devise 1.4.9 → 1.5.0.rc1

data/lib/devise/models/recoverable.rb

@@ -40,7 +40,7 @@ module Devise
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
         generate_reset_password_token! if should_generate_token?
-        ::Devise.mailer.reset_password_instructions(self).deliver
+        self.devise_mailer.reset_password_instructions(self).deliver
       end
 
       # Checks if the reset password token sent is within the limit time.
@@ -64,7 +64,7 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        return true unless respond_to?(:reset_password_sent_at) 
+        return true unless respond_to?(:reset_password_sent_at)
         reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
       end
 
@@ -121,7 +121,7 @@ module Devise
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) 
+              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end

data/lib/devise/models/trackable.rb

@@ -12,11 +12,11 @@ module Devise
     #
     module Trackable
       def update_tracked_fields!(request)
-        old_current, new_current = self.current_sign_in_at, Time.now
+        old_current, new_current = self.current_sign_in_at, Time.now.utc
         self.last_sign_in_at     = old_current || new_current
         self.current_sign_in_at  = new_current
 
-        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        old_current, new_current = self.current_sign_in_ip, request.ip
         self.last_sign_in_ip     = old_current || new_current
         self.current_sign_in_ip  = new_current
 

data/lib/devise/omniauth.rb

@@ -1,12 +1,13 @@
 begin
-  require "omniauth/core"
+  require "omniauth"
+  require 'omniauth/version'
 rescue LoadError => e
-  warn "Could not load 'omniauth/core'. Please ensure you have the oa-core gem installed and listed in your Gemfile."
+  warn "Could not load 'omniauth'. Please ensure you have the omniauth gem >= 1.0.0 installed and listed in your Gemfile."
   raise
 end
 
-unless OmniAuth.config.respond_to? :test_mode
-  raise "You are using an old OmniAuth version, please ensure you have 0.2.0.beta version or later installed."
+unless OmniAuth::VERSION =~ /^1\./
+  raise "You are using an old OmniAuth version, please ensure you have 1.0.0.pr2 version or later installed."
 end
 
 # Clean up the default path_prefix. It will be automatically set by Devise.

data/lib/devise/omniauth/config.rb

@@ -2,23 +2,45 @@ module Devise
   module OmniAuth
     class Config
       attr_accessor :strategy
-      attr_reader :args
+      attr_reader :args, :options, :provider
 
       def initialize(provider, args)
         @provider = provider
         @args     = args
         @strategy = nil
+        @options = @args.last.is_a?(Hash) ? @args.last : {}
       end
 
       # open_id strategy can have configurable name
       def strategy_name
-        options = @args.last.is_a?(Hash) && @args.last
-        options && options[:name] ? options[:name] : @provider
+        options[:name] || @provider
       end
 
       def strategy_class
-        ::OmniAuth::Strategies.const_get("#{::OmniAuth::Utils.camelize(@provider.to_s)}")
+        find_strategy || require_strategy
+      end
+
+      def find_strategy
+        ::OmniAuth.strategies.find do |strategy_class|
+          strategy_class.to_s =~ /#{::OmniAuth::Utils.camelize(strategy_name)}$/ ||
+            strategy_class.default_options[:name] == strategy_name
+        end
+      end
+
+      def require_strategy
+        if [:facebook, :github, :twitter].include?(provider.to_sym)
+          require "omniauth/strategies/#{provider}"
+        elsif options[:require]
+          require options[:require]
+        else
+          require "omniauth-#{provider}"
+        end
+        find_strategy || autoload_strategy
+      end
+
+      def autoload_strategy
+        ::OmniAuth::Strategies.const_get(::OmniAuth::Utils.camelize(provider.to_s))
       end
     end
   end
-end     
+end     

