devise 1.5.4 → 2.0.0.rc

data/.gitignore

@@ -8,5 +8,3 @@ rdoc/*
 pkg
 log
 test/tmp/*
-Gemfile.lock
-

data/CHANGELOG.rdoc

@@ -1,7 +1,20 @@
-== 1.5.4
+== 2.0.0.rc
 
-* bug fix
-  * Require string conversion for all values
+Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
+
+* enhancements
+  * Add support for e-mail reconfirmation on change (by github.com/Mandaryn and github.com/heimidal)
+  * Redirect users to sign in page after unlock (by github.com/nashby)
+
+* deprecation
+  * Devise.apply_schema is deprecated
+  * Devise migration helpers are deprecated
+  * Usage of Devise.remember_across_browsers was deprecated
+  * Usage of Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
+  * Usage of rememberable with remember_token was removed
+  * Usage of recoverable without reset_password_sent_at was removed
+  * Usage of Devise.case_insensitive_keys equals to false was removed
+  * Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
 
 == 1.5.3
 
@@ -10,13 +23,11 @@
   * Ensure passing :format => false to devise_for is not permanent
   * Ensure path checker does not check invalid routes
 
-* warden regression
-  * using warden 1.2.1 with Devise 1.5.3 introduces a regression for some types of functional tests (see github.com/plataformatec/devise/issues/1928).  Can peg warden to 1.2.0 in your Gemfile to fix this.
 == 1.5.2
 
 * enhancements
-  * Add support for rails 3.1 new mass assignment conventions (by github.com/kirs)
-  * Add timeout_in method to Timeoutable, it can be overriden in a model (by github.com/lest)
+  * Add support for Rails 3.1 new mass assignment conventions (by github.com/kirs)
+  * Add timeout_in method to Timeoutable, it can be overridden in a model (by github.com/lest)
 
 * bug fix
   * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)

data/Gemfile.lock

@@ -0,0 +1,168 @@
+PATH
+  remote: .
+  specs:
+    devise (1.5.2)
+      bcrypt-ruby (~> 3.0)
+      orm_adapter (~> 0.0.3)
+      warden (~> 1.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.1.3)
+      actionpack (= 3.1.3)
+      mail (~> 2.3.0)
+    actionpack (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.5)
+      rack-cache (~> 1.1)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.3)
+    activemodel (3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+    activesupport (3.1.3)
+      multi_json (~> 1.0)
+    addressable (2.2.6)
+    arel (2.2.1)
+    bcrypt-ruby (3.0.1)
+    bson (1.5.1)
+    bson_ext (1.3.1)
+    builder (3.0.0)
+    columnize (0.3.5)
+    erubis (2.7.0)
+    faraday (0.7.5)
+      addressable (~> 2.2.6)
+      multipart-post (~> 1.1.3)
+      rack (>= 1.1.0, < 2)
+    hashie (1.2.0)
+    hike (1.2.1)
+    i18n (0.6.0)
+    json (1.6.3)
+    linecache (0.46)
+      rbx-require-relative (> 0.0.4)
+    mail (2.3.0)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    metaclass (0.0.1)
+    mime-types (1.17.2)
+    mocha (0.10.0)
+      metaclass (~> 0.0.1)
+    mongo (1.3.1)
+      bson (>= 1.3.1)
+    mongoid (2.3.4)
+      activemodel (~> 3.1)
+      mongo (~> 1.3)
+      tzinfo (~> 0.3.22)
+    multi_json (1.0.4)
+    multipart-post (1.1.4)
+    nokogiri (1.5.0)
+    oauth2 (0.5.1)
+      faraday (~> 0.7.4)
+      multi_json (~> 1.0.3)
+    omniauth (1.0.1)
+      hashie (~> 1.2)
+      rack
+    omniauth-facebook (1.0.0)
+      omniauth-oauth2 (~> 1.0.0)
+    omniauth-oauth2 (1.0.0)
+      oauth2 (~> 0.5.0)
+      omniauth (~> 1.0)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    orm_adapter (0.0.5)
+    polyglot (0.3.3)
+    rack (1.3.5)
+    rack-cache (1.1)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.1.3)
+      actionmailer (= 3.1.3)
+      actionpack (= 3.1.3)
+      activerecord (= 3.1.3)
+      activeresource (= 3.1.3)
+      activesupport (= 3.1.3)
+      bundler (~> 1.0)
+      railties (= 3.1.3)
+    railties (3.1.3)
+      actionpack (= 3.1.3)
+      activesupport (= 3.1.3)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rbx-require-relative (0.0.5)
+    rdoc (3.11)
+      json (~> 1.4)
+    ruby-debug (0.10.4)
+      columnize (>= 0.1)
+      ruby-debug-base (~> 0.10.4.0)
+    ruby-debug-base (0.10.4)
+      linecache (>= 0.3)
+    ruby-openid (2.1.8)
+    sprockets (2.0.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.5)
+    sqlite3-ruby (1.3.3)
+      sqlite3 (>= 1.3.3)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    warden (1.1.0)
+      rack (>= 1.0)
+    webrat (0.7.2)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbc-adapter
+  activerecord-jdbcsqlite3-adapter
+  bson_ext (~> 1.3.0)
+  devise!
+  jruby-openssl
+  mocha
+  mongo (~> 1.3.0)
+  mongoid (~> 2.0)
+  omniauth (~> 1.0.0)
+  omniauth-facebook
+  omniauth-oauth2 (~> 1.0.0)
+  omniauth-openid (~> 1.0.1)
+  rails (~> 3.1.0)
+  rdoc
+  ruby-debug (>= 0.10.3)
+  sqlite3-ruby
+  webrat (= 0.7.2)

