devise 2.1.0.rc → 2.1.0.rc2

data/CHANGELOG.rdoc

@@ -1,4 +1,24 @@
-== 2.1.0.dev
+== trunk (2.1.0.rc2)
+
+* enhancements
+  * Devise model generator now works with engines
+  * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable)
+
+* deprecations
+  * Deprecations warnings added on Devise 2.0 are now removed with their features
+  * use_salt_as_remember_token and apply_schema does not have any effect since 2.0 and are now deprecated
+  * valid_for_authentication? must now return a boolean
+
+* bug fix
+  * Ensure the failure app still respects config.relative_url_root
+  * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium)
+  * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores)
+  * Added token expiration on timeout (by @antiarchitect)
+  * Do not accidentally mark `_prefixes` as private
+  * Better support for custom strategies on test helpers (by @mattconnolly)
+  * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
+
+== 2.1.0.rc
 
 * enhancements
   * Add check_fields! method on Devise::Models to check if the model includes the fields that Devise uses
@@ -7,6 +27,7 @@
 * bug fix
   * Ensure after sign in hook is not called without a resource
   * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
+  * Fixed redirect when authenticated mounted apps (by @hakanensari)
 
 * deprecation
   * All devise modules should have a required_fields(klass) module method to help gathering missing attributes
@@ -72,6 +93,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Move devise/shared/_links.erb to devise/_links.erb
   * Deprecated support of nested devise_for blocks
   * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
+  * Protected method render_with_scope was removed.
 
 == 1.5.3
 

data/Gemfile

@@ -25,7 +25,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3-ruby"
+  gem "sqlite3"
 
   group :mongoid do
     gem "mongo", "~> 1.3.0"

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    devise (2.0.4)
+    devise (2.1.0.rc)
       bcrypt-ruby (~> 3.0)
-      orm_adapter (~> 0.0.3)
+      orm_adapter (~> 0.0.7)
       railties (~> 3.1)
       warden (~> 1.1.1)
 
@@ -87,7 +87,7 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.6)
+    orm_adapter (0.0.7)
     polyglot (0.3.3)
     rack (1.4.1)
     rack-cache (1.1)
@@ -129,8 +129,6 @@ GEM
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.5)
-    sqlite3-ruby (1.3.3)
-      sqlite3 (>= 1.3.3)
     thor (0.14.6)
     tilt (1.3.3)
     treetop (1.4.10)
@@ -163,5 +161,5 @@ DEPENDENCIES
   rails (~> 3.2.0)
   rdoc
   ruby-debug (>= 0.10.3)
-  sqlite3-ruby
+  sqlite3
   webrat (= 0.7.2)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009-2012 Plataforma Tecnologia. http://blog.plataformatec.com.br
+Copyright 2009-2012 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,3 +1,5 @@
+*IMPORTANT:* Devise 2.1 is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.1
+
 *IMPORTANT:* Devise 2.0 is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
 
 ## Devise
@@ -42,7 +44,7 @@ If you discover a problem with Devise, we would like to know about it. However,
 
 https://github.com/plataformatec/devise/wiki/Bug-reports
 
-If you found a security bug, do *NOT* use the GitHub issue tracker. Send email or a private GitHub message to the maintainers listed at the bottom of the README.
+If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to the maintainers listed at the bottom of the README.
 
 ### Mailing list
 
@@ -91,7 +93,9 @@ Once you have solidified your understanding of Rails and authentication mechanis
 
 Devise 2.0 works with Rails 3.1 onwards. You can add it to your Gemfile with:
 
-  gem 'devise'
+```ruby
+gem 'devise'
+```
 
 Run the bundle command to install it.
 
