,24 +89,13 @@ module Devise
         if value.present?
           record.send(:"#{attribute}=", value)
         else
-          error, skip_default = :blank, true
+          error = :blank
         end
 
-        add_error_on(record, attribute, error, !skip_default)
+        record.errors.add(attribute, error)
       end
 
       record
     end
-
-    # Wraps add error logic in a method that works for different frameworks.
-    def add_error_on(record, attribute, error, add_default=true)
-      options = add_default ? { :default => error.to_s.gsub("_", " ") } : {}
-
-      begin
-        record.errors.add(attribute, error, options)
-      rescue ArgumentError
-        record.errors.add(attribute, error.to_s.gsub("_", " "))
-      end
-    end
   end
 end

data/lib/devise/models/{database_authenticatable.rb → authenticatable.rb}

@@ -1,4 +1,4 @@
-require 'devise/strategies/database_authenticatable'
+require 'devise/strategies/authenticatable'
 
 module Devise
   module Models
@@ -26,20 +26,12 @@ module Devise
     #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
-    module DatabaseAuthenticatable
-      def self.included(base)
-        base.class_eval do
-          extend ClassMethods
+    module Authenticatable
+      extend ActiveSupport::Concern
 
-          attr_reader :password, :current_password
-          attr_accessor :password_confirmation
-        end
-      end
-
-      # TODO Remove me in next release
-      def old_password
-        ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
-        @old_password
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
       end
 
       # Regenerates password salt and encrypted password each time password is set,
@@ -55,7 +47,13 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
+        password_digest(incoming_password) == self.encrypted_password
+      end
+
+      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
+      # is the user authentication token.
+      def valid_authentication_token?(incoming_auth_token)
+        incoming_auth_token == self.authentication_token
       end
 
       # Checks if a resource is valid upon authentication.
@@ -74,16 +72,13 @@ module Devise
       def update_with_password(params={})
         current_password = params.delete(:current_password)
 
-        if params[:password].blank?
-          params.delete(:password)
-          params.delete(:password_confirmation) if params[:password_confirmation].blank?
-        end
+        params.delete(:password)              if params[:password].blank?
+        params.delete(:password_confirmation) if params[:password_confirmation].blank?
 
         result = if valid_password?(current_password)
           update_attributes(params)
         else
-          message = current_password.blank? ? :blank : :invalid
-          self.class.add_error_on(self, :current_password, message, false)
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           self.attributes = params
           false
         end
@@ -94,13 +89,6 @@ module Devise
 
       protected
 
-        # Checks whether a password is needed or not. For validations only.
-        # Passwords are always required if it's a new record, or if the password
-        # or confirmation are being set somewhere.
-        def password_required?
-          new_record? || !password.nil? || !password_confirmation.nil?
-        end
-
         # Digests the password using the configured encryptor.
         def password_digest(password)
           self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)

data/lib/devise/models/confirmable.rb

@@ -29,15 +29,12 @@ module Devise
     #   User.find(1).send_confirmation_instructions # manually send instructions
     #   User.find(1).resend_confirmation! # generates a new token and resent it
     module Confirmable
+      extend ActiveSupport::Concern
       include Devise::Models::Activatable
 
-      def self.included(base)
-        base.class_eval do
-          extend ClassMethods
-
-          before_create :generate_confirmation_token, :if => :confirmation_required?
-          after_create  :send_confirmation_instructions, :if => :confirmation_required?
-        end
+      included do
+        before_create :generate_confirmation_token, :if => :confirmation_required?
+        after_create  :send_confirmation_instructions, :if => :confirmation_required?
       end
 
       # Confirm a user by setting it's confirmed_at to actual time. If the user
@@ -46,7 +43,7 @@ module Devise
         unless_confirmed do
           self.confirmation_token = nil
           self.confirmed_at = Time.now
-          save(false)
+          save(:validate => false)
         end
       end
 
@@ -57,13 +54,18 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
-        generate_confirmation_token! if self.confirmation_token.nil?
-        ::DeviseMailer.deliver_confirmation_instructions(self)
+        ::Devise::Mailer.confirmation_instructions(self).deliver
       end
 
-      # Resend confirmation token. This method does not need to generate a new token.
-      def resend_confirmation_token
-        unless_confirmed { send_confirmation_instructions }
+      # Remove confirmation date and send confirmation instructions, to ensure
+      # after sending these instructions the user won't be able to sign in without
+      # confirming it's account
+      def resend_confirmation!
+        unless_confirmed do
+          generate_confirmation_token
+          save(:validate => false)
+          send_confirmation_instructions
+        end
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -71,12 +73,16 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
+        super && (confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        !confirmed? ? :unconfirmed : super
+        if !confirmed?
+          :unconfirmed
+        else
+          super
+        end
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -122,7 +128,7 @@ module Devise
           unless confirmed?
             yield
           else
-            self.class.add_error_on(self, :email, :already_confirmed)
+            self.errors.add(:email, :already_confirmed)
             false
           end
         end
@@ -135,10 +141,6 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
-        def generate_confirmation_token!
-          generate_confirmation_token && save(false)
-        end
-
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
@@ -146,7 +148,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation_token unless confirmable.new_record?
+          confirmable.resend_confirmation! unless confirmable.new_record?
           confirmable
         end
 
