devise 2.0.6 → 2.1.0.rc

data/lib/devise/models/confirmable.rb

@@ -36,6 +36,15 @@ module Devise
         after_update :send_confirmation_instructions, :if => :reconfirmation_required?
       end
 
+      def self.required_fields(klass)
+        required_methods = [:confirmation_token, :confirmed_at, :confirmation_sent_at]
+        if klass.reconfirmable
+          required_methods << :unconfirmed_email
+        end
+
+        required_methods
+      end
+
       # Confirm a user by setting it's confirmed_at to actual time. If the user
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
@@ -45,7 +54,7 @@ module Devise
           self.confirmed_at = Time.now.utc
 
           if self.class.reconfirmable && unconfirmed_email.present?
-            @bypass_postpone = true
+            skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
 
@@ -99,6 +108,12 @@ module Devise
         self.confirmed_at = Time.now.utc
       end
 
+      # If you don't want reconfirmation to be sent, neither a code
+      # to be generated, call skip_reconfirmation!
+      def skip_reconfirmation!
+        @bypass_postpone = true
+      end
+
       def headers_for(action)
         headers = super
         if action == :confirmation_instructions && pending_reconfirmation?
@@ -165,6 +180,11 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
+
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

data/lib/devise/models/database_authenticatable.rb

@@ -27,6 +27,10 @@ module Devise
         attr_accessor :password_confirmation
       end
 
+      def self.required_fields(klass)
+        [:encrypted_password] + klass.authentication_keys
+      end
+
       # Generates password encryption based on the given value.
       def password=(new_password)
         @password = new_password
@@ -36,9 +40,7 @@ module Devise
       # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
         return false if encrypted_password.blank?
-        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, self.encrypted_password)
+        encryptor_class.compare(encrypted_password, password, self.class.stretches, authenticatable_salt, self.class.pepper)
       end
 
       # Set password and password confirmation to nil
@@ -96,14 +98,18 @@ module Devise
 
       # A reliable way to expose the salt regardless of the implementation.
       def authenticatable_salt
-        self.encrypted_password[0,29] if self.encrypted_password
+        encrypted_password[0,29] if encrypted_password
       end
 
     protected
 
       # Digests the password using bcrypt.
       def password_digest(password)
-        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
+        encryptor_class.digest(password, self.class.stretches, ::BCrypt::Engine.generate_salt, self.class.pepper)
+      end
+
+      def encryptor_class
+        Devise::Encryptors::BCrypt
       end
 
       module ClassMethods

data/lib/devise/models/encryptable.rb

@@ -2,7 +2,8 @@ require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
-    # Encryptable Module adds support to several encryptors.
+    # Encryptable module adds support to several encryptors wrapping
+    # them in a salt and pepper mechanism to increase security.
     #
     # == Options
     #
@@ -24,30 +25,37 @@ module Devise
         attr_accessor :password_confirmation
       end
 
-      # Generates password salt.
+      def self.required_fields(klass)
+        [:password_salt]
+      end
+
+      # Generates password salt when setting the password.
       def password=(new_password)
         self.password_salt = self.class.password_salt if new_password.present?
         super
       end
 
+      # Overrides authenticatable salt to use the new password_salt
+      # column. authenticatable_salt is used by `valid_password?`
+      # and by other modules whenever there is a need for a random
+      # token based on the user password.
       def authenticatable_salt
         self.password_salt
       end
 
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
-      def valid_password?(incoming_password)
-        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
-      end
-
     protected
 
       # Digests the password using the configured encryptor.
       def password_digest(password)
-        if self.password_salt.present?
-          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        if password_salt.present?
+          encryptor_class.digest(password, self.class.stretches, authenticatable_salt, self.class.pepper)
         end
       end
 
+      def encryptor_class
+        self.class.encryptor_class
+      end
+
       module ClassMethods
         Devise::Models.config(self, :encryptor)
 

data/lib/devise/models/lockable.rb

@@ -22,6 +22,15 @@ module Devise
 
       delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
 
+      def self.required_fields(klass)
+        attributes = []
+        attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
+        attributes << :unlock_at if klass.unlock_strategy_enabled?(:time)
+        attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
+
+        attributes
+      end
+
       # Lock a user setting its locked_at to actual time.
       def lock_access!
         self.locked_at = Time.now.utc
@@ -88,7 +97,6 @@ module Devise
           self.failed_attempts += 1
           if attempts_exceeded?
             lock_access! unless access_locked?
-            return :locked
           else
             save(:validate => false)
           end
@@ -96,6 +104,14 @@ module Devise
         end
       end
 