data/lib/devise/param_filter.rb

@@ -0,0 +1,41 @@
+module Devise
+  class ParamFilter
+    def initialize(case_insensitive_keys, strip_whitespace_keys)
+      @case_insensitive_keys = case_insensitive_keys || []
+      @strip_whitespace_keys = strip_whitespace_keys || []
+    end
+
+    def filter(conditions)
+      conditions = stringify_params(conditions.dup)
+
+      @case_insensitive_keys.each do |k|
+        value = conditions[k]
+        next unless value.respond_to?(:downcase)
+        conditions[k] = value.downcase
+      end
+
+      @strip_whitespace_keys.each do |k|
+        value = conditions[k]
+        next unless value.respond_to?(:strip)
+        conditions[k] = value.strip
+      end
+
+      conditions
+    end
+
+    # Force keys to be string to avoid injection on mongoid related database.
+    def stringify_params(conditions)
+      return conditions unless conditions.is_a?(Hash)
+      conditions.each do |k, v|
+        conditions[k] = v.to_s if param_requires_string_conversion?(v)
+      end
+    end
+
+    private
+
+    # Determine which values should be transformed to string or passed as-is to the query builder underneath
+    def param_requires_string_conversion?(value)
+      true unless value.is_a?(TrueClass) || value.is_a?(FalseClass) || value.is_a?(Fixnum)
+    end
+  end
+end

data/lib/devise/rails.rb

@@ -17,17 +17,6 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
 
-    initializer "devise.auth_keys" do
-      if Devise.authentication_keys.size > 1
-        puts "[DEVISE] You are configuring Devise to use more than one authentication key. " \
-          "In previous versions, we automatically added #{Devise.authentication_keys[1..-1].inspect} " \
-          "as scope to your e-mail validation, but this was changed now. If you were relying in such " \
-          "behavior, you should remove :validatable from your models and add the validations manually. " \
-          "To get rid of this warning, you can comment config.authentication_keys in your initializer " \
-          "and pass the current values as key to the devise call in your model."
-      end
-    end
-
     initializer "devise.omniauth" do |app|
       Devise.omniauth_configs.each do |provider, config|
         app.middleware.use config.strategy_class, *config.args do |strategy|

data/lib/devise/rails/routes.rb

@@ -49,23 +49,23 @@ module ActionDispatch::Routing
     #
     # You can configure your routes with some options:
     #
-    #  * :class_name => setup a different class to be looked up by devise,
-    #                   if it cannot be correctly find by the route name.
+    #  * :class_name => setup a different class to be looked up by devise, if it cannot be
+    #    properly found by the route name.
     #
     #      devise_for :users, :class_name => 'Account'
     #
     #  * :path => allows you to setup path name that will be used, as rails routes does.
-    #             The following route configuration would setup your route as /accounts instead of /users:
+    #    The following route configuration would setup your route as /accounts instead of /users:
     #
     #      devise_for :users, :path => 'accounts'
     #
-    #  * :singular => setup the singular name for the given resource. This is used as the instance variable name in
-    #                 controller, as the name in routes and the scope given to warden.
+    #  * :singular => setup the singular name for the given resource. This is used as the instance variable
+    #    name in controller, as the name in routes and the scope given to warden.
     #
     #      devise_for :users, :singular => :user
     #
     #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
-    #                   :password, :confirmation, :unlock.
+    #    :password, :confirmation, :unlock.
     #
     #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification' }
     #
@@ -74,6 +74,9 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :controllers => { :sessions => "users/sessions" }
     #
+    #  * :failure_app => a rack app which is invoked whenever there is a failure. Strings representing a given
+    #    are also allowed as parameter.
+    #
     #  * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
@@ -354,7 +357,7 @@ module ActionDispatch::Routing
         path_prefix = "/#{mapping.path}/auth".squeeze("/")
 
         if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
-          warn "[DEVISE] You can only add :omniauthable behavior to one model."
+          raise "You can only add :omniauthable behavior to one Devise model"
         else
           ::OmniAuth.config.path_prefix = path_prefix
         end

