devise 1.1.pre4 → 1.1.rc0

data/app/views/devise/unlocks/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Resend unlock instructions</h2>
 
-<% form_for resource_name, resource, :url => unlock_path(resource_name) do |f| %>
+<%= form_for(resource_name, resource, :url => unlock_path(resource_name)) do |f| %>
   <%= f.error_messages %>
 
   <p><%= f.label :email %></p>

data/config/locales/en.yml

@@ -6,10 +6,7 @@ en:
       not_locked: "was not locked"
 
   devise:
-    sessions:
-      link: 'Sign in'
-      signed_in: 'Signed in successfully.'
-      signed_out: 'Signed out successfully.'
+    failure:
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'
@@ -17,25 +14,23 @@ en:
       invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'
       inactive: 'Your account was not activated yet.'
+    sessions:
+      signed_in: 'Signed in successfully.'
+      signed_out: 'Signed out successfully.'
     passwords:
-      link: 'Forgot password?'
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
     confirmations:
-      link: "Didn't receive confirmation instructions?"
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
-      link: 'Sign up'
       signed_up: 'You have signed up successfully.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
     unlocks:
-      link: "Didn't receive unlock instructions?"
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account was successfully unlocked. You are now signed in.'
     mailer:
       confirmation_instructions: 'Confirmation instructions'
       reset_password_instructions: 'Reset password instructions'
       unlock_instructions: 'Unlock Instructions'
-

data/lib/devise.rb

@@ -1,3 +1,5 @@
+require 'active_support/core_ext/numeric/time'
+
 module Devise
   autoload :FailureApp, 'devise/failure_app'
   autoload :Schema, 'devise/schema'
@@ -20,13 +22,17 @@ module Devise
     autoload :Sha1, 'devise/encryptors/sha1'
   end
 
+  module Strategies
+    autoload :Base, 'devise/strategies/base'
+    autoload :Authenticatable, 'devise/strategies/authenticatable'
+  end
+
   # Constants which holds devise configuration for extensions. Those should
   # not be modified by the "end user".
-  ALL            = []
-  CONTROLLERS    = {}
-  ROUTES         = []
-  STRATEGIES     = []
-  FLASH_MESSAGES = [:unauthenticated]
+  ALL         = []
+  CONTROLLERS = ActiveSupport::OrderedHash.new
+  ROUTES      = ActiveSupport::OrderedHash.new
+  STRATEGIES  = ActiveSupport::OrderedHash.new
 
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
@@ -41,9 +47,6 @@ module Devise
     :bcrypt => 60
   }
 
-  # Email regex used to validate email formats. Adapted from authlogic.
-  EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
-
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
@@ -56,6 +59,26 @@ module Devise
   mattr_accessor :authentication_keys
   @@authentication_keys = [ :email ]
 
+  # If http authentication is enabled by default.
+  mattr_accessor :http_authenticatable
+  @@http_authenticatable = true
+
+  # If params authenticatable is enabled by default.
+  mattr_accessor :params_authenticatable
+  @@params_authenticatable = true
+
+  # The realm used in Http Basic Authentication.
+  mattr_accessor :http_authentication_realm
+  @@http_authentication_realm = "Application"
+
+  # Email regex used to validate email formats. Adapted from authlogic.
+  mattr_accessor :email_regexp
+  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
+  # Range validation for password length
+  mattr_accessor :password_length
+  @@password_length = 6..20
+
   # Time interval where the remember me token is valid.
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
@@ -77,7 +100,7 @@ module Devise
   @@mappings = ActiveSupport::OrderedHash.new
 
   # Tells if devise should apply the schema in ORMs where devise declaration
-  # and schema belongs to the same class (as Datamapper and MongoMapper).
+  # and schema belongs to the same class (as Datamapper and Mongoid).
   mattr_accessor :apply_schema
   @@apply_schema = true
 