@@ -154,8 +156,8 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm_by_token(confirmation_token)
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+        def confirm!(attributes={})
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
           confirmable.confirm! unless confirmable.new_record?
           confirmable
         end

data/lib/devise/models/http_authenticatable.rb

@@ -3,16 +3,12 @@ require 'devise/strategies/http_authenticatable'
 module Devise
   module Models
     # Adds HttpAuthenticatable behavior to your model. It expects that your
-    # model class responds to authenticate method
-    # (which for example is defined in authenticatable).
+    # model class responds to authenticate and authentication_keys methods
+    # (which for example are defined in authenticatable).
     module HttpAuthenticatable
-      def self.included(base)
-        base.extend ClassMethods
-      end
+      extend ActiveSupport::Concern
 
       module ClassMethods
-        Devise::Models.config(self, :authentication_keys)
-
         # Authenticate an user using http.
         def authenticate_with_http(username, password)
           authenticate(authentication_keys.first => username, :password => password)

data/lib/devise/models/lockable.rb

@@ -18,62 +18,67 @@ module Devise
     #              available when unlock_strategy is :time or :both.
     #
     module Lockable
+      extend ActiveSupport::Concern
       include Devise::Models::Activatable
 
-      def self.included(base)
-        base.class_eval do
-          extend ClassMethods
-        end
-      end
-
       # Lock an user setting it's locked_at to actual time.
-      def lock_access!
-        return true if access_locked?
+      def lock
         self.locked_at = Time.now
-
-        if self.class.unlock_strategy_enabled?(:email)
+        if unlock_strategy_enabled?(:email)
           generate_unlock_token
           send_unlock_instructions
         end
+      end
 
-        save(false)
+      # Lock an user also saving the record.
+      def lock!
+        lock
+        save(:validate => false)
       end
 
       # Unlock an user by cleaning locket_at and failed_attempts.
-      def unlock_access!
-        if_access_locked do
+      def unlock!
+        if_locked do
           self.locked_at = nil
           self.failed_attempts = 0
           self.unlock_token = nil
-          save(false)
+          save(:validate => false)
         end
       end
 
       # Verifies whether a user is locked or not.
-      def access_locked?
+      def locked?
         locked_at && !lock_expired?
       end
 
       # Send unlock instructions by email
       def send_unlock_instructions
-        ::DeviseMailer.deliver_unlock_instructions(self)
+        ::Devise::Mailer.unlock_instructions(self).deliver
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock_token
-        if_access_locked { send_unlock_instructions }
+      def resend_unlock!
+        if_locked do
+          generate_unlock_token unless unlock_token.present?
+          save(:validate => false)
+          send_unlock_instructions
+        end
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
       # by verifying whether an user is active to sign in or not based on locked?
       def active?
-        super && !access_locked?
+        super && !locked?
       end
 
       # Overwrites invalid_message from Devise::Models::Authenticatable to define
       # the correct reason for blocking the sign in.
       def inactive_message
-        access_locked? ? :locked : super
+        if locked?
+          :locked
+        else
+          super
+        end
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
@@ -84,9 +89,9 @@ module Devise
           self.failed_attempts = 0
         else
           self.failed_attempts += 1
-          lock_access! if failed_attempts > self.class.maximum_attempts
+          lock if failed_attempts > self.class.maximum_attempts
         end
-        save(false) if changed?
+        save(:validate => false) if changed?
         result
       end
 
@@ -99,7 +104,7 @@ module Devise
 
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
-          if self.class.unlock_strategy_enabled?(:time)
+          if unlock_strategy_enabled?(:time)
             locked_at && locked_at < self.class.unlock_in.ago
           else
             false
@@ -108,15 +113,20 @@ module Devise
 
         # Checks whether the record is locked or not, yielding to the block
         # if it's locked, otherwise adds an error to email.
-        def if_access_locked
-          if access_locked?
+        def if_locked
+          if locked?
             yield
           else
-            self.class.add_error_on(self, :email, :not_locked)
+            self.errors.add(:email, :not_locked)
             false
           end
         end
 
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.class.unlock_strategy)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
@@ -124,7 +134,7 @@ module Devise
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
          lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-         lockable.resend_unlock_token unless lockable.new_record?
+         lockable.resend_unlock! unless lockable.new_record?
          lockable
         end
 
@@ -132,17 +142,12 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
-        def unlock_access_by_token(unlock_token)
-          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
-          lockable.unlock_access! unless lockable.new_record?
+        def unlock!(attributes={})
+          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
+          lockable.unlock! unless lockable.new_record?
           lockable
         end
 
-        # Is the unlock enabled for the given unlock strategy?
-        def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
-        end
-
         Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
       end
     end