devise 2.1.0 → 2.1.2

data/app/views/devise/sessions/new.html.erb

@@ -14,4 +14,4 @@
   <div><%= f.submit "Sign in" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>

data/app/views/devise/unlocks/new.html.erb

@@ -9,4 +9,4 @@
   <div><%= f.submit "Resend unlock instructions" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>

data/config/locales/en.yml

@@ -29,6 +29,7 @@ en:
       updated: 'Your password was changed successfully. You are now signed in.'
       updated_not_active: 'Your password was changed successfully.'
       send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
     confirmations:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.'

data/devise.gemspec

@@ -18,8 +18,8 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- test/*`.split("\n")
   s.require_paths = ["lib"]
 
-  s.add_dependency("warden", "~> 1.1.1")
-  s.add_dependency("orm_adapter", "~> 0.0.7")
+  s.add_dependency("warden", "~> 1.2.1")
+  s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
   s.add_dependency("railties", "~> 3.1")
 end

data/lib/devise.rb

@@ -10,7 +10,6 @@ module Devise
   autoload :FailureApp,  'devise/failure_app'
   autoload :OmniAuth,    'devise/omniauth'
   autoload :ParamFilter, 'devise/param_filter'
-  autoload :Schema,      'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
   module Controllers
@@ -200,6 +199,11 @@ module Devise
   # to provide custom routes.
   mattr_accessor :router_name
   @@router_name = nil
+  
+  # Set the omniauth path prefix so it can be overriden when
+  # Devise is used in a mountable engine
+  mattr_accessor :omniauth_path_prefix
+  @@omniauth_path_prefix = nil
 
   def self.encryptor=(value)
     warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"

data/lib/devise/controllers/helpers.rb

@@ -88,8 +88,8 @@ module Devise
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |scope|
-          warden.authenticate?(:scope => scope)
+        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+          warden.authenticate?(:scope => _scope)
         end
       end
 
@@ -126,8 +126,8 @@ module Devise
       end
 
       # Sign out a given user or scope. This helper is useful for signing out a user
-      # after deleting accounts. Returns true if there was a logout and false if there is no user logged in
-      # on the referred scope
+      # after deleting accounts. Returns true if there was a logout and false if there
+      # is no user logged in on the referred scope
       #
       # Examples:
       #
@@ -141,6 +141,7 @@ module Devise
 
         warden.raw_session.inspect # Without this inspect here. The session does not clear.
         warden.logout(scope)
+        warden.clear_strategies_cache!(:scope => scope)
         instance_variable_set(:"@current_#{scope}", nil)
 
         !!user
@@ -149,13 +150,15 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
       # and false if there was no user logged in on all scopes.
-      def sign_out_all_scopes
+      def sign_out_all_scopes(lock=true)
         users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
 
         warden.raw_session.inspect
         warden.logout
         expire_devise_cached_variables!
-        
+        warden.clear_strategies_cache!
+        warden.lock! if lock
+
         users.any?
       end
 
@@ -253,8 +256,8 @@ module Devise
       # Overwrite Rails' handle unverified request to sign out all scopes,
       # clear run strategies and remove cached variables.
       def handle_unverified_request
-        sign_out_all_scopes
-        warden.clear_strategies_cache!
+        sign_out_all_scopes(false)
+        request.env["devise.skip_storage"] = true
         expire_devise_cached_variables!
         super # call the default behaviour which resets the session
       end

data/lib/devise/hooks/timeoutable.rb

@@ -5,17 +5,20 @@
 # verify timeout in the following request.
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
+  env   = warden.request.env
 
   if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
     last_request_at = warden.session(scope)['last_request_at']
 
-    if record.timedout?(last_request_at)
+    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
       warden.logout(scope)
-      record.reset_authentication_token! if record.respond_to?(:reset_authentication_token!) && record.expire_auth_token_on_timeout
+      if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
+        record.reset_authentication_token!
+      end
       throw :warden, :scope => scope, :message => :timeout
     end
 