@@ -86,15 +109,20 @@ module Devise
   mattr_accessor :scoped_views
   @@scoped_views = false
 
-  # Number of authentication tries before locking an account
-  mattr_accessor :maximum_attempts
-  @@maximum_attempts = 20
+  # Defines which strategy can be used to lock an account.
+  # Values: :failed_attempts, :none
+  mattr_accessor :lock_strategy
+  @@lock_strategy = :failed_attempts
 
   # Defines which strategy can be used to unlock an account.
   # Values: :email, :time, :both
   mattr_accessor :unlock_strategy
   @@unlock_strategy = :both
 
+  # Number of authentication tries before locking an account
+  mattr_accessor :maximum_attempts
+  @@maximum_attempts = 20
+
   # Time interval to unlock the account if :time is defined as unlock_strategy.
   mattr_accessor :unlock_in
   @@unlock_in = 1.hour
@@ -115,9 +143,10 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
-  # The realm used in Http Basic Authentication
-  mattr_accessor :http_authentication_realm
-  @@http_authentication_realm = "Application"
+  # Private methods to interface with Warden.
+  mattr_accessor :warden_config
+  @@warden_config = nil
+  @@warden_config_block = nil
 
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
@@ -125,39 +154,57 @@ module Devise
     yield self
   end
 
+  # Register a model in Devise. You can call this manually if you don't want
+  # to use devise routes. Check devise_for in routes to know which options
+  # are available.
+  def self.register(resource, options)
+    mapping = Devise::Mapping.new(resource, options)
+    self.mappings[mapping.name] = mapping
+    self.default_scope ||= mapping.name
+
+    warden_config.default_scope ||= mapping.name
+    warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
+    mapping
+  end
+
   # Make Devise aware of an 3rd party Devise-module. For convenience.
   #
   # == Options:
   #
-  #   +strategy+    - Boolean value representing if this module got a custom *strategy*.
-  #                   Default is +false+. Note: Devise will auto-detect this in such case if this is true.
-  #   +model+       - String representing the load path to a custom *model* for this module (to autoload.)
-  #                   Default is +nil+ (i.e. +false+).
-  #   +controller+  - Symbol representing the name of an exisiting or custom *controller* for this module.
-  #                   Default is +nil+ (i.e. +false+).
-  #   +route+       - Symbol representing the named *router* helper for this module.
-  #                   Default is +nil+ (i.e. +false+).
-  #   +flash+       - Symbol representing the *flash messages* used by this helper.
-  #                   Default is +nil+ (i.e. +false+).
+  #   +model+      - String representing the load path to a custom *model* for this module (to autoload.)
+  #   +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
+  #   +route+      - Symbol representing the named *route* helper for this module.
+  #   +flash+      - Symbol representing the *flash messages* used by this helper.
+  #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #
+  # All values, except :model, accept also a boolean and will have the same name as the given module
+  # name.
   #
   # == Examples:
   #
   #   Devise.add_module(:party_module)
   #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
-  #   Devise.add_module(:party_module, :autoload => 'party_module/model')
+  #   Devise.add_module(:party_module, :model => 'party_module/model')
   #
   def self.add_module(module_name, options = {})
     ALL << module_name
-    options.assert_valid_keys(:strategy, :model, :controller, :route, :flash)
+    options.assert_valid_keys(:strategy, :model, :controller, :route)
+
+    config = {
+      :strategy => STRATEGIES,
+      :route => ROUTES,
+      :controller => CONTROLLERS
+    }
 
-    { :strategy => STRATEGIES, :flash => FLASH_MESSAGES, :route => ROUTES }.each do |key, value|
+    config.each do |key, value|
       next unless options[key]
       name = (options[key] == true ? module_name : options[key])
-      value.unshift(name) unless value.include?(name)
-    end
 
