devise 1.4.9 → 1.5.0.rc1

data/lib/devise/controllers/internal_helpers.rb

@@ -91,6 +91,7 @@ MESSAGE
       # Example:
       #   before_filter :require_no_authentication, :only => :new
       def require_no_authentication
+        return unless is_navigational_format?
         no_input = devise_mapping.no_input_strategies
         args = no_input.dup.push :scope => resource_name
         if no_input.present? && warden.authenticate?(*args)
@@ -100,15 +101,20 @@ MESSAGE
         end
       end
 
-      # Helper for use to validate if an resource is errorless. If we are on paranoid mode, we always should assume it is
-      # and return false.
-      def successful_and_sane?(resource)
-        if Devise.paranoid
-          set_flash_message :notice, :send_paranoid_instructions if is_navigational_format?
+      # Helper for use after calling send_*_instructions methods on a resource.
+      # If we are in paranoid mode, we always act as if the resource was valid
+      # and instructions were sent.
+      def successfully_sent?(resource)
+        notice = if Devise.paranoid
           resource.errors.clear
-          false
-        else
-          resource.errors.empty?
+          :send_paranoid_instructions
+        elsif resource.errors.empty?
+          :send_instructions
+        end
+
+        if notice
+          set_flash_message :notice, notice if is_navigational_format?
+          true
         end
       end
 

data/lib/devise/delegator.rb

@@ -0,0 +1,16 @@
+module Devise
+  # Checks the scope in the given environment and returns the associated failure app.
+  class Delegator
+    def call(env)
+      failure_app(env).call(env)
+    end
+
+    def failure_app(env)
+      app = env["warden.options"] &&
+        (scope = env["warden.options"][:scope]) &&
+        Devise.mappings[scope].failure_app
+
+      app || Devise::FailureApp
+    end
+  end
+end

data/lib/devise/encryptors/authlogic_sha512.rb

@@ -7,7 +7,7 @@ module Devise
     # Warning: it uses Devise's stretches configuration to port Authlogic's one. Should be set to 20 in the initializer to simulate
     #  the default behavior.
     class AuthlogicSha512 < Base
-      # Gererates a default password digest based on salt, pepper and the
+      # Generates a default password digest based on salt, pepper and the
       # incoming password.
       def self.digest(password, stretches, salt, pepper)
         digest = [password, salt].flatten.join('')

data/lib/devise/encryptors/clearance_sha1.rb

@@ -7,7 +7,7 @@ module Devise
     # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
     # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES
     class ClearanceSha1 < Base
-      # Gererates a default password digest based on salt, pepper and the
+      # Generates a default password digest based on salt, pepper and the
       # incoming password.
       def self.digest(password, stretches, salt, pepper)
         Digest::SHA1.hexdigest("--#{salt}--#{password}--")

data/lib/devise/encryptors/restful_authentication_sha1.rb

@@ -9,7 +9,7 @@ module Devise
     # the initializer to simulate the default behavior.
     class RestfulAuthenticationSha1 < Base
 
-      # Gererates a default password digest based on salt, pepper and the
+      # Generates a default password digest based on salt, pepper and the
       # incoming password.
       def self.digest(password, stretches, salt, pepper)
         digest = pepper

data/lib/devise/encryptors/sha1.rb

@@ -5,7 +5,7 @@ module Devise
     # = Sha1
     # Uses the Sha1 hash algorithm to encrypt passwords.
     class Sha1 < Base
-      # Gererates a default password digest based on stretches, salt, pepper and the
+      # Generates a default password digest based on stretches, salt, pepper and the
       # incoming password.
       def self.digest(password, stretches, salt, pepper)
         digest = pepper

data/lib/devise/encryptors/sha512.rb

@@ -5,7 +5,7 @@ module Devise
     # = Sha512
     # Uses the Sha512 hash algorithm to encrypt passwords.
     class Sha512 < Base
-      # Gererates a default password digest based on salt, pepper and the
+      # Generates a default password digest based on salt, pepper and the
       # incoming password.
       def self.digest(password, stretches, salt, pepper)
         digest = pepper