data/lib/devise/strategies/authenticatable.rb

@@ -85,17 +85,7 @@ module Devise
 
       # By default, a request is valid  if the controller is allowed and the VERB is POST.
       def valid_request?
-        if env["devise.allow_params_authentication"]
-          true
-        elsif request.post? && mapping.controllers[:sessions] == params[:controller]
-          ActiveSupport::Deprecation.warn "It seems that you are using a custom SessionsController. " \
-            "In order for it to work from Devise 1.4.6 forward, you need to add the following:" \
-            "\n\n  prepend_before_filter :allow_params_authentication!, :only => :create\n\n" \
-            "This will ensure your controller can authenticate from params for the create action.", caller
-          true
-        else
-          false
-        end
+        !!env["devise.allow_params_authentication"]
       end
 
       # If the request is valid, finally check if params_auth_hash returns a hash.

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.9".freeze
+  VERSION = "1.5.0.rc1".freeze
 end

data/lib/generators/active_record/templates/migration.rb

@@ -1,5 +1,9 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
+<% if ::Rails::VERSION::MAJOR == 3 && ::Rails::VERSION::MINOR >= 1 -%>
+  def change
+<% else -%>
   def self.up
+<% end -%>
     create_table(:<%= table_name %>) do |t|
       t.database_authenticatable :null => false
       t.recoverable
@@ -11,7 +15,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
       # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
       # t.token_authenticatable
 
-<% for attribute in attributes -%>
+<% attributes.each do |attribute| -%>
       t.<%= attribute.type %> :<%= attribute.name %>
 <% end -%>
 
@@ -25,7 +29,9 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
     # add_index :<%= table_name %>, :authentication_token, :unique => true
   end
 
+<% unless ::Rails::VERSION::MAJOR == 3 && ::Rails::VERSION::MINOR >= 1 -%>
   def self.down
     drop_table :<%= table_name %>
   end
+<% end -%>
 end

data/lib/generators/active_record/templates/migration_existing.rb

@@ -5,13 +5,13 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
       t.recoverable
       t.rememberable
       t.trackable
-    
+
       # t.encryptable
       # t.confirmable
       # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
       # t.token_authenticatable
 
-<% for attribute in attributes -%>
+<% attributes.each do |attribute| -%>
       t.<%= attribute.type %> :<%= attribute.name %>
 <% end -%>
 
@@ -29,6 +29,6 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
   def self.down
     # By default, we don't want to make any assumption about how to roll back a migration when your
     # model already existed. Please edit below which fields you would like to remove in this migration.
-    raise ActiveRecord::IrreversibleMigration   
+    raise ActiveRecord::IrreversibleMigration
   end
 end

data/lib/generators/devise/views_generator.rb

@@ -23,8 +23,8 @@ module Devise
 
       protected
 
-      def view_directory(name)
-        directory name.to_s, "#{target_path}/#{name}"
+      def view_directory(name, _target_path = nil)
+        directory name.to_s, _target_path || "#{target_path}/#{name}"
       end
 
       def target_path
@@ -39,7 +39,6 @@ module Devise
 
       # Override copy_views to just copy mailer and shared.
       def copy_views
-        view_directory :mailer
         view_directory :shared
       end
     end
@@ -56,6 +55,30 @@ module Devise
       desc "Copies simple form enabled views to your application."
     end
 
+    class ErbGenerator < Rails::Generators::Base #:nodoc:
+      include ViewPathTemplates
+      source_root File.expand_path("../../../../app/views/devise", __FILE__)
+      desc "Copies Devise mail erb views to your application."
+
+      def copy_views
+        view_directory :mailer
+      end
+    end
+
+    class MarkerbGenerator < Rails::Generators::Base #:nodoc:
+      include ViewPathTemplates
+      source_root File.expand_path("../../templates", __FILE__)
+      desc "Copies Devise mail markerb views to your application."
+
+      def copy_views
+        view_directory :markerb, target_path
+      end
+
+      def target_path
+        "app/views/#{scope || :devise}/mailer"
+      end
+    end
+
     class ViewsGenerator < Rails::Generators::Base
       desc "Copies Devise views to your application."
 