@@ -379,4 +383,4 @@ https://github.com/plataformatec/devise/contributors
 
 ## License
 
-MIT License. Copyright 2012 Plataforma Tecnologia. http://blog.plataformatec.com.br
+MIT License. Copyright 2012 Plataformatec. http://plataformatec.com.br

data/Rakefile

@@ -1,5 +1,5 @@
 # encoding: UTF-8
-
+require "bundler/gem_tasks"
 require 'rake/testtask'
 require 'rdoc/task'
 

data/app/controllers/devise/sessions_controller.rb

@@ -4,7 +4,7 @@ class Devise::SessionsController < DeviseController
 
   # GET /resource/sign_in
   def new
-    resource = build_resource
+    resource = build_resource(nil, :unsafe => true)
     clean_up_passwords(resource)
     respond_with(resource, serialize_options(resource))
   end
@@ -28,9 +28,7 @@ class Devise::SessionsController < DeviseController
     respond_to do |format|
       format.any(*navigational_formats) { redirect_to redirect_path }
       format.all do
-        method = "to_#{request_format}"
-        text = {}.respond_to?(method) ? {}.send(method) : ""
-        render :text => text, :status => :ok
+        head :no_content
       end
     end
   end

data/app/controllers/devise/unlocks_controller.rb

@@ -11,7 +11,7 @@ class Devise::UnlocksController < DeviseController
     self.resource = resource_class.send_unlock_instructions(params[resource_name])
 
     if successfully_sent?(resource)
-      respond_with({}, :location => new_session_path(resource_name))
+      respond_with({}, :location => after_sending_unlock_instructions_path_for(resource))
     else
       respond_with(resource)
     end
@@ -23,9 +23,22 @@ class Devise::UnlocksController < DeviseController
 
     if resource.errors.empty?
       set_flash_message :notice, :unlocked if is_navigational_format?
-      respond_with_navigational(resource){ redirect_to new_session_path(resource) }
+      respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
     end
   end
+
+  protected
+
+    # The path used after sending unlock password instructions
+    def after_sending_unlock_instructions_path_for(resource)
+      new_session_path(resource)
+    end
+
+    # The path used after unlocking the resource
+    def after_unlock_path_for(resource)
+      new_session_path(resource)
+    end
+
 end

data/app/controllers/devise_controller.rb

@@ -38,6 +38,17 @@ class DeviseController < Devise.parent_controller.constantize
     @devise_mapping ||= request.env["devise.mapping"]
   end
 
+  # Override prefixes to consider the scoped view.
+  def _prefixes #:nodoc:
+    @_prefixes ||= if self.class.scoped_views? && devise_mapping
+      super.unshift("#{devise_mapping.scoped_path}/#{controller_name}")
+    else
+      super
+    end
+  end
+
+  hide_action :_prefixes
+
   protected
 
   # Checks whether it's a devise mapped resource or not.
@@ -68,9 +79,20 @@ MESSAGE
   end
 
   # Build a devise resource.
-  def build_resource(hash=nil)
+  # Assignment bypasses attribute protection when :unsafe option is passed
+  def build_resource(hash = nil, options = {})
     hash ||= params[resource_name] || {}
-    self.resource = resource_class.new(hash)
+
+    if options[:unsafe]
+      self.resource = resource_class.new.tap do |resource|
+        hash.each do |key, value|
+          setter = :"#{key}="
+          resource.send(setter, value) if resource.respond_to?(setter)
+        end
+      end
+    else
+      self.resource = resource_class.new(hash)
+    end
   end
 
   # Helper for use in before_filters where no authentication is required.
@@ -152,13 +174,4 @@ MESSAGE
   def is_navigational_format?
     Devise.navigational_formats.include?(request.format.try(:ref))
   end
-
-  # Override prefixes to consider the scoped view.
-  def _prefixes #:nodoc:
-    @_prefixes ||= if self.class.scoped_views? && devise_mapping
-      super.unshift("#{devise_mapping.scoped_path}/#{controller_name}")
-    else
-      super
-    end
-  end
 end

data/devise.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.add_dependency("warden", "~> 1.1.1")
-  s.add_dependency("orm_adapter", "~> 0.0.3")
+  s.add_dependency("orm_adapter", "~> 0.0.7")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
   s.add_dependency("railties", "~> 3.1")
 end

data/gemfiles/Gemfile.rails-3.1.x

@@ -25,7 +25,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3-ruby"
+  gem "sqlite3"
 
   group :mongoid do
     gem "mongo", "~> 1.3.0"

