devise 1.1.rc2 → 1.1.0

data/lib/devise/encryptors/base.rb

@@ -12,7 +12,7 @@ module Devise
         raise NotImplemented
       end
 
-      def self.salt
+      def self.salt(stretches)
         Devise.friendly_token
       end
     end

data/lib/devise/encryptors/bcrypt.rb

@@ -11,8 +11,8 @@ module Devise
         ::BCrypt::Engine.hash_secret([password, pepper].join, salt, stretches)
       end
 
-      def self.salt
-        ::BCrypt::Engine.generate_salt
+      def self.salt(stretches)
+        ::BCrypt::Engine.generate_salt(stretches)
       end
     end
   end

data/lib/devise/failure_app.rb

@@ -47,7 +47,7 @@ module Devise
     def redirect
       store_location!
       flash[:alert] = i18n_message unless flash[:notice]
-      redirect_to send(:"new_#{scope}_session_path")
+      redirect_to redirect_url
     end
 
   protected
@@ -63,8 +63,12 @@ module Devise
       end
     end
 
+    def redirect_url
+      send(:"new_#{scope}_session_path")
+    end
+
     def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || request.xhr?
+      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
     end
 
     def http_auth_body

data/lib/devise/hooks/rememberable.rb

@@ -9,7 +9,7 @@ module Devise
         super
 
         if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
-          resource.remember_me!
+          resource.remember_me!(extend_remember_period?)
 
           configuration = {
             :value => resource.class.serialize_into_cookie(resource),
@@ -24,6 +24,14 @@ module Devise
 
     protected
 
+      def succeeded?
+        @result == :success
+      end
+
+      def extend_remember_period?
+        false
+      end
+
       def remember_me?
         valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
       end

data/lib/devise/mapping.rb

@@ -22,19 +22,9 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :singular, :plural, :path, :controllers, :path_names, :path_prefix, :class_name
+    attr_reader :singular, :plural, :path, :controllers, :path_names, :class_name
     alias :name :singular
 
-    # Loop through all mappings looking for a map that matches with the requested
-    # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
-    def self.find_by_path(path)
-      Devise.mappings.each_value do |mapping|
-        route = path.split("/")[mapping.segment_position]
-        return mapping if route && mapping.path == route.to_sym
-      end
-      nil
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
@@ -51,31 +41,22 @@ module Devise
     end
 
     def initialize(name, options) #:nodoc:
-      if as = options.delete(:as)
-        ActiveSupport::Deprecation.warn ":as is deprecated, please use :path instead."
-        options[:path] ||= as
-      end
+      @plural   = (options[:as] ? "#{options[:as]}_#{name}" : name).to_sym
+      @singular = (options[:singular] || @plural.to_s.singularize).to_sym
 
-      if scope = options.delete(:scope)
-        ActiveSupport::Deprecation.warn ":scope is deprecated, please use :singular instead."
-        options[:singular] ||= scope
-      end
-
-      @plural   = name.to_sym
-      @path     = (options.delete(:path) || name).to_sym
-      @singular = (options.delete(:singular) || name.to_s.singularize).to_sym
-
-      @class_name = (options.delete(:class_name) || name.to_s.classify).to_s
+      @class_name = (options[:class_name] || name.to_s.classify).to_s
       @ref = ActiveSupport::Dependencies.ref(@class_name)
 
-      @path_prefix = "/#{options.delete(:path_prefix)}/".squeeze("/")
+      @path = (options[:path] || name).to_s
+      @path_prefix = options[:path_prefix]
 
-      @controllers = Hash.new { |h,k| h[k] = "devise/#{k}" }
-      @controllers.merge!(options.delete(:controllers) || {})
+      mod = options[:module] || "devise"
+      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
+      @controllers.merge!(options[:controllers] || {})
 
-      @path_names  = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(:registration => "")
-      @path_names.merge!(options.delete(:path_names) || {})
+      @path_names.merge!(options[:path_names] || {})
     end
 
     # Return modules for the mapping.
@@ -96,30 +77,14 @@ module Devise
       @routes ||= ROUTES.values_at(*self.modules).compact.uniq
     end
 