+      def unauthenticated_message
+        if lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+          :locked
+        else
+          super
+        end
+      end
+
       protected
 
         def attempts_exceeded?

data/lib/devise/models/omniauthable.rb

@@ -15,6 +15,10 @@ module Devise
     module Omniauthable
       extend ActiveSupport::Concern
 
+      def self.required_fields(klass)
+        []
+      end
+
       module ClassMethods
         Devise::Models.config(self, :omniauth_providers)
       end

data/lib/devise/models/recoverable.rb

@@ -24,6 +24,10 @@ module Devise
     module Recoverable
       extend ActiveSupport::Concern
 
+      def self.required_fields(klass)
+        [:reset_password_sent_at, :reset_password_token]
+      end
+
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
       def reset_password!(new_password, new_password_confirmation)

data/lib/devise/models/registerable.rb

@@ -5,6 +5,10 @@ module Devise
     module Registerable
       extend ActiveSupport::Concern
 
+      def self.required_fields(klass)
+        []
+      end
+
       module ClassMethods
         # A convenience method that receives both parameters and session to
         # initialize a user. This can be used by OAuth, for example, to send

data/lib/devise/models/rememberable.rb

@@ -24,7 +24,7 @@ module Devise
     #   * +extend_remember_period+: if true, extends the user's remember period
     #     when remembered via cookie. False by default.
     #
-    #   * +cookie_options+: configuration options passed to the created cookie.
+    #   * +rememberable_options+: configuration options passed to the created cookie.
     #
     # == Examples
     #
@@ -41,6 +41,10 @@ module Devise
 
       attr_accessor :remember_me, :extend_remember_period
 
+      def self.required_fields(klass)
+        [:remember_created_at, :remember_token]
+      end
+
       # Generate a new remember token and save the record without validations
       # unless remember_across_browsers is true and the user already has a valid token.
       def remember_me!(extend_period=false)
@@ -71,7 +75,7 @@ module Devise
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif salt = authenticatable_salt
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
           salt
         else
           raise "authenticable_salt returned nil for the #{self.class.name} model. " \

data/lib/devise/models/timeoutable.rb

@@ -20,6 +20,10 @@ module Devise
     module Timeoutable
       extend ActiveSupport::Concern
 
+      def self.required_fields(klass)
+        []
+      end
+
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
         return false if remember_exists_and_not_expired?

data/lib/devise/models/token_authenticatable.rb

@@ -27,6 +27,10 @@ module Devise
     module TokenAuthenticatable
       extend ActiveSupport::Concern
 
+      def self.required_fields(klass)
+        [:authentication_token]
+      end
+
       # Generate new authentication token (a.k.a. "single access token").
       def reset_authentication_token
         self.authentication_token = self.class.authentication_token
@@ -52,6 +56,7 @@ module Devise
       def after_token_authentication
       end
 
+
       module ClassMethods
         def find_for_token_authentication(conditions)
           find_for_authentication(:authentication_token => conditions[token_authentication_key])

data/lib/devise/models/trackable.rb

@@ -11,6 +11,10 @@ module Devise
     # * last_sign_in_ip    - Holds the remote ip of the previous sign in
     #
     module Trackable
+      def self.required_fields(klass)
+        [:current_sign_in_at, :current_sign_in_ip, :last_sign_in_at, :last_sign_in_ip, :sign_in_count]
+      end
+
       def update_tracked_fields!(request)
         old_current, new_current = self.current_sign_in_at, Time.now.utc
         self.last_sign_in_at     = old_current || new_current

data/lib/devise/models/validatable.rb

@@ -17,6 +17,10 @@ module Devise
       VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
                       :validates_confirmation_of, :validates_length_of ].freeze
 