-    unless warden.request.env['devise.skip_trackable']
+    unless env['devise.skip_trackable']
       warden.session(scope)['last_request_at'] = Time.now.utc
     end
   end

data/lib/devise/models.rb

@@ -27,7 +27,7 @@ module Devise
     # inside the given class.
     #
     def self.config(mod, *accessors) #:nodoc:
-      (class << mod; self; end).send :attr_accessor, :available_configs
+      class << mod; attr_accessor :available_configs; end
       mod.available_configs = accessors
 
       accessors.each do |accessor|
@@ -51,12 +51,13 @@ module Devise
 
     def self.check_fields!(klass)
       failed_attributes = []
+      instance = klass.new
 
       klass.devise_modules.each do |mod|
-        instance = klass.new
+        constant = const_get(mod.to_s.classify)
 
-        if const_get(mod.to_s.classify).respond_to?(:required_fields)
-          const_get(mod.to_s.classify).required_fields(klass).each do |field|
+        if constant.respond_to?(:required_fields)
+          constant.required_fields(klass).each do |field|
             failed_attributes << field unless instance.respond_to?(field)
           end
         else

data/lib/devise/models/authenticatable.rb

@@ -93,22 +93,10 @@ module Devise
       def authenticatable_salt
       end
 
-      def devise_mailer
-        Devise.mailer
-      end
-
       def headers_for(name)
         {}
       end
 
-      def downcase_keys
-        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
-      end
-
-      def strip_whitespace
-        self.class.strip_whitespace_keys.each { |k| self[k].try(:strip!) }
-      end
-
       array = %w(serializable_hash)
       # to_xml does not call serializable_hash on 3.1
       array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
@@ -134,6 +122,55 @@ module Devise
         RUBY
       end
 
+      protected
+
+      def devise_mailer
+        Devise.mailer
+      end
+
+      # This is an internal method called every time Devise needs
+      # to send a notification/mail. This can be overriden if you
+      # need to customize the e-mail delivery logic. For instance,
+      # if you are using a queue to deliver e-mails (delayed job,
+      # sidekiq, resque, etc), you must add the delivery to the queue
+      # just after the transaction was committed. To achieve this,
+      # you can override send_devise_notification to store the
+      # deliveries until the after_commit callback is triggered:
+      #
+      #     class User
+      #       devise :database_authenticatable, :confirmable
+      #
+      #       after_commit :send_pending_notifications
+      #
+      #       protected
+      #
+      #       def send_devise_notification(notification)
+      #         pending_notifications << notification
+      #       end
+      #
+      #       def send_pending_notifications
+      #         pending_notifications.each do |n|
+      #           devise_mailer.send(n, self).deliver
+      #         end
+      #       end
+      #
+      #       def pending_notifications
+      #         @pending_notifications ||= []
+      #       end
+      #     end
+      #
+      def send_devise_notification(notification)
+        devise_mailer.send(notification, self).deliver
+      end
+
+      def downcase_keys
+        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
+      end
+
+      def strip_whitespace
+        self.class.strip_whitespace_keys.each { |k| self[k].try(:strip!) }
+      end
+
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
           :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)

data/lib/devise/models/confirmable.rb

@@ -78,7 +78,7 @@ module Devise
         @reconfirmation_required = false
 
         generate_confirmation_token! if self.confirmation_token.blank?
-        self.devise_mailer.confirmation_instructions(self).deliver
+        send_devise_notification(:confirmation_instructions)
       end
 
       # Resend confirmation token. This method does not need to generate a new token.
@@ -125,7 +125,7 @@ module Devise
         # instructions on creation. This can be overriden
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
-          self.devise_mailer.confirmation_instructions(self).deliver
+          send_devise_notification(:confirmation_instructions)
         end
 
