devise 2.0.0.rc → 2.0.0.rc2

data/lib/devise.rb

@@ -16,10 +16,8 @@ module Devise
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
-    autoload :InternalHelpers, 'devise/controllers/internal_helpers'
     autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
-    autoload :SharedHelpers, 'devise/controllers/shared_helpers'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
@@ -202,9 +200,8 @@ module Devise
   @@skip_session_storage = []
 
   # Which formats should be treated as navigational.
-  # We need both :"*/*" and "*/*" to work on different Rails versions.
   mattr_accessor :navigational_formats
-  @@navigational_formats = [:"*/*", "*/*", :html]
+  @@navigational_formats = ["*/*", :html]
 
   # When set to true, signing out a user signs out all other scopes.
   mattr_accessor :sign_out_all_scopes
@@ -214,6 +211,18 @@ module Devise
   mattr_accessor :sign_out_via
   @@sign_out_via = :get
 
+  # The parent controller all Devise controllers inherits from.
+  # Defaults to ApplicationController. This should be set early
+  # in the initialization process and should be set to a string.
+  mattr_accessor :parent_controller
+  @@parent_controller = "ApplicationController"
+
+  # The router Devise should use to generate routes. Defaults
+  # to :main_app. Should be overriden by engines in order
+  # to provide custom routes.
+  mattr_accessor :router_name
+  @@router_name = :main_app
+
   # DEPRECATED CONFIG
 
   # If true, uses salt as remember token and does not create it in the database.
@@ -334,7 +343,7 @@ module Devise
   #
   def self.add_module(module_name, options = {})
     ALL << module_name
-    options.assert_valid_keys(:strategy, :model, :controller, :route)
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
 
     if strategy = options[:strategy]
       strategy = (strategy == true ? module_name : strategy)
@@ -346,7 +355,7 @@ module Devise
       CONTROLLERS[module_name] = controller
     end
 
-    NO_INPUT << strategy if strategy && controller != :sessions
+    NO_INPUT << strategy if options[:no_input]
 
     if route = options[:route]
       case route
@@ -413,11 +422,6 @@ module Devise
     end
   end
 
-  # Returns true if Rails version is bigger than 3.0.x
-  def self.rack_session?
-    Rails::VERSION::STRING[0,3] != "3.0"
-  end
-
   # Regenerates url helpers considering Devise.mapping
   def self.regenerate_helpers!
     Devise::Controllers::UrlHelpers.remove_helpers!

data/lib/devise/controllers/helpers.rb

@@ -168,7 +168,13 @@ module Devise
       def signed_in_root_path(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         home_path = "#{scope}_root_path"
-        respond_to?(home_path, true) ? send(home_path) : root_path
+        if respond_to?(home_path, true)
+          send(home_path)
+        elsif respond_to?(:root_path)
+          root_path
+        else
+          "/"
+        end
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -209,7 +215,7 @@ module Devise
       #
       # By default it is the root_path.
       def after_sign_out_path_for(resource_or_scope)
-        root_path
+        respond_to?(:root_path) ? root_path : "/"
       end
 
       # Sign in a user and tries to redirect first to the stored location and

data/lib/devise/controllers/scoped_views.rb

@@ -12,22 +12,6 @@ module Devise
           @scoped_views = value
         end
       end
-
-    protected
-
-      # Render a view for the specified scope. Turned off by default.
-      # Accepts just :controller as option.
-      def render_with_scope(action, path=self.controller_path)
-        if self.class.scoped_views?
-          begin
-            render :template => "#{devise_mapping.scoped_path}/#{path.split("/").last}/#{action}"
-          rescue ActionView::MissingTemplate
-            render :template => "#{path}/#{action}"
-          end
-        else
-          render :template => "#{path}/#{action}"
-        end
-      end
     end
   end
 end