-    if options[:controller]
-      Devise::CONTROLLERS[module_name] = options[:controller].to_sym
+      if value.is_a?(Hash)
+        value[module_name] = name
+      else
+        value << name unless value.include?(name)
+      end
     end
 
     if options[:model]
@@ -165,7 +212,7 @@ module Devise
       Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, model_path)
     end
 
-    Devise::Mapping.register module_name
+    Devise::Mapping.add_module module_name
   end
 
   # Sets warden configuration using a block that will be invoked on warden
@@ -180,19 +227,13 @@ module Devise
   #    end
   #  end
   def self.warden(&block)
-    @warden_config = block
+    @@warden_config_block = block
   end
 
   # A method used internally to setup warden manager from the Rails initialize
   # block.
-  def self.configure_warden(config) #:nodoc:
-    config.default_strategies *Devise::STRATEGIES
-    config.failure_app = Devise::FailureApp
-    config.silence_missing_strategies!
-    config.default_scope = Devise.default_scope
-
-    # If the user provided a warden hook, call it now.
-    @warden_config.try :call, config
+  def self.configure_warden! #:nodoc:
+    @@warden_config_block.try :call, Devise.warden_config
   end
 
   # Generate a friendly string randomically to be used as token.

data/lib/devise/controllers/helpers.rb

@@ -23,18 +23,6 @@ module Devise
         false
       end
 
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # but does not redirect in case of failures.
-      def authenticate(scope)
-        warden.authenticate(:scope => scope)
-      end
-
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # redirecting in case of failures.
-      def authenticate!(scope)
-        warden.authenticate!(:scope => scope)
-      end
-
       # Check if the given scope is signed in session, without running
       # authentication hooks.
       def signed_in?(scope)
@@ -79,7 +67,7 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
+        session.delete(:"#{scope}_return_to")
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -129,10 +117,10 @@ module Devise
       #
       # If just a symbol is given, consider that the user was already signed in
       # through other means and just perform the redirection.
-      def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
+      def sign_in_and_redirect(resource_or_scope, resource=nil)
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
-        sign_in(scope, resource) unless skip
+        sign_in(scope, resource) unless warden.user(scope) == resource
         redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
@@ -150,9 +138,9 @@ module Devise
       # access that specific controller/action.
       # Example:
       #
-      #   Maps:
-      #     User => :authenticatable
-      #     Admin => :authenticatable
+      #   Roles:
+      #     User
+      #     Admin
       #
       #   Generated methods:
       #     authenticate_user!  # Signs user in or redirect

data/lib/devise/controllers/internal_helpers.rb

@@ -8,13 +8,14 @@ module Devise
       include Devise::Controllers::ScopedViews
 
       included do
-        helpers = [:resource, :scope_name, :resource_name,
-                  :resource_class, :devise_mapping, :devise_controller?]
+        unloadable
 
+        helpers = %w(resource scope_name resource_name
+                     resource_class devise_mapping devise_controller?)
         hide_action *helpers
         helper_method *helpers
 
-        before_filter :is_devise_resource?
+        prepend_before_filter :is_devise_resource?
         skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
       end
 
@@ -62,8 +63,9 @@ module Devise
       end
 
       # Build a devise resource.
-      def build_resource
-        self.resource = resource_class.new(params[resource_name] || {})
+      def build_resource(hash=nil)
+        hash ||= params[resource_name] || {}
+        self.resource = resource_class.new(hash)
       end
 
       # Helper for use in before_filters where no authentication is required.
@@ -88,17 +90,14 @@ module Devise
       #
       # Please refer to README or en.yml locale file to check what messages are
       # available.
-      def set_flash_message(key, kind, now=false)
-        flash_hash = now ? flash.now : flash
-        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
+      def set_flash_message(key, kind)
+        flash[key] = I18n.t(:"#{resource_name}.#{kind}", :resource_name => resource_name,
                             :scope => [:devise, controller_name.to_sym], :default => kind)
       end
 