         # Callback to overwrite if confirmation is required or not.

data/lib/devise/models/database_authenticatable.rb

@@ -64,7 +64,7 @@ module Devise
         result = if valid_password?(current_password)
           update_attributes(params, *options)
         else
-          self.attributes = params
+          self.assign_attributes(params, *options)
           self.valid?
           self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false

data/lib/devise/models/lockable.rb

@@ -38,11 +38,11 @@ module Devise
         self.locked_at = Time.now.utc
 
         if unlock_strategy_enabled?(:email)
-          generate_unlock_token
+          generate_unlock_token!
           send_unlock_instructions
+        else
+          save(:validate => false)
         end
-
-        save(:validate => false)
       end
 
       # Unlock a user by cleaning locked_at and failed_attempts.
@@ -60,7 +60,7 @@ module Devise
 
       # Send unlock instructions by email
       def send_unlock_instructions
-        self.devise_mailer.unlock_instructions(self).deliver
+        send_devise_notification(:unlock_instructions)
       end
 
       # Resend the unlock instructions if the user is locked.
@@ -123,6 +123,10 @@ module Devise
           self.unlock_token = self.class.unlock_token
         end
 
+        def generate_unlock_token!
+          generate_unlock_token && save(:validate => false)
+        end
+
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)

data/lib/devise/models/recoverable.rb

@@ -45,7 +45,7 @@ module Devise
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
         generate_reset_password_token! if should_generate_reset_token?
-        self.devise_mailer.reset_password_instructions(self).deliver
+        send_devise_notification(:reset_password_instructions)
       end
 
       # Checks if the reset password token sent is within the limit time.

data/lib/devise/omniauth.rb

@@ -1,7 +1,7 @@
 begin
   require "omniauth"
   require "omniauth/version"
-rescue LoadError => e
+rescue LoadError
   warn "Could not load 'omniauth'. Please ensure you have the omniauth gem >= 1.0.0 installed and listed in your Gemfile."
   raise
 end

data/lib/devise/omniauth/url_helpers.rb

@@ -2,21 +2,6 @@ module Devise
   module OmniAuth
     module UrlHelpers
       def self.define_helpers(mapping)
-        return unless mapping.omniauthable?
-
-        class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-          def #{mapping.name}_omniauth_authorize_path(provider, params = {})
-            if Devise.omniauth_configs[provider.to_sym]
-              script_name = request.env["SCRIPT_NAME"]
-
-              path = "\#{script_name}/#{mapping.path}/auth/\#{provider}\".squeeze("/")
-              path << '?' + params.to_param if params.present?
-              path
-            else
-              raise ArgumentError, "Could not find omniauth provider \#{provider.inspect}"
-            end
-          end
-        URL_HELPERS
       end
 
       def omniauth_authorize_path(resource_or_scope, *args)

data/lib/devise/rails/routes.rb

@@ -1,4 +1,5 @@
 require "active_support/core_ext/object/try"
+require "active_support/core_ext/hash/slice"
 
 module ActionDispatch::Routing
   class RouteSet #:nodoc:
@@ -236,7 +237,9 @@ module ActionDispatch::Routing
       end
     end
 
-    # Allow you to add authentication request from the router:
+    # Allow you to add authentication request from the router.
+    # Takes an optional scope and block to provide constraints
+    # on the model instance itself.
     #
     #   authenticate do
     #     resources :post
@@ -246,9 +249,13 @@ module ActionDispatch::Routing
     #     resources :users
     #   end
     #
-    def authenticate(scope=nil)
+    #   authenticate :user, lambda {|u| u.role == "admin"} do
+    #     root :to => "admin/dashboard#show"
+    #   end
+    #
+    def authenticate(scope=nil, block=nil)
       constraint = lambda do |request|
-        request.env["warden"].authenticate!(:scope => scope)
+        request.env["warden"].authenticate!(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
       end
 
       constraints(constraint) do
@@ -257,7 +264,8 @@ module ActionDispatch::Routing
     end
 