-    # Keep a list of allowed controllers for this mapping. It's useful to ensure
-    # that an Admin cannot access the registrations controller unless it has
-    # :registerable in the model.
-    def allowed_controllers
-      @allowed_controllers ||= begin
-        canonical = CONTROLLERS.values_at(*self.modules).compact
-        @controllers.values_at(*canonical)
-      end
-    end
-
-    # Return in which position in the path prefix devise should find the as mapping.
-    def segment_position
-      self.path_prefix.count("/")
-    end
-
-    # Returns the raw path using path_prefix and as.
-    def full_path
-      path_prefix + path.to_s
-    end
-
     def authenticatable?
       @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
     end
 
+    def fullpath
+      "#{@path_prefix}/#{@path}".squeeze("/")
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

data/lib/devise/models/authenticatable.rb

@@ -112,6 +112,14 @@ module Devise
 
           record
         end
+
+        # Generate a token by looping and ensuring does not already exist.
+        def generate_token(column)
+          loop do
+            token = Devise.friendly_token
+            break token unless find(:first, :conditions => { column => token })
+          end
+        end
       end
     end
   end

data/lib/devise/models/confirmable.rb

@@ -45,12 +45,12 @@ module Devise
 
       # Verifies whether a user is confirmed or not
       def confirmed?
-        persisted? && !confirmed_at.nil?
+        !!confirmed_at
       end
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
-        generate_confirmation_token if self.confirmation_token.nil?
+        generate_confirmation_token! if self.confirmation_token.nil?
         ::Devise.mailer.confirmation_instructions(self).deliver
       end
 
@@ -75,15 +75,14 @@ module Devise
       # If you don't want confirmation to be sent on create, neither a code
       # to be generated, call skip_confirmation!
       def skip_confirmation!
-        self.confirmed_at  = Time.now
-        @skip_confirmation = true
+        self.confirmed_at = Time.now
       end
 
       protected
 
         # Callback to overwrite if confirmation is required or not.
         def confirmation_required?
-          !@skip_confirmation
+          !confirmed?
         end
 
         # Checks if the confirmation for the user is within the limit time.
@@ -128,6 +127,10 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
+        def generate_confirmation_token!
+          generate_confirmation_token && save(:validate => false)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
@@ -149,8 +152,9 @@ module Devise
           confirmable
         end
 
+        # Generate a token checking if one does not already exist in the database.
         def confirmation_token
-          Devise.friendly_token
+          generate_token(:confirmation_token)
         end
 
         Devise::Models.config(self, :confirm_within)

data/lib/devise/models/database_authenticatable.rb

@@ -37,7 +37,7 @@ module Devise
         @password = new_password
 
         if @password.present?
-          self.password_salt = self.class.encryptor_class.salt
+          self.password_salt = self.class.password_salt
           self.encrypted_password = password_digest(@password)
         end
       end
@@ -93,6 +93,14 @@ module Devise
           @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
         end
 
+        def password_salt
+          self.encryptor_class.salt(self.stretches)
+        end
+
+        # We assume this method already gets the sanitized values from the
+        # DatabaseAuthenticatable strategy. If you are using this method on
+        # your own, be sure to sanitize the conditions hash to only include
+        # the proper fields.
         def find_for_database_authentication(conditions)
           find_for_authentication(conditions)
         end

data/lib/devise/models/recoverable.rb

@@ -35,7 +35,7 @@ module Devise
 
         # Generates a new random token for reset password
         def generate_reset_password_token
-          self.reset_password_token = Devise.friendly_token
+          self.reset_password_token = self.class.reset_password_token
         end
 
         # Resets the reset password token with and save the record without
@@ -60,6 +60,11 @@ module Devise
           recoverable
         end
 
+        # Generate a token checking if one does not already exist in the database.
+        def reset_password_token
+          generate_token(:reset_password_token)
+        end
+
         # Attempt to find a user by it's reset_password_token to reset it's
         # password. If a user is found, reset it's password and automatically
         # try saving the record. If not user is found, returns a new user

data/lib/devise/models/rememberable.rb

@@ -18,7 +18,15 @@ module Devise
     #                 blocked and will have to enter his credentials again.
     #                 This configuration is also used to calculate the expires
     #                 time for the cookie created to remember the user.
-    #                 By default remember_for is 2.weeks.
+    #                 2.weeks by default.
+    #
+    #   remember_across_browsers: if true, a valid remember token can be
+    #                             re-used between multiple browsers.
+    #                             True by default.
+    #
+    #   extend_remember_period: if true, extends the user's remember period
+    #                           when remembered via cookie.
+    #                           False by default.
     #
     # Examples:
     #
@@ -38,10 +46,11 @@ module Devise
         attr_accessor :remember_me
       end
 
-      # Generate a new remember token and save the record without validations.
-      def remember_me!
-        self.remember_token = Devise.friendly_token
-        self.remember_created_at = Time.now.utc
+      # Generate a new remember token and save the record without validations
+      # unless remember_across_browsers is true and the user already has a valid token.
+      def remember_me!(extend_period=false)
+        self.remember_token = self.class.remember_token if generate_remember_token?
+        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
         save(:validate => false)
       end
 
@@ -57,7 +66,7 @@ module Devise
 
       # Remember token should be expired if expiration time not overpass now.
       def remember_expired?
-        remember_expires_at <= Time.now.utc
+        remember_created_at && (remember_expires_at <= Time.now.utc)
       end
 
       # Remember token expires at created time + remember_for configuration
@@ -73,6 +82,20 @@ module Devise
         self.class.cookie_domain != false
       end
 
+    protected
+
+      # Generate a token unless remember_across_browsers is true and there is
+      # an existing remember_token or the existing remember_token has expried.
+      def generate_remember_token? #:nodoc:
+        !(self.class.remember_across_browsers && remember_token) || remember_expired?
+      end
+
+      # Generate a timestamp if extend_remember_period is true, if no remember_token
+      # exists, or if an existing remember token has expired.
+      def generate_remember_timestamp?(extend_period) #:nodoc:
+        extend_period || remember_created_at.nil? || remember_expired?
+      end
+
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
@@ -86,7 +109,13 @@ module Devise
           record if record && !record.remember_expired?
         end
 
-        Devise::Models.config(self, :remember_for, :cookie_domain)
+        # Generate a token checking if one does not already exist in the database.
+        def remember_token
+          generate_token(:remember_token)
+        end
+
+        Devise::Models.config(self, :remember_for, :remember_across_browsers,
+          :extend_remember_period, :cookie_domain)
       end
     end
   end

data/lib/devise/models/token_authenticatable.rb

@@ -44,16 +44,16 @@ module Devise
       end
 
       module ClassMethods
-        ::Devise::Models.config(self, :token_authentication_key)
-
         def find_for_token_authentication(conditions)
-          conditions[:authentication_token] ||= conditions.delete(token_authentication_key)
-          find_for_authentication(conditions)
+          find_for_authentication(:authentication_token => conditions[token_authentication_key])
         end
 
+        # Generate a token checking if one does not already exist in the database.
         def authentication_token
-          ::Devise.friendly_token
+          generate_token(:authentication_token)
         end
+
+        ::Devise::Models.config(self, :token_authentication_key)
       end
     end
   end

data/lib/devise/models/validatable.rb

@@ -16,7 +16,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|

data/lib/devise/path_checker.rb

@@ -2,12 +2,17 @@ module Devise
   class PathChecker
     include Rails.application.routes.url_helpers
 
+    def self.default_url_options(*args)
+      ApplicationController.default_url_options(*args)
+    end
+
     def initialize(env, scope)
-      @env, @scope = env, scope
+      @current_path = "/#{env["SCRIPT_NAME"]}/#{env["PATH_INFO"]}".squeeze("/")
+      @scope = scope
     end
 
     def signing_out?
-      @env["PATH_INFO"] == send("destroy_#{@scope}_session_path")
+      @current_path == send("destroy_#{@scope}_session_path")
     end
   end
 end

data/lib/devise/rails.rb

@@ -20,11 +20,16 @@ module Devise
       Devise.encryptor ||= begin
         warn "[WARNING] config.encryptor is not set in your config/initializers/devise.rb. " \
           "Devise will then set it to :bcrypt. If you were using the previous default " \
-          "encryptor, please add config.encryptor = :sha1 to your configuration file."
+          "encryptor, please add config.encryptor = :sha1 to your configuration file." if Devise.mailer_sender
         :bcrypt
       end
     end
 