data/README.rdoc

@@ -1,3 +1,5 @@
+*IMPORTANT:* Devise 2.0.0.rc is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
+
 == Devise
 
 {<img src="https://secure.travis-ci.org/plataformatec/devise.png" />}[http://travis-ci.org/plataformatec/devise]

data/app/controllers/devise/registrations_controller.rb

@@ -41,7 +41,12 @@ class Devise::RegistrationsController < ApplicationController
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
 
     if resource.update_with_password(params[resource_name])
-      set_flash_message :notice, :updated if is_navigational_format?
+      if is_navigational_format?
+        if resource.respond_to?(:pending_reconfirmation?) && resource.pending_reconfirmation?
+          flash_key = :update_needs_confirmation
+        end
+        set_flash_message :notice, flash_key || :updated
+      end
       sign_in resource_name, resource, :bypass => true
       respond_with resource, :location => after_update_path_for(resource)
     else

data/app/controllers/devise/unlocks_controller.rb

@@ -25,8 +25,7 @@ class Devise::UnlocksController < ApplicationController
 
     if resource.errors.empty?
       set_flash_message :notice, :unlocked if is_navigational_format?
-      sign_in(resource_name, resource)
-      respond_with_navigational(resource){ redirect_to after_sign_in_path_for(resource) }
+      respond_with_navigational(resource){ redirect_to new_session_path(resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -1,5 +1,5 @@
 <p>Welcome <%= @resource.email %>!</p>
 
-<p>You can confirm your account through the link below:</p>
+<p>You can confirm your account email through the link below:</p>
 
 <p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

data/config/locales/en.yml

@@ -37,6 +37,7 @@ en:
       signed_up: 'Welcome! You have signed up successfully.'
       inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
       updated: 'You updated your account successfully.'
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm link to finalize confirming your new email address."
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
       reasons:
         inactive: 'inactive'

data/lib/devise.rb

@@ -84,7 +84,7 @@ module Devise
   # False by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
   @@case_insensitive_keys = false
-  
+
   # Keys that should have whitespace stripped.
   # False by default for backwards compatibility.
   mattr_accessor :strip_whitespace_keys
@@ -120,27 +120,23 @@ module Devise
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
 
-  # If true, a valid remember token can be re-used between multiple browsers.
-  mattr_accessor :remember_across_browsers
-  @@remember_across_browsers = true
-
   # If true, extends the user's remember period when remembered via cookie.
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false
 
-  # If true, uses salt as remember token and does not create it in the database.
-  # By default is false for backwards compatibility.
-  mattr_accessor :use_salt_as_remember_token
-  @@use_salt_as_remember_token = false
-
   # Time interval you can access your account before confirming your account.
-  mattr_accessor :confirm_within
-  @@confirm_within = 0.days
+  mattr_accessor :allow_unconfirmed_access_for
+  @@allow_unconfirmed_access_for = 0.days
 
-  # Defines which key will be used when confirming an account
+  # Defines which key will be used when confirming an account.
   mattr_accessor :confirmation_keys
   @@confirmation_keys = [ :email ]
 
+  # Defines if email should be reconfirmable.
+  # False by default for backwards compatibility.
+  mattr_accessor :reconfirmable
+  @@reconfirmable = false
+
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
@@ -153,11 +149,6 @@ module Devise
   mattr_accessor :encryptor
   @@encryptor = nil
 
-  # Tells if devise should apply the schema in ORMs where devise declaration
-  # and schema belongs to the same class (as Datamapper and Mongoid).
-  mattr_accessor :apply_schema
-  @@apply_schema = true
-
   # Scoped views. Since it relies on fallbacks to render default views, it's
   # turned off by default.
   mattr_accessor :scoped_views
@@ -190,6 +181,7 @@ module Devise
   @@reset_password_keys = [ :email ]
 
   # Time interval you can reset your password with a reset password key
+  # Nil by default for backwards compatibility.
   mattr_accessor :reset_password_within
   @@reset_password_within = nil
 
@@ -205,9 +197,9 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
-  # If true, authentication through token does not store user in session
-  mattr_accessor :stateless_token
-  @@stateless_token = false
+  # Skip session storage for the following strategies
+  mattr_accessor :skip_session_storage
+  @@skip_session_storage = []
 
   # Which formats should be treated as navigational.
   # We need both :"*/*" and "*/*" to work on different Rails versions.
@@ -222,6 +214,33 @@ module Devise
   mattr_accessor :sign_out_via
   @@sign_out_via = :get
 