-      # Shortcut to set flash.now message. Same rules applied from set_flash_message
-      def set_now_flash_message(key, kind)
-        set_flash_message(key, kind, true)
+      def clean_up_passwords(object)
+        object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
       end
-
     end
   end
 end

data/lib/devise/controllers/scoped_views.rb

@@ -4,7 +4,7 @@ module Devise
       extend ActiveSupport::Concern
 
       module ClassMethods
-        def scoped_views
+        def scoped_views?
           defined?(@scoped_views) ? @scoped_views : Devise.scoped_views
         end
 
@@ -20,7 +20,7 @@ module Devise
       def render_with_scope(action, options={})
         controller_name = options.delete(:controller) || self.controller_name
 
-        if self.class.scoped_views
+        if self.class.scoped_views?
           begin
             render :template => "#{devise_mapping.as}/#{controller_name}/#{action}"
           rescue ActionView::MissingTemplate

data/lib/devise/controllers/url_helpers.rb

@@ -19,7 +19,7 @@ module Devise
     # Those helpers are added to your ApplicationController.
     module UrlHelpers
 
-      Devise::ROUTES.each do |module_name|
+      Devise::ROUTES.values.uniq.each do |module_name|
         [:path, :url].each do |path_or_url|
           actions = [ nil, :new_ ]
           actions << :edit_    if [:password, :registration].include?(module_name)

data/lib/devise/failure_app.rb

@@ -10,8 +10,7 @@ module Devise
     include ActionController::UrlFor
     include ActionController::Redirecting
 
-    mattr_accessor :default_message
-    self.default_message = :unauthenticated
+    delegate :flash, :to => :request
 
     def self.call(env)
       action(:respond).call(env)
@@ -22,27 +21,60 @@ module Devise
     end
 
     def respond
-      scope = warden_options[:scope]
-      store_location!(scope)
-      redirect_to send(:"new_#{scope}_session_path", query_string_params)
+      if http_auth?
+        http_auth
+      elsif warden_options[:recall]
+        recall
+      else
+        redirect
+      end
+    end
+
+    def http_auth
+      self.status = 401
+      self.headers["WWW-Authenticate"] = %(Basic realm=#{Devise.http_authentication_realm.inspect})
+      self.content_type = request.format.to_s
+      self.response_body = http_auth_body
+    end
+
+    def recall
+      env["PATH_INFO"]  = attempted_path
+      flash.now[:alert] = i18n_message(:invalid)
+      self.response = recall_controller.action(warden_options[:recall]).call(env)
+    end
+
+    def redirect
+      store_location!
+      flash[:alert] = i18n_message unless flash[:notice]
+      redirect_to send(:"new_#{scope}_session_path")
     end
 
   protected
 
-    # Build the proper query string based on the given message.
-    def query_string_params
-      message = warden.try(:message) || warden_options[:message] || self.class.default_message
+    def i18n_message(default = nil)
+      message = warden.message || warden_options[:message] || default || :unauthenticated
 
-      case message
-      when Symbol
-        { message => true }
-      when String
-        { :message => message }
+      if message.is_a?(Symbol)
+        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
+               :scope => "devise.failure", :default => [message, message.to_s])
       else
-        {}
+        message.to_s
       end
     end
 
+    def http_auth?
+      request.authorization
+    end
+
+    def http_auth_body
+      method = :"to_#{request.format.to_sym}"
+      {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
+    end
+
+    def recall_controller
+      "#{params[:controller].camelize}Controller".constantize
+    end
+
     def warden
       env['warden']
     end
@@ -51,12 +83,20 @@ module Devise
       env['warden.options']
     end
 
+    def scope
+      @scope ||= warden_options[:scope]
+    end
+
+    def attempted_path
+      warden_options[:attempted_path]
+    end
+
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
-    def store_location!(scope)
-      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
+    def store_location!
+      session[:"#{scope}_return_to"] = attempted_path if request && request.get?
     end
   end
 end