data/lib/devise/controllers/url_helpers.rb

@@ -16,7 +16,15 @@ module Devise
     #   new_confirmation_path(:user) => new_user_confirmation_path
     #   confirmation_path(:user)     => user_confirmation_path
     #
-    # Those helpers are added to your ApplicationController.
+    # Those helpers are included by default to ActionController::Base.
+    #
+    # In case you want to add such helpers to another class, you can do
+    # that as long as this new class includes both url_helpers and
+    # mounted_helpers. Example:
+    #
+    #     include Rails.application.routes.url_helpers
+    #     include Rails.application.routes.mounted_helpers
+    #
     module UrlHelpers
       def self.remove_helpers!
         self.instance_methods.map(&:to_s).grep(/_(url|path)$/).each do |method|
@@ -39,7 +47,7 @@ module Devise
               class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
                 def #{method}(resource_or_scope, *args)
                   scope = Devise::Mapping.find_scope!(resource_or_scope)
-                  send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
+                  _devise_route_context.send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
                 end
               URL_HELPERS
             end
@@ -48,6 +56,12 @@ module Devise
       end
 
       generate_helpers!(Devise::URL_HELPERS)
+
+      private
+
+      def _devise_route_context
+        @_devise_route_context ||= send(Devise.router_name)
+      end
     end
   end
 end

data/lib/devise/failure_app.rb

@@ -9,8 +9,9 @@ module Devise
     include ActionController::RackDelegation
     include ActionController::UrlFor
     include ActionController::Redirecting
+
     include Rails.application.routes.url_helpers
-    include Devise::Controllers::SharedHelpers
+    include Rails.application.routes.mounted_helpers
 
     delegate :flash, :to => :request
 
@@ -20,7 +21,11 @@ module Devise
     end
 
     def self.default_url_options(*args)
-      ApplicationController.default_url_options(*args)
+      if defined?(ApplicationController)
+        ApplicationController.default_url_options(*args)
+      else
+        {}
+      end
     end
 
     def respond
@@ -48,32 +53,50 @@ module Devise
 
     def redirect
       store_location!
-      flash[:alert] = i18n_message
+      if flash[:timedout] && flash[:alert]
+        flash.keep(:timedout)
+        flash.keep(:alert)
+      else
+        flash[:alert] = i18n_message
+      end
       redirect_to redirect_url
     end
 
   protected
 
     def i18n_message(default = nil)
-      message = warden.message || warden_options[:message] || default || :unauthenticated
+      message = warden_message || default || :unauthenticated
 
       if message.is_a?(Symbol)
         I18n.t(:"#{scope}.#{message}", :resource_name => scope,
-               :scope => "devise.failure", :default => [message, message.to_s])
+               :scope => "devise.failure", :default => [message])
       else
         message.to_s
       end
     end
 
     def redirect_url
+      if warden_message == :timeout
+        flash[:timedout] = true
+        attempted_path || scope_path
+      else
+        scope_path
+      end
+    end
+
+    def scope_path
       opts  = {}
       route = :"new_#{scope}_session_path"
       opts[:format] = request_format unless skip_format?
 
-      if respond_to?(route)
-        send(route, opts)
-      else
+      context = send(Devise.router_name)
+
+      if context.respond_to?(route)
+        context.send(route, opts)
+      elsif respond_to?(:root_path)
         root_path(opts)
+      else
+        "/"
       end
     end
 
@@ -130,6 +153,10 @@ module Devise
       env['warden.options']
     end
 
+    def warden_message
+      @message ||= warden.message || warden_options[:message]
+    end
+
     def scope
       @scope ||= warden_options[:scope] || Devise.default_scope
     end
@@ -145,5 +172,13 @@ module Devise
     def store_location!
       session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
+
+    def is_navigational_format?
+      Devise.navigational_formats.include?(request_format)
+    end
+
+    def request_format
+      @request_format ||= request.format.try(:ref)
+    end
   end
 end

data/lib/devise/models.rb

@@ -48,7 +48,6 @@ module Devise
     # for a complete description on those values.
     #
     def devise(*modules)
-      include Devise::Models::Authenticatable
       options = modules.extract_options!.dup
 
       selected_modules = modules.map(&:to_sym).uniq.sort_by do |s|
@@ -56,6 +55,7 @@ module Devise
       end
 