data/gemfiles/Gemfile.rails-3.1.x.lock

@@ -1,45 +1,45 @@
 PATH
   remote: ..
   specs:
-    devise (2.0.2)
+    devise (2.1.0.rc2)
       bcrypt-ruby (~> 3.0)
-      orm_adapter (~> 0.0.3)
+      orm_adapter (~> 0.0.7)
       railties (~> 3.1)
       warden (~> 1.1.1)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.1.3)
-      actionpack (= 3.1.3)
+    actionmailer (3.1.4)
+      actionpack (= 3.1.4)
       mail (~> 2.3.0)
-    actionpack (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
+    actionpack (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       i18n (~> 0.6)
-      rack (~> 1.3.5)
+      rack (~> 1.3.6)
       rack-cache (~> 1.1)
       rack-mount (~> 0.8.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.0.3)
-    activemodel (3.1.3)
-      activesupport (= 3.1.3)
+    activemodel (3.1.4)
+      activesupport (= 3.1.4)
       builder (~> 3.0.0)
       i18n (~> 0.6)
-    activerecord (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
-      arel (~> 2.2.1)
+    activerecord (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
+      arel (~> 2.2.3)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
-    activesupport (3.1.3)
+    activeresource (3.1.4)
+      activemodel (= 3.1.4)
+      activesupport (= 3.1.4)
+    activesupport (3.1.4)
       multi_json (~> 1.0)
     addressable (2.2.7)
-    arel (2.2.1)
+    arel (2.2.3)
     bcrypt-ruby (3.0.1)
     bson (1.5.2)
     bson_ext (1.3.1)
@@ -53,15 +53,15 @@ GEM
     hashie (1.2.0)
     hike (1.2.1)
     i18n (0.6.0)
-    json (1.6.5)
+    json (1.7.0)
     linecache (0.46)
       rbx-require-relative (> 0.0.4)
-    mail (2.3.0)
+    mail (2.3.3)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.17.2)
+    mime-types (1.18)
     mocha (0.10.4)
       metaclass (~> 0.0.1)
     mongo (1.3.1)
@@ -70,7 +70,7 @@ GEM
       activemodel (~> 3.1)
       mongo (~> 1.3)
       tzinfo (~> 0.3.22)
-    multi_json (1.0.4)
+    multi_json (1.3.4)
     multipart-post (1.1.5)
     nokogiri (1.5.0)
     oauth2 (0.5.2)
@@ -87,10 +87,10 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.6)
+    orm_adapter (0.0.7)
     polyglot (0.3.3)
     rack (1.3.6)
-    rack-cache (1.1)
+    rack-cache (1.2)
       rack (>= 0.4)
     rack-mount (0.8.3)
       rack (>= 1.0.0)
@@ -101,17 +101,17 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.1.3)
-      actionmailer (= 3.1.3)
-      actionpack (= 3.1.3)
-      activerecord (= 3.1.3)
-      activeresource (= 3.1.3)
-      activesupport (= 3.1.3)
+    rails (3.1.4)
+      actionmailer (= 3.1.4)
+      actionpack (= 3.1.4)
+      activerecord (= 3.1.4)
+      activeresource (= 3.1.4)
+      activesupport (= 3.1.4)
       bundler (~> 1.0)
-      railties (= 3.1.3)
-    railties (3.1.3)
-      actionpack (= 3.1.3)
-      activesupport (= 3.1.3)
+      railties (= 3.1.4)
+    railties (3.1.4)
+      actionpack (= 3.1.4)
+      activesupport (= 3.1.4)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -126,19 +126,17 @@ GEM
     ruby-debug-base (0.10.4)
       linecache (>= 0.3)
     ruby-openid (2.1.8)
-    sprockets (2.0.3)
+    sprockets (2.0.4)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.5)
-    sqlite3-ruby (1.3.3)
-      sqlite3 (>= 1.3.3)
     thor (0.14.6)
     tilt (1.3.3)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.31)
+    tzinfo (0.3.33)
     warden (1.1.1)
       rack (>= 1.0)
     webrat (0.7.2)
@@ -165,5 +163,5 @@ DEPENDENCIES
   rails (~> 3.1.0)
   rdoc
   ruby-debug (>= 0.10.3)
-  sqlite3-ruby
+  sqlite3
   webrat (= 0.7.2)