     # Allow you to route based on whether a scope is authenticated. You
-    # can optionally specify which scope.
+    # can optionally specify which scope and a block. The block accepts
+    # a model and allows extra constraints to be done on the instance.
     #
     #   authenticated :admin do
     #     root :to => 'admin/dashboard#show'
@@ -267,11 +275,15 @@ module ActionDispatch::Routing
     #     root :to => 'dashboard#show'
     #   end
     #
+    #   authenticated :user, lambda {|u| u.role == "admin"} do
+    #     root :to => "admin/dashboard#show"
+    #   end
+    #
     #   root :to => 'landing#show'
     #
-    def authenticated(scope=nil)
+    def authenticated(scope=nil, block=nil)
       constraint = lambda do |request|
-        request.env["warden"].authenticate? :scope => scope
+        request.env["warden"].authenticate?(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
       end
 
       constraints(constraint) do
@@ -367,40 +379,62 @@ module ActionDispatch::Routing
           :cancel => mapping.path_names[:cancel]
         }
 
-        resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
-                 :path_names => path_names, :controller => controllers[:registrations] do
+        options = {
+          :only => [:new, :create, :edit, :update, :destroy],
+          :path => mapping.path_names[:registration],
+          :path_names => path_names,
+          :controller => controllers[:registrations]
+        }
+
+        resource :registration, options do
           get :cancel
         end
       end
 
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
         path, @scope[:path] = @scope[:path], nil
-        path_prefix = "/#{mapping.path}/auth".squeeze("/")
+        path_prefix = Devise.omniauth_path_prefix || "/#{mapping.path}/auth".squeeze("/")
+        set_omniauth_path_prefix!(path_prefix)
 
-        if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
-          raise "Wrong OmniAuth configuration. If you are getting this exception, it means that either:\n\n" \
-            "1) You are manually setting OmniAuth.config.path_prefix and it doesn't match the Devise one\n" \
-            "2) You are setting :omniauthable in more than one model\n" \
-            "3) You changed your Devise routes/OmniAuth setting and haven't restarted your server"
-        else
-          ::OmniAuth.config.path_prefix = path_prefix
-        end
+        providers = Regexp.union(mapping.to.omniauth_providers.map(&:to_s))
 
-        match "#{path_prefix}/:action/callback", :constraints => { :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)) },
-          :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
+        match "#{path_prefix}/:provider",
+          :constraints => { :provider => providers },
+          :to => "#{controllers[:omniauth_callbacks]}#passthru",
+          :as => :omniauth_authorize
+
+        match "#{path_prefix}/:action/callback",
+          :constraints => { :action => providers },
+          :to => controllers[:omniauth_callbacks],
+          :as => :omniauth_callback
       ensure
         @scope[:path] = path
       end
 
+      DEVISE_SCOPE_KEYS = [:as, :path, :module, :constraints, :defaults, :options]
+
       def with_devise_exclusive_scope(new_path, new_as, options) #:nodoc:
-        old_as, old_path, old_module, old_constraints, old_defaults, old_options =
-          *@scope.values_at(:as, :path, :module, :constraints, :defaults, :options)
-        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints], @scope[:defaults], @scope[:options] =
-          new_as, new_path, nil, *options.values_at(:constraints, :defaults, :options)
+        old = {}
+        DEVISE_SCOPE_KEYS.each { |k| old[k] = @scope[k] }
+
+        new = { :as => new_as, :path => new_path, :module => nil }
+        new.merge!(options.slice(:constraints, :defaults, :options))
+
+        @scope.merge!(new)
         yield
       ensure
-        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints], @scope[:defaults], @scope[:options] =
-          old_as, old_path, old_module, old_constraints, old_defaults, old_options
+        @scope.merge!(old)
+      end
+
+      def set_omniauth_path_prefix!(path_prefix) #:nodoc:
+        if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
+          raise "Wrong OmniAuth configuration. If you are getting this exception, it means that either:\n\n" \
+            "1) You are manually setting OmniAuth.config.path_prefix and it doesn't match the Devise one\n" \
+            "2) You are setting :omniauthable in more than one model\n" \
+            "3) You changed your Devise routes/OmniAuth setting and haven't restarted your server"
+        else
+          ::OmniAuth.config.path_prefix = path_prefix
+        end
       end
 
       def raise_no_devise_method_error!(klass) #:nodoc: