devise 1.4.2 → 1.4.3

data/lib/devise/mapping.rb

@@ -22,7 +22,8 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :singular, :scoped_path, :path, :controllers, :path_names, :class_name, :sign_out_via, :format
+    attr_reader :singular, :scoped_path, :path, :controllers, :path_names,
+                :class_name, :sign_out_via, :format, :used_routes
     alias :name :singular
 
     # Receives an object and find a scope for it. If a scope cannot be found,
@@ -72,6 +73,12 @@ module Devise
 
       @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
       @format = options[:format]
+
+      @used_routes = self.routes
+      if options.has_key?(:only)
+        @used_routes = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & @used_routes
+      end
+      @used_routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
     end
 
     # Return modules for the mapping.

data/lib/devise/models/authenticatable.rb

@@ -82,6 +82,15 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 
+        def serialize_into_session(record)
+          [record.to_key, record.authenticatable_salt]
+        end
+
+        def serialize_from_session(key, salt)
+          record = to_adapter.get(key)
+          record if record && record.authenticatable_salt == salt
+        end
+
         def params_authenticatable?(strategy)
           params_authenticatable.is_a?(Array) ?
             params_authenticatable.include?(strategy) : params_authenticatable

data/lib/devise/models/confirmable.rb

@@ -29,7 +29,7 @@ module Devise
         after_create  :send_confirmation_instructions, :if => :confirmation_required?
       end
 
-      # Confirm a user by setting it's confirmed_at to actual time. If the user
+      # Confirm a user by setting its confirmed_at to actual time. If the user
       # is already confirmed, add en error to email field
       def confirm!
         unless_confirmed do
@@ -127,8 +127,13 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
+
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user email
@@ -138,7 +143,7 @@ module Devise
           confirmable
         end
 
-        # Find a user by it's confirmation token and try to confirm it.
+        # Find a user by its confirmation token and try to confirm it.
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token

data/lib/devise/models/database_authenticatable.rb

@@ -10,6 +10,9 @@ module Devise
     #
     # DatabaseAuthenticable adds the following options to devise_for:
     #
+    #   * +pepper+: a random string used to provide a more secure hash. Use
+    #     `rake secret` to generate new keys.
+    #
     #   * +stretches+: the cost given to bcrypt.
     #
     # == Examples

data/lib/devise/models/lockable.rb

@@ -3,13 +3,13 @@ module Devise
     # Handles blocking a user access after a certain number of attempts.
     # Lockable accepts two different strategies to unlock a user after it's
     # blocked: email and time. The former will send an email to the user when
-    # the lock happens, containing a link to unlock it's account. The second
+    # the lock happens, containing a link to unlock its account. The second
     # will unlock the user automatically after some configured time (ie 2.hours).
     # It's also possible to setup lockable to use both email and time strategies.
     #
     # == Options
     #
-    # Lockable adds the following options to devise_for:
+    # Lockable adds the following options to +devise+:
     #
     #   * +maximum_attempts+: how many attempts should be accepted before blocking the user.
     #   * +lock_strategy+: lock the user account by :failed_attempts or :none.
@@ -22,7 +22,7 @@ module Devise
 
       delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
 
-      # Lock a user setting it's locked_at to actual time.
+      # Lock a user setting its locked_at to actual time.
       def lock_access!
         self.locked_at = Time.now
 
@@ -132,7 +132,7 @@ module Devise
         end
 
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user email
@@ -142,7 +142,7 @@ module Devise
          lockable
         end
 
-        # Find a user by it's unlock token and try to unlock it.
+        # Find a user by its unlock token and try to unlock it.
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token

data/lib/devise/models/recoverable.rb

@@ -29,7 +29,11 @@ module Devise
       def reset_password!(new_password, new_password_confirmation)
         self.password = new_password
         self.password_confirmation = new_password_confirmation
-        clear_reset_password_token if valid?
+        if valid?
+          clear_reset_password_token
+          after_password_reset
+        end
+
         save
       end
 
@@ -89,8 +93,11 @@ module Devise
           self.reset_password_sent_at = nil if respond_to?(:reset_password_sent_at=)
         end
 
+        def after_password_reset
+        end
+
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # password instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Attributes must contain the user email
@@ -105,7 +112,7 @@ module Devise
           generate_token(:reset_password_token)
         end
 
-        # Attempt to find a user by it's reset_password_token to reset its
+        # Attempt to find a user by its reset_password_token to reset its
         # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.