data/lib/devise/failure_app.rb

@@ -15,7 +15,8 @@ module Devise
     delegate :flash, :to => :request
 
     def self.call(env)
-      action(:respond).call(env)
+      @respond ||= action(:respond)
+      @respond.call(env)
     end
 
     def self.default_url_options(*args)

data/lib/devise/hooks/timeoutable.rb

@@ -17,6 +17,8 @@ Warden::Manager.after_set_user do |record, warden, options|
       end
     end
 
-    warden.session(scope)['last_request_at'] = Time.now.utc
+    unless warden.request.env['devise.skip_trackable']
+      warden.session(scope)['last_request_at'] = Time.now.utc
+    end
   end
 end

data/lib/devise/mailers/helpers.rb

@@ -10,11 +10,6 @@ module Devise
 
       protected
 
-      def setup_mail(*args)
-        ActiveSupport::Deprecation.warn "setup_mail is deprecated, please use devise_mail instead", caller
-        devise_mail(*args)
-      end
-
       # Configure default email options
       def devise_mail(record, action)
         initialize_from_record(record)

data/lib/devise/mapping.rb

@@ -23,7 +23,9 @@ module Devise
   #
   class Mapping #:nodoc:
     attr_reader :singular, :scoped_path, :path, :controllers, :path_names,
-                :class_name, :sign_out_via, :format, :used_routes, :used_helpers
+                :class_name, :sign_out_via, :format, :used_routes, :used_helpers,
+                :constraints, :defaults, :failure_app
+
     alias :name :singular
 
     # Receives an object and find a scope for it. If a scope cannot be found,
@@ -51,46 +53,21 @@ module Devise
       @singular = (options[:singular] || @scoped_path.tr('/', '_').singularize).to_sym
 
       @class_name = (options[:class_name] || name.to_s.classify).to_s
-      @ref = Devise.ref(@class_name)
+      @klass = Devise.ref(@class_name)
 
       @path = (options[:path] || name).to_s
       @path_prefix = options[:path_prefix]
 
-      mod = options[:module] || "devise"
-      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
-      @controllers.merge!(options[:controllers] || {})
-      @controllers.each { |k,v| @controllers[k] = v.to_s }
-
-      @path_names = Hash.new { |h,k| h[k] = k.to_s }
-      @path_names.merge!(:registration => "")
-      @path_names.merge!(options[:path_names] || {})
-      
-      @constraints = Hash.new { |h,k| h[k] = k.to_s }
-      @constraints.merge!(options[:constraints] || {})
-
-      @defaults = Hash.new { |h,k| h[k] = k.to_s }
-      @defaults.merge!(options[:defaults] || {})
-
       @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
       @format = options[:format]
 
-      singularizer = lambda { |s| s.to_s.singularize.to_sym }
-
-      if options.has_key?(:only)
-        @used_routes = self.routes & Array(options[:only]).map(&singularizer)
-      elsif options[:skip] == :all
-        @used_routes = []
-      else
-        @used_routes = self.routes - Array(options[:skip]).map(&singularizer)
-      end
-
-      if options[:skip_helpers] == true
-        @used_helpers = @used_routes
-      elsif skip = options[:skip_helpers]
-        @used_helpers = self.routes - Array(skip).map(&singularizer)
-      else
-        @used_helpers = self.routes
-      end
+      default_failure_app(options)
+      default_controllers(options)
+      default_path_names(options)
+      default_constraints(options)
+      default_defaults(options)
+      default_used_route(options)
+      default_used_helpers(options)
     end
 
