devise 2.1.0 → 2.1.2
- data/CHANGELOG.rdoc +34 -17
- data/Gemfile +1 -1
- data/Gemfile.lock +45 -45
- data/README.md +23 -18
- data/Rakefile +1 -1
- data/app/controllers/devise/omniauth_callbacks_controller.rb +6 -0
- data/app/controllers/devise/passwords_controller.rb +9 -0
- data/app/controllers/devise/sessions_controller.rb +1 -0
- data/app/controllers/devise_controller.rb +16 -5
- data/app/views/devise/confirmations/new.html.erb +1 -1
- data/app/views/devise/passwords/edit.html.erb +1 -1
- data/app/views/devise/passwords/new.html.erb +1 -1
- data/app/views/devise/registrations/edit.html.erb +1 -1
- data/app/views/devise/registrations/new.html.erb +1 -1
- data/app/views/devise/sessions/new.html.erb +1 -1
- data/app/views/devise/unlocks/new.html.erb +1 -1
- data/config/locales/en.yml +1 -0
- data/devise.gemspec +2 -2
- data/lib/devise.rb +5 -1
- data/lib/devise/controllers/helpers.rb +11 -8
- data/lib/devise/hooks/timeoutable.rb +6 -3
- data/lib/devise/models.rb +5 -4
- data/lib/devise/models/authenticatable.rb +49 -12
- data/lib/devise/models/confirmable.rb +2 -2
- data/lib/devise/models/database_authenticatable.rb +1 -1
- data/lib/devise/models/lockable.rb +8 -4
- data/lib/devise/models/recoverable.rb +1 -1
- data/lib/devise/omniauth.rb +1 -1
- data/lib/devise/omniauth/url_helpers.rb +0 -15
- data/lib/devise/rails/routes.rb +59 -25
- data/lib/devise/strategies/authenticatable.rb +16 -5
- data/lib/devise/strategies/base.rb +5 -0
- data/lib/devise/strategies/database_authenticatable.rb +1 -2
- data/lib/devise/strategies/rememberable.rb +5 -3
- data/lib/devise/strategies/token_authenticatable.rb +1 -2
- data/lib/devise/version.rb +1 -1
- data/lib/generators/devise/views_generator.rb +6 -0
- data/lib/generators/mongoid/devise_generator.rb +5 -2
- data/lib/generators/templates/devise.rb +20 -4
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +3 -3
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +3 -3
- data/test/controllers/helpers_test.rb +6 -7
- data/test/controllers/sessions_controller_test.rb +22 -15
- data/test/integration/authenticatable_test.rb +109 -63
- data/test/integration/recoverable_test.rb +6 -0
- data/test/integration/timeoutable_test.rb +28 -2
- data/test/models/recoverable_test.rb +3 -3
- data/test/models_test.rb +3 -3
- data/test/omniauth/url_helpers_test.rb +1 -8
- data/test/rails_app/app/controllers/admins_controller.rb +5 -0
- data/test/rails_app/config/routes.rb +11 -1
- data/test/rails_app/db/migrate/20100401102949_create_tables.rb +3 -0
- data/test/support/assertions.rb +6 -8
- data/test/support/integration.rb +2 -1
- metadata +14 -19
@@ -9,7 +9,7 @@ module Devise
|
|
9
9
|
attr_accessor :authentication_hash, :authentication_type, :password
|
10
10
|
|
11
11
|
def store?
|
12
|
-
!mapping.to.skip_session_storage.include?(authentication_type)
|
12
|
+
super && !mapping.to.skip_session_storage.include?(authentication_type)
|
13
13
|
end
|
14
14
|
|
15
15
|
def valid?
|
@@ -18,13 +18,24 @@ module Devise
|
|
18
18
|
|
19
19
|
private
|
20
20
|
|
21
|
-
#
|
21
|
+
# Receives a resource and check if it is valid by calling valid_for_authentication?
|
22
|
+
# An optional block that will be triggered while validating can be optionally
|
23
|
+
# given as parameter. Check Devise::Models::Authenticable.valid_for_authentication?
|
24
|
+
# for more information.
|
25
|
+
#
|
26
|
+
# In case the resource can't be validated, it will fail with the given
|
27
|
+
# unauthenticated_message.
|
22
28
|
def validate(resource, &block)
|
29
|
+
unless resource
|
30
|
+
ActiveSupport::Deprecation.warn "an empty resource was given to #{self.class.name}#validate. " \
|
31
|
+
"Please ensure the resource is not nil", caller
|
32
|
+
end
|
33
|
+
|
23
34
|
result = resource && resource.valid_for_authentication?(&block)
|
24
35
|
|
25
36
|
case result
|
26
37
|
when Symbol, String
|
27
|
-
ActiveSupport::Deprecation.warn "valid_for_authentication should return a boolean value"
|
38
|
+
ActiveSupport::Deprecation.warn "valid_for_authentication? should return a boolean value"
|
28
39
|
fail!(result)
|
29
40
|
return false
|
30
41
|
end
|
@@ -84,8 +95,8 @@ module Devise
|
|
84
95
|
|
85
96
|
# Extract the appropriate subhash for authentication from params.
|
86
97
|
def params_auth_hash
|
87
|
-
|
88
|
-
|
98
|
+
params[scope]
|
99
|
+
end
|
89
100
|
|
90
101
|
# Extract a hash with attributes:values from the http params.
|
91
102
|
def http_auth_hash
|
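Review bot: `params[scope]` in the new `params_auth_hash` is attacker-controlled and is not guaranteed to be a Hash — a request carrying `user=foo` yields a String here, and anything downstream that indexes it by attribute name will raise or misbehave. If the `is_a?(Hash)` guard lives in `valid_params?` (outside this hunk) that is sufficient, but the method deserves a comment making the contract explicit: `# Raw and attacker-controlled; may be a String/Array. Callers must gate on valid_params?`. Separately, the new comment in `validate` refers to `Devise::Models::Authenticable` — the module is `Authenticatable`. The tail of `validate` (the non-Symbol/String path and its return value) is outside the hunk.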
@@ -2,6 +2,11 @@ module Devise
|
|
2
2
|
module Strategies
|
3
3
|
# Base strategy for Devise. Responsible for verifying correct scope and mapping.
|
4
4
|
class Base < ::Warden::Strategies::Base
|
5
|
+
# Whenever CSRF cannot be verified, we turn off any kind of storage
|
6
|
+
def store?
|
7
|
+
!env["devise.skip_storage"]
|
8
|
+
end
|
9
|
+
|
5
10
|
# Checks if a valid scope was given for devise and find mapping based on this scope.
|
6
11
|
def mapping
|
7
12
|
@mapping ||= begin
|
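Review bot: `store?` in the new `Base` fails open — storage is only disabled when something has already written a truthy `env["devise.skip_storage"]`, and the code that sets it (presumably `DeviseController#handle_unverified_request`, in the diffstat but not in this hunk) is not in view. Any application controller that drives `warden.authenticate!` without going through that override, under Rails 3's default of nulling the session and continuing on a failed CSRF check, will still persist a login from a forged POST. The comment should say which side owns the flag so the contract survives refactoring, e.g. `# Set by DeviseController#handle_unverified_request on CSRF failure. Absent means storage is allowed, so any other controller that authenticates must set it too.` Class `Base` continues outside the hunk.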
@@ -6,12 +6,11 @@ module Devise
|
|
6
6
|
class DatabaseAuthenticatable < Authenticatable
|
7
7
|
def authenticate!
|
8
8
|
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
|
9
|
+
return fail(:invalid) unless resource
|
9
10
|
|
10
11
|
if validate(resource){ resource.valid_password?(password) }
|
11
12
|
resource.after_database_authentication
|
12
13
|
success!(resource)
|
13
|
-
elsif !halted?
|
14
|
-
fail(:invalid)
|
15
14
|
end
|
16
15
|
end
|
17
16
|
end
|
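Review bot: The early `return fail(:invalid) unless resource` returns before any password hashing happens, so a request for a non-existent account finishes measurably faster than one for an existing account with a wrong password, which lets a caller enumerate accounts by timing even though both paths share the `:invalid` message. The cheapest mitigation is a throwaway hash on the miss path, e.g. `mapping.to.new.password = password unless resource` placed just before the `return`, provided the model's `password=` hashes eagerly (the `DatabaseAuthenticatable` model is in the diffstat but not shown — confirm). With the `elsif !halted?` branch gone, a `validate` that returns false without halting now leaves the strategy neither succeeded nor failed; that is the intended Warden "fall through" semantics but deserves a one-line comment on the `if validate(...)`. `authenticate!` is complete in the hunk; the class continues outside.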
@@ -19,11 +19,13 @@ module Devise
|
|
19
19
|
def authenticate!
|
20
20
|
resource = mapping.to.serialize_from_cookie(*remember_cookie)
|
21
21
|
|
22
|
+
unless resource
|
23
|
+
cookies.delete(remember_key)
|
24
|
+
return pass
|
25
|
+
end
|
26
|
+
|
22
27
|
if validate(resource)
|
23
28
|
success!(resource)
|
24
|
-
elsif !halted?
|
25
|
-
cookies.delete(remember_key)
|
26
|
-
pass
|
27
29
|
end
|
28
30
|
end
|
29
31
|
|
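Review bot: Cookie clean-up has been narrowed: the old `elsif !halted?` branch also deleted the remember cookie when `validate(resource)` returned false without halting (an account that exists but fails `valid_for_authentication?`), while the new code only deletes it when `serialize_from_cookie` finds nothing. The cookie for such an account is therefore re-sent and re-checked (a record lookup plus token compare) on every request until it expires; if that is intentional — so the account is remembered again once it becomes valid — say so on the `if validate(resource)` line, otherwise restore the delete with `else` / `cookies.delete(remember_key)`. The deserialized value comes straight from an attacker-controlled cookie, so the token comparison has to happen inside `serialize_from_cookie` (outside this hunk), not here. `authenticate!` is complete in the hunk; the class continues outside.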
@@ -16,12 +16,11 @@ module Devise
|
|
16
16
|
|
17
17
|
def authenticate!
|
18
18
|
resource = mapping.to.find_for_token_authentication(authentication_hash)
|
19
|
+
return fail(:invalid_token) unless resource
|
19
20
|
|
20
21
|
if validate(resource)
|
21
22
|
resource.after_token_authentication
|
22
23
|
success!(resource)
|
23
|
-
elsif !halted?
|
24
|
-
fail(:invalid_token)
|
25
24
|
end
|
26
25
|
end
|
27
26
|
|
data/lib/devise/version.rb
CHANGED
@@ -10,6 +10,11 @@ module Devise
|
|
10
10
|
argument :scope, :required => false, :default => nil,
|
11
11
|
:desc => "The scope to copy views to"
|
12
12
|
|
13
|
+
# Le sigh, ensure Thor won't handle opts as args
|
14
|
+
# It should be fixed in future Rails releases
|
15
|
+
class_option :form_builder, :aliases => "-b"
|
16
|
+
class_option :markerb
|
17
|
+
|
13
18
|
public_task :copy_views
|
14
19
|
end
|
15
20
|
|
@@ -98,6 +103,7 @@ module Devise
|
|
98
103
|
:desc => "The scope to copy views to"
|
99
104
|
|
100
105
|
invoke SharedViewsGenerator
|
106
|
+
|
101
107
|
hook_for :form_builder, :aliases => "-b",
|
102
108
|
:desc => "Form builder to be used",
|
103
109
|
:default => defined?(SimpleForm) ? "simple_form_for" : "form_for"
|
@@ -20,9 +20,12 @@ module Mongoid
|
|
20
20
|
def migration_data
|
21
21
|
<<RUBY
|
22
22
|
## Database authenticatable
|
23
|
-
field :email, :type => String, :
|
24
|
-
field :encrypted_password, :type => String, :
|
23
|
+
field :email, :type => String, :default => ""
|
24
|
+
field :encrypted_password, :type => String, :default => ""
|
25
25
|
|
26
|
+
validates_presence_of :email
|
27
|
+
validates_presence_of :encrypted_password
|
28
|
+
|
26
29
|
## Recoverable
|
27
30
|
field :reset_password_token, :type => String
|
28
31
|
field :reset_password_sent_at, :type => Time
|
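Review bot: Nothing in this hunk enforces uniqueness of `email`, which is the authentication key: `validates_presence_of :email` rejects blanks, but two sign-ups racing on the same address can still produce two documents, after which `find_for_database_authentication` likely authenticates against whichever one Mongoid returns first. Unless the rest of `migration_data` (outside the hunk) already emits one, the generated template should include a unique index on `email` (syntax depends on the Mongoid version targeted) or at least a generated comment telling the user to add one, since `validates_uniqueness_of` alone is not race-safe. The `:default => ""` on `encrypted_password` together with `validates_presence_of :encrypted_password` correctly refuses to persist a password-less account. `migration_data` continues past the hunk.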
@@ -125,6 +125,9 @@ Devise.setup do |config|
|
|
125
125
|
# The time you want to timeout the user session without activity. After this
|
126
126
|
# time the user will be asked for credentials again. Default is 30 minutes.
|
127
127
|
# config.timeout_in = 30.minutes
|
128
|
+
|
129
|
+
# If true, expires auth token on session timeout.
|
130
|
+
# config.expire_auth_token_on_timeout = false
|
128
131
|
|
129
132
|
# ==> Configuration for :lockable
|
130
133
|
# Defines which strategy will be used to lock an account.
|
@@ -181,9 +184,8 @@ Devise.setup do |config|
|
|
181
184
|
# devise role declared in your routes (usually :user).
|
182
185
|
# config.default_scope = :user
|
183
186
|
|
184
|
-
#
|
185
|
-
#
|
186
|
-
# The default is true, which means any logout action will sign out all active scopes.
|
187
|
+
# Set this configuration to false if you want /users/sign_out to sign out
|
188
|
+
# only the current scope. By default, Devise signs out all scopes.
|
187
189
|
# config.sign_out_all_scopes = true
|
188
190
|
|
189
191
|
# ==> Navigation configuration
|
@@ -213,4 +215,18 @@ Devise.setup do |config|
|
|
213
215
|
# manager.intercept_401 = false
|
214
216
|
# manager.default_strategies(:scope => :user).unshift :some_external_strategy
|
215
217
|
# end
|
216
|
-
|
218
|
+
|
219
|
+
# ==> Mountable engine configurations
|
220
|
+
# When using Devise inside an engine, let's call it `MyEngine`, and this engine
|
221
|
+
# is mountable, there are some extra configurations to be taken into account.
|
222
|
+
# The following options are available, assuming the engine is mounted as:
|
223
|
+
#
|
224
|
+
# mount MyEngine, at: "/my_engine"
|
225
|
+
#
|
226
|
+
# The router that invoked `devise_for`, in the example above, would be:
|
227
|
+
# config.router_name = :my_engine
|
228
|
+
#
|
229
|
+
# When using omniauth, Devise cannot automatically set Omniauth path,
|
230
|
+
# so you need to do it manually. For the users scope, it would be:
|
231
|
+
# config.omniauth_path_prefix = "/my_engine/users/auth"
|
232
|
+
end
|
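Review bot: The new `expire_auth_token_on_timeout` option is documented only as "expires auth token on session timeout", and the consequence of leaving it at the default `false` is not stated: if the hook behaves as the name suggests (`hooks/timeoutable.rb` is in the diffstat but not shown), a `:token_authenticatable` token keeps working after the session has timed out, so `timeout_in` only bounds the cookie session. The template should make that trade-off visible so apps issuing per-session tokens enable it, e.g. `# If true, expires auth token on session timeout. Leave false only if tokens are meant to outlive the session.` The reworded `sign_out_all_scopes` comment is clearer than the old one; the `omniauth_path_prefix` note should also say the prefix must match the mounted engine path exactly, since a mismatch silently breaks the callback route.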
@@ -3,13 +3,13 @@
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => confirmation_path(resource_name), :html => { :method => :post }) do |f| %>
|
4
4
|
<%= f.error_notification %>
|
5
5
|
|
6
|
-
<div class="inputs">
|
6
|
+
<div class="form-inputs">
|
7
7
|
<%= f.input :email, :required => true %>
|
8
8
|
</div>
|
9
9
|
|
10
|
-
<div class="actions">
|
10
|
+
<div class="form-actions">
|
11
11
|
<%= f.button :submit, "Resend confirmation instructions" %>
|
12
12
|
</div>
|
13
13
|
<% end %>
|
14
14
|
|
15
|
-
<%= render
|
15
|
+
<%= render "devise/shared/links" %>
|
@@ -6,14 +6,14 @@
|
|
6
6
|
<%= f.input :reset_password_token, :as => :hidden %>
|
7
7
|
<%= f.full_error :reset_password_token %>
|
8
8
|
|
9
|
-
<div class="inputs">
|
9
|
+
<div class="form-inputs">
|
10
10
|
<%= f.input :password, :label => "New password", :required => true %>
|
11
11
|
<%= f.input :password_confirmation, :label => "Confirm your new password", :required => true %>
|
12
12
|
</div>
|
13
13
|
|
14
|
-
<div class="actions">
|
14
|
+
<div class="form-actions">
|
15
15
|
<%= f.button :submit, "Change my password" %>
|
16
16
|
</div>
|
17
17
|
<% end %>
|
18
18
|
|
19
|
-
<%= render
|
19
|
+
<%= render "devise/shared/links" %>
|
@@ -3,13 +3,13 @@
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %>
|
4
4
|
<%= f.error_notification %>
|
5
5
|
|
6
|
-
<div class="inputs">
|
6
|
+
<div class="form-inputs">
|
7
7
|
<%= f.input :email, :required => true %>
|
8
8
|
</div>
|
9
9
|
|
10
|
-
<div class="actions">
|
10
|
+
<div class="form-actions">
|
11
11
|
<%= f.button :submit, "Send me reset password instructions" %>
|
12
12
|
</div>
|
13
13
|
<% end %>
|
14
14
|
|
15
|
-
<%= render
|
15
|
+
<%= render "devise/shared/links" %>
|
@@ -3,20 +3,20 @@
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => registration_path(resource_name), :html => { :method => :put }) do |f| %>
|
4
4
|
<%= f.error_notification %>
|
5
5
|
|
6
|
-
<div class="inputs">
|
6
|
+
<div class="form-inputs">
|
7
7
|
<%= f.input :email, :required => true, :autofocus => true %>
|
8
8
|
<%= f.input :password, :autocomplete => "off", :hint => "leave it blank if you don't want to change it", :required => false %>
|
9
9
|
<%= f.input :password_confirmation, :required => false %>
|
10
10
|
<%= f.input :current_password, :hint => "we need your current password to confirm your changes", :required => true %>
|
11
11
|
</div>
|
12
12
|
|
13
|
-
<div class="actions">
|
13
|
+
<div class="form-actions">
|
14
14
|
<%= f.button :submit, "Update" %>
|
15
15
|
</div>
|
16
16
|
<% end %>
|
17
17
|
|
18
18
|
<h3>Cancel my account</h3>
|
19
19
|
|
20
|
-
<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :confirm => "Are you sure?", :method => :delete %>.</p>
|
20
|
+
<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.</p>
|
21
21
|
|
22
22
|
<%= link_to "Back", :back %>
|
@@ -3,15 +3,15 @@
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
|
4
4
|
<%= f.error_notification %>
|
5
5
|
|
6
|
-
<div class="inputs">
|
6
|
+
<div class="form-inputs">
|
7
7
|
<%= f.input :email, :required => true, :autofocus => true %>
|
8
8
|
<%= f.input :password, :required => true %>
|
9
9
|
<%= f.input :password_confirmation, :required => true %>
|
10
10
|
</div>
|
11
11
|
|
12
|
-
<div class="actions">
|
12
|
+
<div class="form-actions">
|
13
13
|
<%= f.button :submit, "Sign up" %>
|
14
14
|
</div>
|
15
15
|
<% end %>
|
16
16
|
|
17
|
-
<%= render
|
17
|
+
<%= render "devise/shared/links" %>
|
@@ -1,15 +1,15 @@
|
|
1
1
|
<h2>Sign in</h2>
|
2
2
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
|
4
|
-
<div class="inputs">
|
4
|
+
<div class="form-inputs">
|
5
5
|
<%= f.input :email, :required => false, :autofocus => true %>
|
6
6
|
<%= f.input :password, :required => false %>
|
7
7
|
<%= f.input :remember_me, :as => :boolean if devise_mapping.rememberable? %>
|
8
8
|
</div>
|
9
9
|
|
10
|
-
<div class="actions">
|
10
|
+
<div class="form-actions">
|
11
11
|
<%= f.button :submit, "Sign in" %>
|
12
12
|
</div>
|
13
13
|
<% end %>
|
14
14
|
|
15
|
-
<%= render
|
15
|
+
<%= render "devise/shared/links" %>
|
@@ -3,13 +3,13 @@
|
|
3
3
|
<%= simple_form_for(resource, :as => resource_name, :url => unlock_path(resource_name), :html => { :method => :post }) do |f| %>
|
4
4
|
<%= f.error_notification %>
|
5
5
|
|
6
|
-
<div class="inputs">
|
6
|
+
<div class="form-inputs">
|
7
7
|
<%= f.input :email, :required => true %>
|
8
8
|
</div>
|
9
9
|
|
10
|
-
<div class="actions">
|
10
|
+
<div class="form-actions">
|
11
11
|
<%= f.button :submit, "Resend unlock instructions" %>
|
12
12
|
</div>
|
13
13
|
<% end %>
|
14
14
|
|
15
|
-
<%= render
|
15
|
+
<%= render "devise/shared/links" %>
|
@@ -139,30 +139,27 @@ class ControllerAuthenticatableTest < ActionController::TestCase
|
|
139
139
|
assert_equal nil, @controller.instance_variable_get(:@current_admin)
|
140
140
|
end
|
141
141
|
|
142
|
-
test 'sign out clears up any signed in user by scope' do
|
142
|
+
test 'sign out logs out and clears up any signed in user by scope' do
|
143
143
|
user = User.new
|
144
144
|
@mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(user)
|
145
145
|
@mock_warden.expects(:logout).with(:user).returns(true)
|
146
|
+
@mock_warden.expects(:clear_strategies_cache!).with(:scope => :user).returns(true)
|
146
147
|
@controller.instance_variable_set(:@current_user, user)
|
147
148
|
@controller.sign_out(:user)
|
148
149
|
assert_equal nil, @controller.instance_variable_get(:@current_user)
|
149
150
|
end
|
150
|
-
|
151
|
-
test 'sign out proxy to logout on warden' do
|
152
|
-
@mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(true)
|
153
|
-
@mock_warden.expects(:logout).with(:user).returns(true)
|
154
|
-
@controller.sign_out(:user)
|
155
|
-
end
|
156
151
|
|
157
152
|
test 'sign out accepts a resource as argument' do
|
158
153
|
@mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(true)
|
159
154
|
@mock_warden.expects(:logout).with(:user).returns(true)
|
155
|
+
@mock_warden.expects(:clear_strategies_cache!).with(:scope => :user).returns(true)
|
160
156
|
@controller.sign_out(User.new)
|
161
157
|
end
|
162
158
|
|
163
159
|
test 'sign out without args proxy to sign out all scopes' do
|
164
160
|
@mock_warden.expects(:user).times(Devise.mappings.size)
|
165
161
|
@mock_warden.expects(:logout).with().returns(true)
|
162
|
+
@mock_warden.expects(:clear_strategies_cache!).with().returns(true)
|
166
163
|
@controller.sign_out
|
167
164
|
end
|
168
165
|
|
@@ -232,6 +229,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
|
|
232
229
|
swap Devise, :sign_out_all_scopes => false do
|
233
230
|
@mock_warden.expects(:user).with(:scope => :admin, :run_callbacks => false).returns(true)
|
234
231
|
@mock_warden.expects(:logout).with(:admin).returns(true)
|
232
|
+
@mock_warden.expects(:clear_strategies_cache!).with(:scope => :admin).returns(true)
|
235
233
|
@controller.expects(:redirect_to).with(admin_root_path)
|
236
234
|
@controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
|
237
235
|
@controller.sign_out_and_redirect(:admin)
|
@@ -242,6 +240,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
|
|
242
240
|
swap Devise, :sign_out_all_scopes => true do
|
243
241
|
@mock_warden.expects(:user).times(Devise.mappings.size)
|
244
242
|
@mock_warden.expects(:logout).with().returns(true)
|
243
|
+
@mock_warden.expects(:clear_strategies_cache!).with().returns(true)
|
245
244
|
@controller.expects(:redirect_to).with(admin_root_path)
|
246
245
|
@controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
|
247
246
|
@controller.sign_out_and_redirect(:admin)
|
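Review bot: The new `clear_strategies_cache!` expectations pin the contract that `sign_out` must also flush Warden's per-request strategy cache, presumably so `current_user` cannot be re-populated in the same request from a strategy result cached before the sign-out (the helper change itself is in `controllers/helpers.rb`, listed in the diffstat but not shown). Because these tests only mock Warden, they cannot catch an ordering bug between `logout` and `clear_strategies_cache!`; a short integration test that signs in, calls `sign_out`, and asserts `warden.user(:user)` is nil within the same request would cover that. The renamed test title could also say why the cache matters: `test 'sign out logs out and clears the strategies cache so the user is not re-authenticated in the same request'`.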
@@ -4,6 +4,15 @@ class SessionsControllerTest < ActionController::TestCase
|
|
4
4
|
tests Devise::SessionsController
|
5
5
|
include Devise::TestHelpers
|
6
6
|
|
7
|
+
test "#create works even with scoped views" do
|
8
|
+
swap Devise, :scoped_views => true do
|
9
|
+
request.env["devise.mapping"] = Devise.mappings[:user]
|
10
|
+
post :create
|
11
|
+
assert_equal 200, @response.status
|
12
|
+
assert_template "users/sessions/new"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
7
16
|
test "#create doesn't raise exception after Warden authentication fails when TestHelpers included" do
|
8
17
|
request.env["devise.mapping"] = Devise.mappings[:user]
|
9
18
|
post :create, :user => {
|
@@ -13,23 +22,21 @@ class SessionsControllerTest < ActionController::TestCase
|
|
13
22
|
assert_equal 200, @response.status
|
14
23
|
assert_template "devise/sessions/new"
|
15
24
|
end
|
16
|
-
|
17
|
-
if defined?(ActiveRecord)
|
18
|
-
if ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
|
19
|
-
test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
|
20
|
-
request.env["devise.mapping"] = Devise.mappings[:user]
|
21
25
|
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
26
|
+
if defined?(ActiveRecord) && ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
|
27
|
+
test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
|
28
|
+
request.env["devise.mapping"] = Devise.mappings[:user]
|
29
|
+
|
30
|
+
ActiveRecord::Base.mass_assignment_sanitizer = :strict
|
31
|
+
User.class_eval { attr_protected :email }
|
32
|
+
|
33
|
+
begin
|
34
|
+
assert_nothing_raised ActiveModel::MassAssignmentSecurity::Error do
|
35
|
+
get :new, :user => { :email => "allez viens!" }
|
32
36
|
end
|
37
|
+
ensure
|
38
|
+
ActiveRecord::Base.mass_assignment_sanitizer = :logger
|
39
|
+
User.class_eval { attr_accessible :email }
|
33
40
|
end
|
34
41
|
end
|
35
42
|
end
|
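Review bot: The `ensure` block restores `ActiveRecord::Base.mass_assignment_sanitizer = :logger` and `attr_accessible :email` as hard-coded values rather than what was in effect before the test, so if the test app's configuration ever differs the test silently changes global state for every later test — including the mass-assignment protection that the `:strict` sanitizer is meant to exercise. Capture and restore instead: `previous = ActiveRecord::Base.mass_assignment_sanitizer` before the assignment and `ActiveRecord::Base.mass_assignment_sanitizer = previous` in the `ensure`. `attr_protected :email` followed by `attr_accessible :email` leaves both lists declared on `User`; that is test-only, but a comment saying it is intentional would help the next reader.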
@@ -75,13 +75,73 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
|
|
75
75
|
assert_not warden.authenticated?(:admin)
|
76
76
|
end
|
77
77
|
|
78
|
-
test '
|
78
|
+
test 'signed in as user should not be able to access admins actions' do
|
79
|
+
sign_in_as_user
|
80
|
+
assert warden.authenticated?(:user)
|
81
|
+
assert_not warden.authenticated?(:admin)
|
82
|
+
|
83
|
+
get admins_path
|
84
|
+
assert_redirected_to new_admin_session_path
|
85
|
+
end
|
86
|
+
|
87
|
+
test 'signed in as admin should be able to access admin actions' do
|
88
|
+
sign_in_as_admin
|
89
|
+
assert warden.authenticated?(:admin)
|
90
|
+
assert_not warden.authenticated?(:user)
|
91
|
+
|
92
|
+
get admins_path
|
93
|
+
|
94
|
+
assert_response :success
|
95
|
+
assert_template 'admins/index'
|
96
|
+
assert_contain 'Welcome Admin'
|
97
|
+
end
|
98
|
+
|
99
|
+
test 'authenticated admin should not be able to sign as admin again' do
|
100
|
+
sign_in_as_admin
|
101
|
+
get new_admin_session_path
|
102
|
+
|
103
|
+
assert_response :redirect
|
104
|
+
assert_redirected_to admin_root_path
|
105
|
+
assert warden.authenticated?(:admin)
|
106
|
+
end
|
107
|
+
|
108
|
+
test 'authenticated admin should be able to sign out' do
|
109
|
+
sign_in_as_admin
|
110
|
+
assert warden.authenticated?(:admin)
|
111
|
+
|
112
|
+
get destroy_admin_session_path
|
113
|
+
assert_response :redirect
|
114
|
+
assert_redirected_to root_path
|
115
|
+
|
116
|
+
get root_path
|
117
|
+
assert_contain 'Signed out successfully'
|
118
|
+
assert_not warden.authenticated?(:admin)
|
119
|
+
end
|
120
|
+
|
121
|
+
test 'unauthenticated admin does not set message on sign out' do
|
122
|
+
get destroy_admin_session_path
|
123
|
+
assert_response :redirect
|
124
|
+
assert_redirected_to root_path
|
125
|
+
|
126
|
+
get root_path
|
127
|
+
assert_not_contain 'Signed out successfully'
|
128
|
+
end
|
129
|
+
|
130
|
+
test 'scope uses custom failure app' do
|
131
|
+
put "/en/accounts/management"
|
132
|
+
assert_equal "Oops, not found", response.body
|
133
|
+
assert_equal 404, response.status
|
134
|
+
end
|
135
|
+
end
|
136
|
+
|
137
|
+
class AuthenticationRoutesRestrictions < ActionController::IntegrationTest
|
138
|
+
test 'not signed in should not be able to access private route (authenticate denied)' do
|
79
139
|
get private_path
|
80
140
|
assert_redirected_to new_admin_session_path
|
81
141
|
assert_not warden.authenticated?(:admin)
|
82
142
|
end
|
83
143
|
|
84
|
-
test 'signed in as user should not be able to access private route restricted to admins' do
|
144
|
+
test 'signed in as user should not be able to access private route restricted to admins (authenticate denied)' do
|
85
145
|
sign_in_as_user
|
86
146
|
assert warden.authenticated?(:user)
|
87
147
|
assert_not warden.authenticated?(:admin)
|
@@ -89,7 +149,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
|
|
89
149
|
assert_redirected_to new_admin_session_path
|
90
150
|
end
|
91
151
|
|
92
|
-
test 'signed in as admin should be able to access private route restricted to admins' do
|
152
|
+
test 'signed in as admin should be able to access private route restricted to admins (authenticate accepted)' do
|
93
153
|
sign_in_as_admin
|
94
154
|
assert warden.authenticated?(:admin)
|
95
155
|
assert_not warden.authenticated?(:user)
|
@@ -101,7 +161,29 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
|
|
101
161
|
assert_contain 'Private!'
|
102
162
|
end
|
103
163
|
|
104
|
-
test 'signed in as admin should
|
164
|
+
test 'signed in as inactive admin should not be able to access private/active route restricted to active admins (authenticate denied)' do
|
165
|
+
sign_in_as_admin(:active => false)
|
166
|
+
assert warden.authenticated?(:admin)
|
167
|
+
assert_not warden.authenticated?(:user)
|
168
|
+
|
169
|
+
assert_raises ActionController::RoutingError do
|
170
|
+
get "/private/active"
|
171
|
+
end
|
172
|
+
end
|
173
|
+
|
174
|
+
test 'signed in as active admin should be able to access private/active route restricted to active admins (authenticate accepted)' do
|
175
|
+
sign_in_as_admin(:active => true)
|
176
|
+
assert warden.authenticated?(:admin)
|
177
|
+
assert_not warden.authenticated?(:user)
|
178
|
+
|
179
|
+
get private_active_path
|
180
|
+
|
181
|
+
assert_response :success
|
182
|
+
assert_template 'home/private'
|
183
|
+
assert_contain 'Private!'
|
184
|
+
end
|
185
|
+
|
186
|
+
test 'signed in as admin should get admin dashboard (authenticated accepted)' do
|
105
187
|
sign_in_as_admin
|
106
188
|
assert warden.authenticated?(:admin)
|
107
189
|
assert_not warden.authenticated?(:user)
|
@@ -113,7 +195,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
|
|
113
195
|
assert_contain 'Admin dashboard'
|
114
196
|
end
|
115
197
|
|
116
|
-
test 'signed in as user should get user dashboard' do
|
198
|
+
test 'signed in as user should get user dashboard (authenticated accepted)' do
|
117
199
|
sign_in_as_user
|
118
200
|
assert warden.authenticated?(:user)
|
119
201
|
assert_not warden.authenticated?(:admin)
|
@@ -125,86 +207,50 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
|
|
125
207
|
assert_contain 'User dashboard'
|
126
208
|
end
|
127
209
|
|
128
|
-
test 'not signed in should get no dashboard' do
|
210
|
+
test 'not signed in should get no dashboard (authenticated denied)' do
|
129
211
|
assert_raises ActionController::RoutingError do
|
130
212
|
get dashboard_path
|
131
213
|
end
|
132
214
|
end
|
133
215
|
|
134
|
-
test 'signed in
|
135
|
-
|
136
|
-
assert warden.authenticated?(:
|
137
|
-
assert_not warden.authenticated?(:
|
216
|
+
test 'signed in as inactive admin should not be able to access dashboard/active route restricted to active admins (authenticated denied)' do
|
217
|
+
sign_in_as_admin(:active => false)
|
218
|
+
assert warden.authenticated?(:admin)
|
219
|
+
assert_not warden.authenticated?(:user)
|
138
220
|
|
139
221
|
assert_raises ActionController::RoutingError do
|
140
|
-
get
|
222
|
+
get "/dashboard/active"
|
141
223
|
end
|
142
224
|
end
|
143
225
|
|
144
|
-
test '
|
145
|
-
|
226
|
+
test 'signed in as active admin should be able to access dashboard/active route restricted to active admins (authenticated accepted)' do
|
227
|
+
sign_in_as_admin(:active => true)
|
228
|
+
assert warden.authenticated?(:admin)
|
229
|
+
assert_not warden.authenticated?(:user)
|
230
|
+
|
231
|
+
get dashboard_active_path
|
146
232
|
|
147
233
|
assert_response :success
|
148
|
-
assert_template 'home/
|
149
|
-
assert_contain '
|
234
|
+
assert_template 'home/admin_dashboard'
|
235
|
+
assert_contain 'Admin dashboard'
|
150
236
|
end
|
151
237
|
|
152
|
-
test 'signed in
|
238
|
+
test 'signed in user should not see unauthenticated page (unauthenticated denied)' do
|
153
239
|
sign_in_as_user
|
154
240
|
assert warden.authenticated?(:user)
|
155
241
|
assert_not warden.authenticated?(:admin)
|
156
242
|
|
157
|
-
|
158
|
-
|
243
|
+
assert_raises ActionController::RoutingError do
|
244
|
+
get join_path
|
245
|
+
end
|
159
246
|
end
|
160
247
|
|
161
|
-
test 'signed in
|
162
|
-
|
163
|
-
assert warden.authenticated?(:admin)
|
164
|
-
assert_not warden.authenticated?(:user)
|
165
|
-
|
166
|
-
get admins_path
|
248
|
+
test 'not signed in users should see unautheticated page (unauthenticated accepted)' do
|
249
|
+
get join_path
|
167
250
|
|
168
251
|
assert_response :success
|
169
|
-
assert_template '
|
170
|
-
assert_contain '
|
171
|
-
end
|
172
|
-
|
173
|
-
test 'authenticated admin should not be able to sign as admin again' do
|
174
|
-
sign_in_as_admin
|
175
|
-
get new_admin_session_path
|
176
|
-
|
177
|
-
assert_response :redirect
|
178
|
-
assert_redirected_to admin_root_path
|
179
|
-
assert warden.authenticated?(:admin)
|
180
|
-
end
|
181
|
-
|
182
|
-
test 'authenticated admin should be able to sign out' do
|
183
|
-
sign_in_as_admin
|
184
|
-
assert warden.authenticated?(:admin)
|
185
|
-
|
186
|
-
get destroy_admin_session_path
|
187
|
-
assert_response :redirect
|
188
|
-
assert_redirected_to root_path
|
189
|
-
|
190
|
-
get root_path
|
191
|
-
assert_contain 'Signed out successfully'
|
192
|
-
assert_not warden.authenticated?(:admin)
|
193
|
-
end
|
194
|
-
|
195
|
-
test 'unauthenticated admin does not set message on sign out' do
|
196
|
-
get destroy_admin_session_path
|
197
|
-
assert_response :redirect
|
198
|
-
assert_redirected_to root_path
|
199
|
-
|
200
|
-
get root_path
|
201
|
-
assert_not_contain 'Signed out successfully'
|
202
|
-
end
|
203
|
-
|
204
|
-
test 'scope uses custom failure app' do
|
205
|
-
put "/en/accounts/management"
|
206
|
-
assert_equal "Oops, not found", response.body
|
207
|
-
assert_equal 404, response.status
|
252
|
+
assert_template 'home/join'
|
253
|
+
assert_contain 'Join'
|
208
254
|
end
|
209
255
|
end
|
210
256
|
|
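Review bot: 'authenticated admin should be able to sign out' and its unauthenticated variant exercise sign-out over `GET destroy_admin_session_path`, which depends on the test app routing `sign_out_via = :get` (its `routes.rb` is in the diffstat but not shown); a GET sign-out is triggerable from any third-party page (logout CSRF), so the suite should also cover `sign_out_via = :delete` and assert that a GET to the destroy path does not sign the admin out. At minimum the tests should carry `# test app uses sign_out_via :get for convenience; production apps should use :delete`. The `assert_raises ActionController::RoutingError` expectations for the constrained routes are a valid denial check under Rails 3 constraints, but a comment such as `# RoutingError here means the authenticate/authenticated constraint refused the request, not that the route is missing` would stop readers from treating them as absent routes. `AuthenticationRoutesRestrictions` continues past the hunk.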