       devise_modules_hook! do
+        include Devise::Models::Authenticatable
         selected_modules.each do |m|
           mod = Devise::Models.const_get(m.to_s.classify)
 

data/lib/devise/models/confirmable.rb

@@ -40,15 +40,17 @@ module Devise
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
       def confirm!
-        unless_confirmed do
+        pending_any_confirmation do
           self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
-          if self.class.reconfirmable
+          if self.class.reconfirmable && unconfirmed_email.present?
             @bypass_postpone = true
-            self.email = unconfirmed_email if unconfirmed_email.present?
+            self.email = unconfirmed_email
             self.unconfirmed_email = nil
-            save
+
+            # We need to validate in such cases to enforce e-mail uniqueness
+            save(:validate => true)
           else
             save(:validate => false)
           end
@@ -66,14 +68,16 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
+        self.confirmation_token = nil if reconfirmation_required?
         @reconfirmation_required = false
+
         generate_confirmation_token! if self.confirmation_token.blank?
         self.devise_mailer.confirmation_instructions(self).deliver
       end
 
       # Resend confirmation token. This method does not need to generate a new token.
       def resend_confirmation_token
-        unless_confirmed { send_confirmation_instructions }
+        pending_any_confirmation { send_confirmation_instructions }
       end
 
       # Overwrites active_for_authentication? for confirmation
@@ -133,10 +137,9 @@ module Devise
           confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
-        # Checks whether the record is confirmed or not or a new email has been added, yielding to the block
-        # if it's already confirmed, otherwise adds an error to email.
-        def unless_confirmed
-          unless confirmed? && !pending_reconfirmation?
+        # Checks whether the record requires any confirmation.
+        def pending_any_confirmation
+          if !confirmed? || pending_reconfirmation?
             yield
           else
             self.errors.add(:email, :already_confirmed)

data/lib/devise/models/lockable.rb

@@ -79,7 +79,7 @@ module Devise
         # if the user can login or not (wrong password, etc)
         unlock_access! if lock_expired?
 
-        if super
+        if super && !access_locked?
           self.failed_attempts = 0
           save(:validate => false)
           true

data/lib/devise/models/serializable.rb

@@ -9,8 +9,11 @@ module Devise
     module Serializable
       extend ActiveSupport::Concern
 
-      # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
-      %w(to_xml serializable_hash).each do |method|
+      array = %w(serializable_hash)
+      # to_xml does not call serializable_hash on 3.1
+      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
+
+      array.each do |method|
         class_eval <<-RUBY, __FILE__, __LINE__
           def #{method}(options=nil)
             options ||= {}

data/lib/devise/modules.rb

@@ -5,8 +5,8 @@ Devise.with_options :model => true do |d|
   d.with_options :strategy => true do |s|
     routes = [nil, :new, :destroy]
     s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
-    s.add_module :token_authenticatable
-    s.add_module :rememberable
+    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }, :no_input => true
+    s.add_module :rememberable, :no_input => true
   end
 
   # Other authentications

data/lib/devise/param_filter.rb

@@ -35,7 +35,7 @@ module Devise
 
     # Determine which values should be transformed to string or passed as-is to the query builder underneath
     def param_requires_string_conversion?(value)
-      true unless value.is_a?(TrueClass) || value.is_a?(FalseClass) || value.is_a?(Fixnum)
+      [Fixnum, TrueClass, FalseClass, Regexp].none? {|clz| value.is_a? clz }
     end
   end
 end

data/lib/devise/path_checker.rb

@@ -3,7 +3,11 @@ module Devise
     include Rails.application.routes.url_helpers
 
     def self.default_url_options(*args)
-      ApplicationController.default_url_options(*args)
+      if defined?(ApplicationController)
+        ApplicationController.default_url_options(*args)
+      else
+        {}
+      end
     end
 
     def initialize(env, scope)