+    initializer "devise.add_filters" do |app|
+      app.config.filter_parameters += [:password, :password_confirmation]
+      app.config.filter_parameters.uniq
+    end
+
     unless Rails.env.production?
       config.after_initialize do
         actions = [:confirmation_instructions, :reset_password_instructions, :unlock_instructions]

data/lib/devise/rails/routes.rb

@@ -15,9 +15,10 @@ module ActionDispatch::Routing
     # generate all needed routes for devise, based on what modules you have
     # defined in your model.
     #
-    # Examples: Let's say you have an User model configured to use
-    # authenticatable, confirmable and recoverable modules. After creating this
-    # inside your routes:
+    # ==== Examples
+    #
+    # Let's say you have an User model configured to use authenticatable,
+    # confirmable and recoverable modules. After creating this inside your routes:
     #
     #   devise_for :users
     #
@@ -25,20 +26,22 @@ module ActionDispatch::Routing
     # needed routes:
     #
     #  # Session routes for Authenticatable (default)
-    #       new_user_session GET  /users/sign_in                    {:controller=>"sessions", :action=>"new"}
-    #           user_session POST /users/sign_in                    {:controller=>"sessions", :action=>"create"}
-    #   destroy_user_session GET  /users/sign_out                   {:controller=>"sessions", :action=>"destroy"}
+    #       new_user_session GET  /users/sign_in                    {:controller=>"devise/sessions", :action=>"new"}
+    #           user_session POST /users/sign_in                    {:controller=>"devise/sessions", :action=>"create"}
+    #   destroy_user_session GET  /users/sign_out                   {:controller=>"devise/sessions", :action=>"destroy"}
     #
     #  # Password routes for Recoverable, if User model has :recoverable configured
-    #      new_user_password GET  /users/password/new(.:format)     {:controller=>"passwords", :action=>"new"}
-    #     edit_user_password GET  /users/password/edit(.:format)    {:controller=>"passwords", :action=>"edit"}
-    #          user_password PUT  /users/password(.:format)         {:controller=>"passwords", :action=>"update"}
-    #                        POST /users/password(.:format)         {:controller=>"passwords", :action=>"create"}
+    #      new_user_password GET  /users/password/new(.:format)     {:controller=>"devise/passwords", :action=>"new"}
+    #     edit_user_password GET  /users/password/edit(.:format)    {:controller=>"devise/passwords", :action=>"edit"}
+    #          user_password PUT  /users/password(.:format)         {:controller=>"devise/passwords", :action=>"update"}
+    #                        POST /users/password(.:format)         {:controller=>"devise/passwords", :action=>"create"}
     #
     #  # Confirmation routes for Confirmable, if User model has :confirmable configured
-    #  new_user_confirmation GET  /users/confirmation/new(.:format) {:controller=>"confirmations", :action=>"new"}
-    #      user_confirmation GET  /users/confirmation(.:format)     {:controller=>"confirmations", :action=>"show"}
-    #                        POST /users/confirmation(.:format)     {:controller=>"confirmations", :action=>"create"}
+    #  new_user_confirmation GET  /users/confirmation/new(.:format) {:controller=>"devise/confirmations", :action=>"new"}
+    #      user_confirmation GET  /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
+    #                        POST /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
+    #
+    # ==== Options
     #
     # You can configure your routes with some options:
     #
@@ -62,37 +65,84 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification' }
     #
-    #  * :path_prefix => the path prefix to be used in all routes.
+    #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
+    #    However, if you want them to point to custom controller, you should do:
     #
-    #      devise_for :users, :path_prefix => "/:locale"
+    #      devise_for :users, :controllers => { :sessions => "users/sessions" }
     #
-    #  If you are using a dynamic prefix, like :locale above, you need to configure default_url_options in your ApplicationController
-    #  class level, so Devise can pick it:
+    #  * :module => the namespace to find controlers. By default, devise will access devise/sessions,
+    #    devise/registrations and so on. If you want to namespace all at once, use module:
     #
-    #      class ApplicationController < ActionController::Base
-    #        def self.default_url_options
-    #          { :locale => I18n.locale }
-    #        end
-    #      end
+    #      devise_for :users, :module => "users"
     #
-    #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
-    #    However, if you want them to point to custom controller, you should do:
+    #    Notice that whenever you use namespace in the router DSL, it automatically sets the module.
+    #    So the following setup:
     #
-    #      devise_for :users, :controllers => { :sessions => "users/sessions" }
+    #      namespace :publisher
+    #        devise_for :account
+    #      end
+    #
+    #    Will use publisher/sessions controller instead of devise/sessions controller. You can revert
+    #    this by providing the :module option to devise_for.
     #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
     #      devise_for :users, :skip => :sessions
     #
+    # ==== Scoping
+    #
+    # Following Rails 3 routes DSL, you can nest devise_for calls inside a scope:
+    #
+    #   scope "/my" do
+    #     devise_for :users
+    #   end
+    #
+    # However, since Devise uses the request path to retrieve the current user, it has one caveats.
+    # If you are using a dynamic segment, as below:
+    #
+    #   scope ":locale" do
+    #     devise_for :users
+    #   end
+    #
+    # You are required to configure default_url_options in your ApplicationController class level, so
+    # Devise can pick it:
+    #
+    #   class ApplicationController < ActionController::Base
+    #     def self.default_url_options
+    #       { :locale => I18n.locale }
+    #     end
+    #   end
+    #
     def devise_for(*resources)
       options = resources.extract_options!
+
+      if as = options.delete(:as)
+        ActiveSupport::Deprecation.warn ":as is deprecated, please use :path instead."
+        options[:path] ||= as
+      end
+
+      if scope = options.delete(:scope)
+        ActiveSupport::Deprecation.warn ":scope is deprecated, please use :singular instead."
+        options[:singular] ||= scope
+      end
+
+      options[:as]          ||= @scope[:as]     if @scope[:as].present?
+      options[:module]      ||= @scope[:module] if @scope[:module].present?
+      options[:path_prefix] ||= @scope[:path]   if @scope[:path].present?
+      options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
+
       resources.map!(&:to_sym)
 