data/lib/devise/models/trackable.rb

@@ -8,7 +8,7 @@ module Devise
     # * current_sign_in_at - A tiemstamp updated when the user signs in
     # * last_sign_in_at    - Holds the timestamp of the previous sign in
     # * current_sign_in_ip - The remote ip updated when the user sign in
-    # * last_sign_in_at    - Holds the remote ip of the previous sign in
+    # * last_sign_in_ip    - Holds the remote ip of the previous sign in
     #
     module Trackable
       def update_tracked_fields!(request)

data/lib/devise/models/validatable.rb

@@ -2,7 +2,7 @@ module Devise
   module Models
     # Validatable creates all needed validations for a user email and password.
     # It's optional, given you may want to create the validations by yourself.
-    # Automatically validate if the email is present, unique and it's format is
+    # Automatically validate if the email is present, unique and its format is
     # valid. Also tests presence of password, confirmation and length.
     #
     # == Options

data/lib/devise/rails.rb

@@ -39,5 +39,18 @@ module Devise
         Devise.include_helpers(Devise::OmniAuth)
       end
     end
+
+    initializer "devise.mongoid_version_warning" do
+      if defined?(Mongoid)
+        require 'mongoid/version'
+        if Mongoid::VERSION.to_f < 2.1
+          puts "\n[DEVISE] Please note that Mongoid versions prior to 2.1 handle dirty model " \
+            "object attributes in such a way that the Devise `validatable` module will not apply " \
+            "its usual uniqueness and format validations for the email field. It is recommended " \
+            "that you upgrade to Mongoid 2.1+ for this and other fixes, but if for some reason you " \
+            "are unable to do so, you should add these validations manually.\n"
+        end
+      end
+    end
   end
 end

data/lib/devise/rails/routes.rb

@@ -5,6 +5,7 @@ module ActionDispatch::Routing
     def finalize_with_devise!
       finalize_without_devise!
       Devise.configure_warden!
+      Devise.regenerate_helpers!
     end
     alias_method_chain :finalize!, :devise
   end
@@ -93,7 +94,7 @@ module ActionDispatch::Routing
     #
     #    Also pay attention that when you use a namespace it will affect all the helpers and methods for controllers
     #    and views. For example, using the above setup you'll end with following methods:
-    #    current_publisher_account, authenticate_publisher_account!, pusblisher_account_signed_in, etc.
+    #    current_publisher_account, authenticate_publisher_account!, publisher_account_signed_in, etc.
     #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
@@ -188,11 +189,7 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name)
         end
 
-        routes  = mapping.routes
-        if options.has_key?(:only)
-          routes  = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & mapping.routes
-        end
-        routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
+        routes  = mapping.used_routes
 
         devise_scope mapping.name do
           yield if block_given?
@@ -205,11 +202,15 @@ module ActionDispatch::Routing
 
     # Allow you to add authentication request from the router:
     #
-    #   authenticate(:user) do
+    #   authenticate do
     #     resources :post
     #   end
     #
-    def authenticate(scope)
+    #   authenticate(:admin) do
+    #     resources :users
+    #   end
+    #
+    def authenticate(scope=nil)
       constraint = lambda do |request|
         request.env["warden"].authenticate!(:scope => scope)
       end
@@ -274,6 +275,17 @@ module ActionDispatch::Routing
     # Notice you cannot have two scopes mapping to the same URL. And remember, if
     # you try to access a devise controller without specifying a scope, it will
     # raise ActionNotFound error.
+    #
+    # Also be aware of that 'devise_scope' and 'as' use the singular form of the
+    # noun where other devise route commands expect the plural form. This would be a
+    # good and working example.
+    #
+    #  devise_scope :user do
+    #    match "/some/route" => "some_devise_controller"
+    #  end
+    #  devise_for :users
+    #
+    # Notice and be aware of the differences above between :user and :users
     def devise_scope(scope)
       constraint = lambda do |request|
         request.env["devise.mapping"] = Devise.mappings[scope]
@@ -319,7 +331,7 @@ module ActionDispatch::Routing
           :cancel => mapping.path_names[:cancel]
         }
 
-        resource :registration, :except => :show, :path => mapping.path_names[:registration],
+        resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
                  :path_names => path_names, :controller => controllers[:registrations] do
           get :cancel
         end
@@ -335,7 +347,7 @@ module ActionDispatch::Routing
           ::OmniAuth.config.path_prefix = path_prefix
         end
 