data/lib/devise/rails.rb

@@ -42,6 +42,15 @@ module Devise
       end
     end
 
+    initializer "devise.fix_routes_proxy_missing_respond_to_bug" do
+      # We can get rid of this once we support Rails > 3.2
+      ActionDispatch::Routing::RoutesProxy.class_eval do
+        def respond_to?(method, include_private = false)
+          super || routes.url_helpers.respond_to?(method)
+        end
+      end
+    end
+
     initializer "devise.deprecations" do
       unless defined?(Rails::Generators)
         if Devise.case_insensitive_keys == false
@@ -71,6 +80,18 @@ module Devise
             "your Devise models (if they don't have one already).\n"
         end
       end
+
+      config.after_initialize do
+        if I18n.t(:"devise.registrations.reasons", :default => {}).present?
+          warn "\n[DEVISE] devise.registrations.reasons in yml files is deprecated, " \
+            "please use devise.registrations.signed_up_but_REASON instead.\n"
+        end
+
+        if I18n.t(:"devise.registrations.inactive_signed_up", :default => "").present?
+          warn "\n[DEVISE] devise.registrations.inactive_signed_up in yml files is deprecated, " \
+            "please use devise.registrations.signed_up_but_inactive instead.\n"
+        end
+      end
     end
   end
 end

data/lib/devise/rails/routes.rb

@@ -84,15 +84,16 @@ module ActionDispatch::Routing
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #
-    #  * :module => the namespace to find controlers. By default, devise will access devise/sessions,
-    #    devise/registrations and so on. If you want to namespace all at once, use module:
+    #  * :module => the namespace to find controllers (default: "devise", thus
+    #    accessing devise/sessions, devise/registrations, and so on). If you want
+    #    to namespace all at once, use module:
     #
     #      devise_for :users, :module => "users"
     #
     #    Notice that whenever you use namespace in the router DSL, it automatically sets the module.
     #    So the following setup:
     #
-    #      namespace :publisher
+    #      namespace :publisher do
     #        devise_for :account
     #      end
     #
@@ -135,15 +136,15 @@ module ActionDispatch::Routing
     #     devise_for :users
     #   end
     #
-    # However, since Devise uses the request path to retrieve the current user, it has one caveats.
-    # If you are using a dynamic segment, as below:
+    # However, since Devise uses the request path to retrieve the current user,
+    # this has one caveat: If you are using a dynamic segment, like so ...
     #
     #   scope ":locale" do
     #     devise_for :users
     #   end
     #
-    # You are required to configure default_url_options in your ApplicationController class level, so
-    # Devise can pick it:
+    # you are required to configure default_url_options in your
+    # ApplicationController class, so Devise can pick it:
     #
     #   class ApplicationController < ActionController::Base
     #     def self.default_url_options
@@ -207,7 +208,12 @@ module ActionDispatch::Routing
         routes  = mapping.used_routes
 
         devise_scope mapping.name do
-          yield if block_given?
+          if block_given?
+            ActiveSupport::Deprecation.warn "Passing a block to devise_for is deprecated. " \
+              "Please call devise_scope :#{mapping.name} do ... end with the block instead", caller
+            yield
+          end
+
           with_devise_exclusive_scope mapping.fullpath, mapping.name, options do
             routes.each { |mod| send("devise_#{mod}", mapping, mapping.controllers) }
           end
@@ -369,13 +375,13 @@ module ActionDispatch::Routing
       end
 
       def with_devise_exclusive_scope(new_path, new_as, options) #:nodoc:
-        old_as, old_path, old_module, old_constraints, old_defaults, old_options = 
+        old_as, old_path, old_module, old_constraints, old_defaults, old_options =
           *@scope.values_at(:as, :path, :module, :constraints, :defaults, :options)
         @scope[:as], @scope[:path], @scope[:module], @scope[:constraints], @scope[:defaults], @scope[:options] =
           new_as, new_path, nil, *options.values_at(:constraints, :defaults, :options)
         yield
       ensure
-        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints], @scope[:defaults], @scope[:options] = 
+        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints], @scope[:defaults], @scope[:options] =
           old_as, old_path, old_module, old_constraints, old_defaults, old_options
       end