       resources.each do |resource|
-        mapping = Devise.add_model(resource, options)
+        mapping = Devise.add_mapping(resource, options)
 
         begin
           raise_no_devise_method_error!(mapping.class_name) unless mapping.to.respond_to?(:devise)
+        rescue NameError => e
+          raise unless mapping.class_name == resource.to_s.classify
+          warn "[WARNING] You provided devise_for #{resource.inspect} but there is " <<
+            "no model #{mapping.class_name} defined in your application"
+          next
         rescue NoMethodError => e
           raise unless e.message.include?("undefined method `devise'")
           raise_no_devise_method_error!(mapping.class_name)
@@ -101,12 +151,21 @@ module ActionDispatch::Routing
         routes  = mapping.routes
         routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
 
-        routes.each do |mod|
-          send(:"devise_#{mod}", mapping, mapping.controllers)
+        devise_scope mapping.name do
+          yield if block_given?
+          with_devise_exclusive_scope mapping.fullpath, mapping.name do
+            routes.each { |mod| send(:"devise_#{mod}", mapping, mapping.controllers) }
+          end
         end
       end
     end
 
+    # Allow you to add authentication request from the router:
+    #
+    #   authenticate(:user) do
+    #     resources :post
+    #   end
+    #
     def authenticate(scope)
       constraint = lambda do |request|
         request.env["warden"].authenticate!(:scope => scope)
@@ -117,42 +176,70 @@ module ActionDispatch::Routing
       end
     end
 