data/lib/devise.rb

@@ -20,16 +20,6 @@ module Devise
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
-  module Encryptors
-    autoload :Base, 'devise/encryptors/base'
-    autoload :AuthlogicSha512, 'devise/encryptors/authlogic_sha512'
-    autoload :BCrypt, 'devise/encryptors/bcrypt'
-    autoload :ClearanceSha1, 'devise/encryptors/clearance_sha1'
-    autoload :RestfulAuthenticationSha1, 'devise/encryptors/restful_authentication_sha1'
-    autoload :Sha512, 'devise/encryptors/sha512'
-    autoload :Sha1, 'devise/encryptors/sha1'
-  end
-
   module Mailers
     autoload :Helpers, 'devise/mailers/helpers'
   end
@@ -53,15 +43,6 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
-  # Declare encryptors length which are used in migrations.
-  ENCRYPTORS_LENGTH = {
-    :sha1   => 40,
-    :sha512 => 128,
-    :clearance_sha1 => 40,
-    :restful_authentication_sha1 => 40,
-    :authlogic_sha512 => 128
-  }
-
   # Custom domain for cookies. Not set by default
   mattr_accessor :rememberable_options
   @@rememberable_options = {}
@@ -79,14 +60,12 @@ module Devise
   @@request_keys = []
 
   # Keys that should be case-insensitive.
-  # False by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = false
+  @@case_insensitive_keys = [ :email ]
 
   # Keys that should have whitespace stripped.
-  # False by default for backwards compatibility.
   mattr_accessor :strip_whitespace_keys
-  @@strip_whitespace_keys = false
+  @@strip_whitespace_keys = []
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -139,14 +118,14 @@ module Devise
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
 
+  # Authentication token expiration on timeout
+  mattr_accessor :expire_auth_token_on_timeout
+  @@expire_auth_token_on_timeout = false
+
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
 
-  # Used to define the password encryption algorithm.
-  mattr_accessor :encryptor
-  @@encryptor = nil
-
   # Scoped views. Since it relies on fallbacks to render default views, it's
   # turned off by default.
   mattr_accessor :scoped_views
@@ -179,9 +158,8 @@ module Devise
   @@reset_password_keys = [ :email ]
 
   # Time interval you can reset your password with a reset password key
-  # Nil by default for backwards compatibility.
   mattr_accessor :reset_password_within
-  @@reset_password_within = nil
+  @@reset_password_within = 6.hours
 
   # The default scope which is used by warden.
   mattr_accessor :default_scope
@@ -223,36 +201,16 @@ module Devise
   mattr_accessor :router_name
   @@router_name = nil
 
-  # DEPRECATED CONFIG
-
-  # If true, uses salt as remember token and does not create it in the database.
-  # By default is false for backwards compatibility.
-  mattr_accessor :use_salt_as_remember_token
-  @@use_salt_as_remember_token = false
-
-  # Tells if devise should apply the schema in ORMs where devise declaration
-  # and schema belongs to the same class (as Datamapper and Mongoid).
-  mattr_accessor :apply_schema
-  @@apply_schema = true
-
-  def self.remember_across_browsers=(value)
-    warn "\n[DEVISE] Devise.remember_across_browsers is deprecated and has no effect. Please remove it.\n"
-  end
-
-  def self.confirm_within=(value)
-    warn "\n[DEVISE] Devise.confirm_within= is deprecated. Please set Devise.allow_unconfirmed_access_for= instead.\n"
-    Devise.allow_unconfirmed_access_for = value
+  def self.encryptor=(value)
+    warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
   end
 
-  def self.cookie_options=(value)
-    warn "\n[DEVISE] Devise.cookie_options= is deprecated. Please set Devise.rememberable_options= instead.\n"
-    Devise.rememberable_options = value
+  def self.use_salt_as_remember_token=(value)
+    warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
   end
 
-  def self.stateless_token=(value)
-    warn "\n[DEVISE] Devise.stateless_token= is deprecated. Please append :token_auth to Devise.skip_session_storage " \
-      "instead, for example: Devise.skip_session_storage << :token_auth\n"
-    Devise.skip_session_storage << :token_auth
+  def self.apply_schema=(value)
+    warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
   end
 
   # PRIVATE CONFIGURATION