+  # DEPRECATED CONFIG
+
+  # If true, uses salt as remember token and does not create it in the database.
+  # By default is false for backwards compatibility.
+  mattr_accessor :use_salt_as_remember_token
+  @@use_salt_as_remember_token = false
+
+  # Tells if devise should apply the schema in ORMs where devise declaration
+  # and schema belongs to the same class (as Datamapper and Mongoid).
+  mattr_accessor :apply_schema
+  @@apply_schema = true
+
+  def self.remember_across_browsers=(value)
+    warn "\n[DEVISE] Devise.remember_across_browsers is deprecated and has no effect. Please remove it.\n"
+  end
+
+  def self.confirm_within=(value)
+    warn "\n[DEVISE] Devise.confirm_within= is deprecated. Please set Devise.allow_unconfirmed_access_for= instead.\n"
+    Devise.allow_unconfirmed_access_for = value
+  end
+
+  def self.stateless_token=(value)
+    warn "\n[DEVISE] Devise.stateless_token= is deprecated. Please append :token_auth to Devise.skip_session_storage " \
+      "instead, for example: Devise.skip_session_storage << :token_auth\n"
+    Devise.skip_session_storage << :token_auth
+  end
+
   # PRIVATE CONFIGURATION
 
   # Store scopes mappings.
@@ -361,7 +380,7 @@ module Devise
   # initialization.
   #
   #  Devise.initialize do |config|
-  #    config.confirm_within = 2.days
+  #    config.allow_unconfirmed_access_for = 2.days
   #
   #    config.warden do |manager|
   #      # Configure warden to use other strategies, like oauth.

data/lib/devise/controllers/internal_helpers.rb

@@ -93,8 +93,15 @@ MESSAGE
       def require_no_authentication
         return unless is_navigational_format?
         no_input = devise_mapping.no_input_strategies
-        args = no_input.dup.push :scope => resource_name
-        if no_input.present? && warden.authenticate?(*args)
+
+        authenticated = if no_input.present?
+          args = no_input.dup.push :scope => resource_name
+          warden.authenticate?(*args)
+        else
+          warden.authenticated?(resource_name)
+        end
+
+        if authenticated
           resource = warden.user(resource_name)
           flash[:alert] = I18n.t("devise.failure.already_authenticated")
           redirect_to after_sign_in_path_for(resource)

data/lib/devise/models/authenticatable.rb

@@ -25,6 +25,11 @@ module Devise
     #   * +params_authenticatable+: if this model allows authentication through request params. By default true.
     #     It also accepts an array specifying the strategies that should allow params authentication.
     #
+    #   * +skip_session_storage+: By default Devise will store the user in session.
+    #     You can skip storage for http and token auth by appending values to array:
+    #     :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],
+    #     by default is set to :skip_session_storage => [:http_auth].
+    #
     # == active_for_authentication?
     #
     # After authenticating a user and in each request, Devise checks if your model is active by
@@ -52,6 +57,9 @@ module Devise
       included do
         class_attribute :devise_modules, :instance_writer => false
         self.devise_modules ||= []
+
+        before_validation :downcase_keys
+        before_validation :strip_whitespace
       end
 
       # Check if the current object is valid for authentication. This method and
@@ -79,8 +87,21 @@ module Devise
         Devise.mailer
       end
 
+      def headers_for(name)
+        {}
+      end
+
+      def downcase_keys
+        (self.class.case_insensitive_keys || []).each { |k| self[k].try(:downcase!) }
+      end
+
+      def strip_whitespace
+        (self.class.strip_whitespace_keys || []).each { |k| self[k].try(:strip!) }
+      end
+
       module ClassMethods
-        Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
+        Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
+          :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
 
         def serialize_into_session(record)
           [record.to_key, record.authenticatable_salt]
@@ -106,20 +127,17 @@ module Devise
         # namedscope to filter records while authenticating.
         # Example:
         #
-        #   def self.find_for_authentication(tainted_conditions)
-        #     find_first_by_auth_conditions(tainted_conditions, active: true)
+        #   def self.find_for_authentication(conditions={})
+        #     conditions[:active] = true
+        #     super
         #   end
         #
-        # Finally, notice that Devise also queries for users in other scenarios
-        # besides authentication, for example when retrieving an user to send
-        # an e-mail for password reset. In such cases, find_for_authentication
-        # is not called.
-        def find_for_authentication(tainted_conditions)
-          find_first_by_auth_conditions(tainted_conditions)
+        def find_for_authentication(conditions)
+          find_first_by_auth_conditions(conditions)
         end
 
-        def find_first_by_auth_conditions(tainted_conditions, opts={})
-          to_adapter.find_first(devise_param_filter.filter(tainted_conditions).merge(opts))
+        def find_first_by_auth_conditions(conditions)
+          to_adapter.find_first devise_param_filter.filter(conditions)
         end
 
         # Find an initialize a record setting an error if it can't be found.
@@ -165,4 +183,4 @@ module Devise
       end
     end
   end
-end
+end