+    # Sets the devise scope to be used in the controller. If you have custom routes,
+    # you are required to call this method (also aliased as :as) in order to specify
+    # to which controller it is targetted.
+    #
+    #   as :user do
+    #     get "sign_in", :to => "devise/sessions#new"
+    #   end
+    #
+    # Notice you cannot have two scopes mapping to the same URL. And remember, if
+    # you try to access a devise controller without specifying a scope, it will
+    # raise ActionNotFound error.
+    def devise_scope(scope)
+      constraint = lambda do |request|
+        request.env["devise.mapping"] = Devise.mappings[scope]
+        true
+      end
+
+      constraints(constraint) do
+        yield
+      end
+    end
+    alias :as :devise_scope
+
     protected
 
-      def devise_session(mapping, controllers)
-        scope mapping.full_path do
-          get  mapping.path_names[:sign_in],  :to => "#{controllers[:sessions]}#new",     :as => :"new_#{mapping.name}_session"
-          post mapping.path_names[:sign_in],  :to => "#{controllers[:sessions]}#create",  :as => :"#{mapping.name}_session"
-          get  mapping.path_names[:sign_out], :to => "#{controllers[:sessions]}#destroy", :as => :"destroy_#{mapping.name}_session"
+      def devise_session(mapping, controllers) #:nodoc:
+        scope :controller => controllers[:sessions], :as => :session do
+          get  :new,     :path => mapping.path_names[:sign_in]
+          post :create,  :path => mapping.path_names[:sign_in], :as => ""
+          get  :destroy, :path => mapping.path_names[:sign_out]
         end
       end
  
-      def devise_password(mapping, controllers)
-        scope mapping.full_path, :name_prefix => mapping.name do
-          resource :password, :only => [:new, :create, :edit, :update], :path => mapping.path_names[:password], :controller => controllers[:passwords]
-        end
+      def devise_password(mapping, controllers) #:nodoc:
+        resource :password, :only => [:new, :create, :edit, :update],
+          :path => mapping.path_names[:password], :controller => controllers[:passwords]
       end
  
-      def devise_confirmation(mapping, controllers)
-        scope mapping.full_path, :name_prefix => mapping.name do
-          resource :confirmation, :only => [:new, :create, :show], :path => mapping.path_names[:confirmation], :controller => controllers[:confirmations]
-        end
+      def devise_confirmation(mapping, controllers) #:nodoc:
+        resource :confirmation, :only => [:new, :create, :show],
+          :path => mapping.path_names[:confirmation], :controller => controllers[:confirmations]
       end
  
-      def devise_unlock(mapping, controllers)
-        scope mapping.full_path, :name_prefix => mapping.name do
-          resource :unlock, :only => [:new, :create, :show], :path => mapping.path_names[:unlock], :controller => controllers[:unlocks]
+      def devise_unlock(mapping, controllers) #:nodoc:
+        if mapping.to.unlock_strategy_enabled?(:email)
+          resource :unlock, :only => [:new, :create, :show],
+            :path => mapping.path_names[:unlock], :controller => controllers[:unlocks]
         end
       end
 
-      def devise_registration(mapping, controllers)
-        scope mapping.full_path[1..-1], :name_prefix => mapping.name do
-          resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
-                   :path_names => { :new => mapping.path_names[:sign_up] }, :controller => controllers[:registrations]
-        end
+      def devise_registration(mapping, controllers) #:nodoc:
+        resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
+                 :path_names => { :new => mapping.path_names[:sign_up] }, :controller => controllers[:registrations]
+      end
+
+      def with_devise_exclusive_scope(new_path, new_as) #:nodoc:
+        old_as, old_path, old_module = @scope[:as], @scope[:path], @scope[:module]
+        @scope[:as], @scope[:path], @scope[:module] = new_as, new_path, nil
+        yield
+      ensure
+        @scope[:as], @scope[:path], @scope[:module] = old_as, old_path, old_module
       end
 
-      def raise_no_devise_method_error!(klass)
+      def raise_no_devise_method_error!(klass) #:nodoc:
         raise "#{klass} does not respond to 'devise' method. This usually means you haven't " <<
           "loaded your ORM file or it's being loaded too late. To fix it, be sure to require 'devise/orm/YOUR_ORM' " <<
           "inside 'config/initializers/devise.rb' or before your application definition in 'config/application.rb'"