     # Return modules for the mapping.
@@ -100,7 +77,7 @@ module Devise
 
     # Gives the class the mapping points to.
     def to
-      @ref.get
+      @klass.get
     end
 
     def strategies
@@ -122,15 +99,7 @@ module Devise
     def fullpath
       "/#{@path_prefix}/#{@path}".squeeze("/")
     end
-    
-    def constraints
-      @constraints
-    end
-    
-    def defaults
-      @defaults
-    end
-    
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #
@@ -145,5 +114,62 @@ module Devise
         end
       METHOD
     end
+
+    private
+
+    def default_failure_app(options)
+      @failure_app = options[:failure_app] || Devise::FailureApp
+      if @failure_app.is_a?(String)
+        ref = Devise.ref(@failure_app)
+        @failure_app = lambda { |env| ref.get.call(env) }
+      end
+    end
+
+    def default_controllers(options)
+      mod = options[:module] || "devise"
+      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
+      @controllers.merge!(options[:controllers]) if options[:controllers]
+      @controllers.each { |k,v| @controllers[k] = v.to_s }
+    end
+
+    def default_path_names(options)
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names[:registration] = ""
+      @path_names.merge!(options[:path_names]) if options[:path_names]
+    end
+
+    def default_constraints(options)
+      @constraints = Hash.new
+      @constraints.merge!(options[:constraints]) if options[:constraints]
+    end
+
+    def default_defaults(options)
+      @defaults = Hash.new
+      @defaults.merge!(options[:defaults]) if options[:defaults]
+    end
+
+    def default_used_route(options)
+      singularizer = lambda { |s| s.to_s.singularize.to_sym }
+
+      if options.has_key?(:only)
+        @used_routes = self.routes & Array(options[:only]).map(&singularizer)
+      elsif options[:skip] == :all
+        @used_routes = []
+      else
+        @used_routes = self.routes - Array(options[:skip]).map(&singularizer)
+      end
+    end
+
+    def default_used_helpers(options)
+      singularizer = lambda { |s| s.to_s.singularize.to_sym }
+
+      if options[:skip_helpers] == true
+        @used_helpers = @used_routes
+      elsif skip = options[:skip_helpers]
+        @used_helpers = self.routes - Array(skip).map(&singularizer)
+      else
+        @used_helpers = self.routes
+      end
+    end
   end
 end

data/lib/devise/models/authenticatable.rb

@@ -27,7 +27,7 @@ module Devise
     #
     # == active_for_authentication?
     #
-    # Before authenticating a user and in each request, Devise checks if your model is active by
+    # After authenticating a user and in each request, Devise checks if your model is active by
     # calling model.active_for_authentication?. This method is overwriten by other devise modules. For instance,
     # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
     #
@@ -61,11 +61,7 @@ module Devise
       # However, you should not overwrite this method, you should overwrite active_for_authentication?
       # and inactive_message instead.
       def valid_for_authentication?
-        if active_for_authentication?
-          block_given? ? yield : true
-        else
-          inactive_message
-        end
+        block_given? ? yield : true
       end
 
       def active_for_authentication?
@@ -79,6 +75,10 @@ module Devise
       def authenticatable_salt
       end
 
+      def devise_mailer
+        Devise.mailer
+      end
+
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 
@@ -112,10 +112,11 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
-          conditions = filter_auth_params(conditions.dup)
-          (case_insensitive_keys || []).each { |k| conditions[k].try(:downcase!) }
-          (strip_whitespace_keys || []).each { |k| conditions[k].try(:strip!) }
-          to_adapter.find_first(conditions)
+          find_first_by_auth_conditions(conditions)
+        end
+
+        def find_first_by_auth_conditions(conditions)
+          to_adapter.find_first devise_param_filter.filter(conditions)
         end
 