+      def self.required_fields(klass)
+        []
+      end
+
       def self.included(base)
         base.extend ClassMethods
         assert_validations_api!(base)

data/lib/devise/param_filter.rb

@@ -33,8 +33,9 @@ module Devise
 
     private
 
+    # Determine which values should be transformed to string or passed as-is to the query builder underneath
     def param_requires_string_conversion?(value)
-      true
+      [Fixnum, TrueClass, FalseClass, Regexp].none? {|clz| value.is_a? clz }
     end
   end
 end

data/lib/devise/rails/routes.rb

@@ -184,7 +184,7 @@ module ActionDispatch::Routing
     #
     # In order to get Devise to recognize the deactivate action, your devise_for entry should look like this,
     #
-    #     devise_for :owners, :controllers => { :registrations => "registrations" } do
+    #     devise_scope :owner do
     #       post "deactivate", :to => "registrations#deactivate", :as => "deactivate_registration"
     #     end
     #
@@ -198,7 +198,8 @@ module ActionDispatch::Routing
       options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
       options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
       options[:defaults]      = (@scope[:defaults] || {}).merge(options[:defaults] || {})
-      options[:options]       = (@scope[:options] || {}).merge({:format => false}) if options[:format] == false
+      options[:options]       = @scope[:options] || {}
+      options[:options][:format] = false if options[:format] == false
 
       resources.map!(&:to_sym)
 

data/lib/devise/strategies/authenticatable.rb

@@ -23,14 +23,20 @@ module Devise
         result = resource && resource.valid_for_authentication?(&block)
 
         case result
-        when String, Symbol
+        when Symbol, String
+          ActiveSupport::Deprecation.warn "valid_for_authentication should return a boolean value"
           fail!(result)
-          false
-        when TrueClass
+          return false
+        end
+
+        if result
           decorate(resource)
           true
         else
-          result
+          if resource
+            fail!(resource.unauthenticated_message)
+          end
+          false
         end
       end
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.0.6".freeze
+  VERSION = "2.1.0.rc".freeze
 end

data/lib/generators/devise/views_generator.rb

@@ -39,6 +39,18 @@ module Devise
       end
     end
 
+    class SharedViewsGenerator < Rails::Generators::Base #:nodoc:
+      include ViewPathTemplates
+      source_root File.expand_path("../../../../app/views/devise", __FILE__)
+      desc "Copies shared Devise views to your application."
+      hide!
+
+      # Override copy_views to just copy mailer and shared.
+      def copy_views
+        view_directory :shared
+      end
+    end
+
     class FormForGenerator < Rails::Generators::Base #:nodoc:
       include ViewPathTemplates
       source_root File.expand_path("../../../../app/views/devise", __FILE__)
@@ -80,15 +92,12 @@ module Devise
     end
 
     class ViewsGenerator < Rails::Generators::Base
-      include ViewPathTemplates
-
-      source_root File.expand_path("../../../../app/views/devise", __FILE__)
       desc "Copies Devise views to your application."
 
-      def copy_views
-        copy_file "_links.erb", "#{target_path}/_links.erb"
-      end
+      argument :scope, :required => false, :default => nil,
+                       :desc => "The scope to copy views to"
 
+      invoke SharedViewsGenerator
       hook_for :form_builder, :aliases => "-b",
                               :desc => "Form builder to be used",
                               :default => defined?(SimpleForm) ? "simple_form_for" : "form_for"

data/lib/generators/templates/devise.rb

@@ -117,7 +117,7 @@ Devise.setup do |config|
 
   # Options to be passed to the created cookie. For instance, you can set
   # :secure => true in order to force SSL only cookies.
-  # config.cookie_options = {}
+  # config.rememberable_options = {}
 
   # ==> Configuration for :validatable
   # Range for password length. Default is 6..128.

data/lib/generators/templates/simple_form_for/confirmations/new.html.erb

@@ -12,4 +12,4 @@
   </div>
 <% end %>
 
-<%= render "links" %>
+<%= render :partial => "devise/shared/links" %>

data/lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -16,4 +16,4 @@
   </div>
 <% end %>
 
-<%= render "links" %>
+<%= render :partial => "devise/shared/links" %>

data/lib/generators/templates/simple_form_for/passwords/new.html.erb

@@ -12,4 +12,4 @@
   </div>
 <% end %>
 
-<%= render "links" %>
+<%= render :partial => "devise/shared/links" %>

data/lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -14,4 +14,4 @@
   </div>
 <% end %>
 
-<%= render "links" %>
+<%= render :partial => "devise/shared/links" %>