@@ -63,10 +86,13 @@ module Devise
                        :desc => "The scope to copy views to"
 
       invoke SharedViewsGenerator
-
       hook_for :form_builder, :aliases => "-b",
                               :desc => "Form builder to be used",
                               :default => defined?(SimpleForm) ? "simple_form_for" : "form_for"
+
+      hook_for :markerb,  :desc => "Generate markerb instead of erb mail views",
+                          :default => defined?(Markerb) ? :markerb : :erb,
+                          :type => :boolean
     end
   end
 end

data/lib/generators/templates/devise.rb

@@ -203,7 +203,6 @@ Devise.setup do |config|
   # change the failure app, you can configure them inside the config.warden block.
   #
   # config.warden do |manager|
-  #   manager.failure_app   = AnotherApp
   #   manager.intercept_401 = false
   #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
   # end

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -0,0 +1,5 @@
+Welcome <%= @resource.email %>!
+
+You can confirm your account through the link below:
+
+<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>

data/lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -0,0 +1,8 @@
+Hello <%= @resource.email %>!
+
+Someone has requested a link to change your password, and you can do this through the link below.
+
+<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+
+If you didn't request this, please ignore this email.
+Your password won't change until you access the link above and create a new one.

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -0,0 +1,7 @@
+Hello <%= @resource.email %>!
+
+Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+
+Click the link below to unlock your account:
+
+<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>

data/test/controllers/helpers_test.rb

@@ -128,6 +128,26 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     @controller.sign_in(user, :bypass => true)
   end
 
+  test 'sign out clears up any signed in user from all scopes' do
+    user = User.new
+    @mock_warden.expects(:user).times(Devise.mappings.size)
+    @mock_warden.expects(:logout).with().returns(true)
+    @controller.instance_variable_set(:@current_user, user)
+    @controller.instance_variable_set(:@current_admin, user)
+    @controller.sign_out
+    assert_equal nil, @controller.instance_variable_get(:@current_user)
+    assert_equal nil, @controller.instance_variable_get(:@current_admin)
+  end
+
+  test 'sign out clears up any signed in user by scope' do
+    user = User.new
+    @mock_warden.expects(:user).with(:user).returns(user)
+    @mock_warden.expects(:logout).with(:user).returns(true)
+    @controller.instance_variable_set(:@current_user, user)
+    @controller.sign_out(:user)
+    assert_equal nil, @controller.instance_variable_get(:@current_user)
+  end
+  
   test 'sign out proxy to logout on warden' do
     @mock_warden.expects(:user).with(:user).returns(true)
     @mock_warden.expects(:logout).with(:user).returns(true)
@@ -208,17 +228,6 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     @controller.sign_in_and_redirect(admin)
   end
 
-  test 'redirect_location returns the stored location if set' do
-    user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
-    assert_equal '/foo.bar', @controller.redirect_location('user', user)
-  end
-
-  test 'redirect_location returns the after sign in path by default' do
-    user = User.new
-    assert_equal @controller.after_sign_in_path_for(:user), @controller.redirect_location('user', user)
-  end
-
   test 'sign out and redirect uses the configured after sign out path when signing out only the current scope' do
     swap Devise, :sign_out_all_scopes => false do
       @mock_warden.expects(:user).with(:admin).returns(true)

data/test/devise_test.rb

@@ -25,7 +25,7 @@ class DeviseTest < ActiveSupport::TestCase
   end
 
   test 'stores warden configuration' do
-    assert_equal Devise::FailureApp, Devise.warden_config.failure_app
+    assert_kind_of Devise::Delegator, Devise.warden_config.failure_app
     assert_equal :user, Devise.warden_config.default_scope
   end