         # Find an initialize a record setting an error if it can't be found.
@@ -125,14 +126,11 @@ module Devise
 
         # Find an initialize a group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          (case_insensitive_keys || []).each { |k| attributes[k].try(:downcase!) }
-          (strip_whitespace_keys || []).each { |k| attributes[k].try(:strip!) }
-
           attributes = attributes.slice(*required_attributes)
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = to_adapter.find_first(filter_auth_params(attributes))
+            record = find_first_by_auth_conditions(attributes)
           end
 
           unless record
@@ -150,16 +148,8 @@ module Devise
 
         protected
 
-        # Force keys to be string to avoid injection on mongoid related database.
-        def filter_auth_params(conditions)
-          conditions.each do |k, v|
-            conditions[k] = v.to_s if auth_param_requires_string_conversion?(v)
-          end if conditions.is_a?(Hash)
-        end
-        
-        # Determine which values should be transformed to string or passed as-is to the query builder underneath
-        def auth_param_requires_string_conversion?(value)
-          true unless value.is_a?(TrueClass) || value.is_a?(FalseClass) || value.is_a?(Fixnum)
+        def devise_param_filter
+          @devise_param_filter ||= Devise::ParamFilter.new(case_insensitive_keys, strip_whitespace_keys)
         end
 
         # Generate a token by looping and ensuring does not already exist.

data/lib/devise/models/confirmable.rb

@@ -34,7 +34,7 @@ module Devise
       def confirm!
         unless_confirmed do
           self.confirmation_token = nil
-          self.confirmed_at = Time.now
+          self.confirmed_at = Time.now.utc
           save(:validate => false)
         end
       end
@@ -47,7 +47,7 @@ module Devise
       # Send confirmation instructions by email
       def send_confirmation_instructions
         generate_confirmation_token! if self.confirmation_token.nil?
-        ::Devise.mailer.confirmation_instructions(self).deliver
+        self.devise_mailer.confirmation_instructions(self).deliver
       end
 
       # Resend confirmation token. This method does not need to generate a new token.
@@ -71,7 +71,7 @@ module Devise
       # If you don't want confirmation to be sent on create, neither a code
       # to be generated, call skip_confirmation!
       def skip_confirmation!
-        self.confirmed_at = Time.now
+        self.confirmed_at = Time.now.utc
       end
 
       protected

data/lib/devise/models/database_authenticatable.rb

@@ -73,7 +73,17 @@ module Devise
       end
 
       # Updates record attributes without asking for the current password.
-      # Never allows to change the current password
+      # Never allows to change the current password. If you are using this
+      # method, you should probably override this method to protect other
+      # attributes you would not like to be updated without a password.
+      #
+      # Example:
+      #
+      #   def update_without_password(params={})
+      #     params.delete(:email)
+      #     super(params)
+      #   end
+      #
       def update_without_password(params={})
         params.delete(:password)
         params.delete(:password_confirmation)

data/lib/devise/models/lockable.rb

@@ -24,7 +24,7 @@ module Devise
 
       # Lock a user setting its locked_at to actual time.
       def lock_access!
-        self.locked_at = Time.now
+        self.locked_at = Time.now.utc
 
         if unlock_strategy_enabled?(:email)
           generate_unlock_token
@@ -49,7 +49,7 @@ module Devise
 
       # Send unlock instructions by email
       def send_unlock_instructions
-        ::Devise.mailer.unlock_instructions(self).deliver
+        self.devise_mailer.unlock_instructions(self).deliver
       end
 
       # Resend the unlock instructions if the user is locked.
@@ -79,25 +79,21 @@ module Devise
         # if the user can login or not (wrong password, etc)
         unlock_access! if lock_expired?
 
-        case (result = super)
-        when Symbol
-          return result
-        when TrueClass
+        if super
           self.failed_attempts = 0
           save(:validate => false)
-        when FalseClass
-          # PostgreSQL uses nil as the default value for integer columns set to 0
+          true
+        else
           self.failed_attempts ||= 0
           self.failed_attempts += 1
           if attempts_exceeded?
-            lock_access!
+            lock_access! unless access_locked?
             return :locked
           else
             save(:validate => false)
           end
+          false
         end
-
-        result
       end
 
       protected