-        match "#{path_prefix}/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
+        match "#{path_prefix}/:action/callback", :constraints => { :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)) },
           :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
       ensure
         @scope[:path] = path

data/lib/devise/rails/warden_compat.rb

@@ -15,21 +15,16 @@ end
 
 class Warden::SessionSerializer
   def serialize(record)
-    [record.class.name, record.to_key, record.authenticatable_salt]
+    klass = record.class
+    array = klass.serialize_into_session(record)
+    array.unshift(klass.name)
   end
 
   def deserialize(keys)
-    if keys.size == 2
-      raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your secret_token or cleaning up your " <<
-        "database sessions if you are using a db store."
-    end
-
-    klass, id, salt = keys
+    klass, *args = keys
 
     begin
-      record = ActiveSupport::Inflector.constantize(klass).to_adapter.get(id)
-      record if record && record.authenticatable_salt == salt
+      ActiveSupport::Inflector.constantize(klass).serialize_from_session(*args)
     rescue NameError => e
       if e.message =~ /uninitialized constant/
         Rails.logger.debug "[Devise] Trying to deserialize invalid class #{klass}"

data/lib/devise/schema.rb

@@ -3,11 +3,12 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
-    # Creates email when enabled (on by default), encrypted_password and password_salt.
+    # Creates encrypted_password, and email when it is used as an authentication
+    # key (default).
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :default - Should be set to "" when :null is false.
+    # * :default - Set to "" when :null is false, unless overridden.
     #
     # == Notes
     # For Datamapper compatibility, we explicitly hardcode the limit for the
@@ -21,7 +22,8 @@ module Devise
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
     end
 
-    # Creates password salt for encryption support.
+    # Creates password salt for encryption support when using encryptors other
+    # than the database_authenticable default of bcrypt.
     def encryptable
       apply_devise_schema :password_salt, String
     end

data/lib/devise/strategies/token_authenticatable.rb

@@ -39,7 +39,11 @@ module Devise
 
       # Try both scoped and non scoped keys.
       def params_auth_hash
-        params[scope] || params
+        if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
+          params[scope]
+        else
+          params
+        end
       end
 
       # Overwrite authentication keys to use token_authentication_key.

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.2".freeze
+  VERSION = "1.4.3".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -1,6 +1,7 @@
 require 'rails/generators/active_record'
 require 'generators/devise/orm_helpers'
 
+
 module ActiveRecord
   module Generators
     class DeviseGenerator < ActiveRecord::Generators::Base
@@ -9,14 +10,18 @@ module ActiveRecord
       include Devise::Generators::OrmHelpers
       source_root File.expand_path("../templates", __FILE__)
 
-      def generate_model
-        invoke "active_record:model", [name], :migration => false unless model_exists? && behavior == :invoke
-      end
-
       def copy_devise_migration
-        migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
+        if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
+          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}"
+        else
+          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
+        end
       end
 
+      def generate_model
+        invoke "active_record:model", [name], :migration => false unless model_exists? && behavior == :invoke
+      end
+      
       def inject_devise_content
         inject_into_class(model_path, class_name, model_contents + <<CONTENT) if model_exists?
   # Setup accessible (or protected) attributes for your model

data/lib/generators/active_record/templates/migration_existing.rb

@@ -0,0 +1,34 @@
+class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def self.up
+    change_table(:<%= table_name %>) do |t|
+      t.database_authenticatable :null => false
+      t.recoverable
+      t.rememberable
+      t.trackable
+    
+      # t.encryptable
+      # t.confirmable
+      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
+      # t.token_authenticatable
+
+<% for attribute in attributes -%>
+      t.<%= attribute.type %> :<%= attribute.name %>
+<% end -%>
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :<%= table_name %>, :email,                :unique => true
+    add_index :<%= table_name %>, :reset_password_token, :unique => true
+    # add_index :<%= table_name %>, :confirmation_token,   :unique => true
+    # add_index :<%= table_name %>, :unlock_token,         :unique => true
+    # add_index :<%= table_name %>, :authentication_token, :unique => true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration   
+  end
+end

data/lib/generators/devise/orm_helpers.rb

@@ -14,6 +14,14 @@ CONTENT
       def model_exists?
         File.exists?(File.join(destination_root, model_path))
       end
+      
+      def migration_exists?(table_name)
+        Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_to_#{table_name}.rb$/).first
+      end
+      
+      def migration_path
+        @migration_path ||= File.join("db", "migrate")
+      end
 
       def model_path
         @model_path ||= File.join("app", "models", "#{file_path}.rb")

data/lib/generators/templates/devise.rb

@@ -2,7 +2,8 @@
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|
   # ==> Mailer Configuration
-  # Configure the e-mail address which will be shown in DeviseMailer.
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
   config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
   # Configure the class responsible to send e-mails.
@@ -35,7 +36,7 @@ Devise.setup do |config|
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
   config.case_insensitive_keys = [ :email ]
-  
+
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
@@ -61,7 +62,11 @@ Devise.setup do |config|
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
-  config.stretches = 10
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments.
+  config.stretches = Rails.env.test? ? 1 : 10
 
   # Setup a pepper to generate the encrypted password.
   # config.pepper = <%= SecureRandom.hex(64).inspect %>
@@ -100,8 +105,10 @@ Devise.setup do |config|
   # Range for password length. Default is 6..128.
   # config.password_length = 6..128
 
-  # Regex to use to validate the email address
-  # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this