devise 2.1.2 → 3.5.10

data/Rakefile

@@ -1,10 +1,11 @@
 # encoding: UTF-8
-require "bundler/gem_tasks"
+
+require 'bundler/gem_tasks'
 require 'rake/testtask'
 require 'rdoc/task'
 
 desc 'Default: run tests for all ORMs.'
-task :default => :test
+task default: :test
 
 desc 'Run Devise tests for all ORMs.'
 task :pre_commit do
@@ -22,6 +23,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
   t.pattern = 'test/**/*_test.rb'
   t.verbose = true
+  t.warning = false
 end
 
 desc 'Generate documentation for Devise.'

data/app/controllers/devise/confirmations_controller.rb

@@ -1,15 +1,16 @@
 class Devise::ConfirmationsController < DeviseController
   # GET /resource/confirmation/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/confirmation
   def create
     self.resource = resource_class.send_confirmation_instructions(resource_params)
+    yield resource if block_given?
 
     if successfully_sent?(resource)
-      respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+      respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name))
     else
       respond_with(resource)
     end
@@ -18,13 +19,13 @@ class Devise::ConfirmationsController < DeviseController
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
+    yield resource if block_given?
 
     if resource.errors.empty?
-      set_flash_message(:notice, :confirmed) if is_navigational_format?
-      sign_in(resource_name, resource)
+      set_flash_message(:notice, :confirmed) if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
-      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
+      respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
     end
   end
 
@@ -32,12 +33,19 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after resending confirmation instructions.
     def after_resending_confirmation_instructions_path_for(resource_name)
-      new_session_path(resource_name)
+      is_navigational_format? ? new_session_path(resource_name) : '/'
     end
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      after_sign_in_path_for(resource)
+      if signed_in?(resource_name)
+        signed_in_root_path(resource)
+      else
+        new_session_path(resource_name)
+      end
     end
 
+    def translation_scope
+      'devise.confirmations'
+    end
 end

data/app/controllers/devise/omniauth_callbacks_controller.rb

@@ -2,11 +2,11 @@ class Devise::OmniauthCallbacksController < DeviseController
   prepend_before_filter { request.env["devise.skip_timeout"] = true }
 
   def passthru
-    render :status => 404, :text => "Not found. Authentication passthru."
+    render status: 404, text: "Not found. Authentication passthru."
   end
 
   def failure
-    set_flash_message :alert, :failure, :kind => failed_strategy.name.to_s.humanize, :reason => failure_message
+    set_flash_message :alert, :failure, kind: OmniAuth::Utils.camelize(failed_strategy.name), reason: failure_message
     redirect_to after_omniauth_failure_path_for(resource_name)
   end
 
@@ -27,4 +27,8 @@ class Devise::OmniauthCallbacksController < DeviseController
   def after_omniauth_failure_path_for(scope)
     new_session_path(scope)
   end
+
+  def translation_scope
+    'devise.omniauth_callbacks'
+  end
 end

data/app/controllers/devise/passwords_controller.rb

@@ -1,19 +1,20 @@
 class Devise::PasswordsController < DeviseController
   prepend_before_filter :require_no_authentication
   # Render the #edit only if coming from a reset password email link
-  append_before_filter :assert_reset_token_passed, :only => :edit
+  append_before_filter :assert_reset_token_passed, only: :edit
 
   # GET /resource/password/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/password
   def create
     self.resource = resource_class.send_reset_password_instructions(resource_params)
+    yield resource if block_given?
 
     if successfully_sent?(resource)
-      respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name))
+      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
     else
       respond_with(resource)
     end
@@ -22,35 +23,58 @@ class Devise::PasswordsController < DeviseController
   # GET /resource/password/edit?reset_password_token=abcdef
   def edit
     self.resource = resource_class.new
+    set_minimum_password_length
     resource.reset_password_token = params[:reset_password_token]
   end
 
   # PUT /resource/password
   def update
     self.resource = resource_class.reset_password_by_token(resource_params)
+    yield resource if block_given?
 
     if resource.errors.empty?
-      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_navigational_format?
-      sign_in(resource_name, resource)
-      respond_with resource, :location => after_sign_in_path_for(resource)
+      resource.unlock_access! if unlockable?(resource)
+      if Devise.sign_in_after_reset_password
+        flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
+        set_flash_message(:notice, flash_message) if is_flashing_format?
+        sign_in(resource_name, resource)
+      else
+        set_flash_message(:notice, :updated_not_active) if is_flashing_format?
+      end
+      respond_with resource, location: after_resetting_password_path_for(resource)
     else
+      set_minimum_password_length
       respond_with resource
     end
   end
 
   protected
+    def after_resetting_password_path_for(resource)
+      Devise.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
+    end
 
     # The path used after sending reset password instructions
     def after_sending_reset_password_instructions_path_for(resource_name)
-      new_session_path(resource_name)
+      new_session_path(resource_name) if is_navigational_format?
     end
 
     # Check if a reset_password_token is provided in the request
     def assert_reset_token_passed
       if params[:reset_password_token].blank?
-        set_flash_message(:error, :no_token)
+        set_flash_message(:alert, :no_token)
         redirect_to new_session_path(resource_name)
       end
     end
+
+    # Check if proper Lockable module methods are present & unlock strategy
+    # allows to unlock resource on password reset
+    def unlockable?(resource)
+      resource.respond_to?(:unlock_access!) &&
+        resource.respond_to?(:unlock_strategy_enabled?) &&
+        resource.unlock_strategy_enabled?(:email)
+    end
+
+    def translation_scope
+      'devise.passwords'
+    end
 end

data/app/controllers/devise/registrations_controller.rb

@@ -1,29 +1,34 @@
 class Devise::RegistrationsController < DeviseController
-  prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ]
-  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
+  prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
+  prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]
 
   # GET /resource/sign_up
   def new
-    resource = build_resource({})
-    respond_with resource
+    build_resource({})
+    set_minimum_password_length
+    yield resource if block_given?
+    respond_with self.resource
   end
 
   # POST /resource
   def create
-    build_resource
+    build_resource(sign_up_params)
 
-    if resource.save
+    resource.save
+    yield resource if block_given?
+    if resource.persisted?
       if resource.active_for_authentication?
-        set_flash_message :notice, :signed_up if is_navigational_format?
-        sign_in(resource_name, resource)
-        respond_with resource, :location => after_sign_up_path_for(resource)
+        set_flash_message :notice, :signed_up if is_flashing_format?
+        sign_up(resource_name, resource)
+        respond_with resource, location: after_sign_up_path_for(resource)
       else
-        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-        expire_session_data_after_sign_in!
-        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
+        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+        expire_data_after_sign_in!
+        respond_with resource, location: after_inactive_sign_up_path_for(resource)
       end
     else
       clean_up_passwords resource
+      set_minimum_password_length
       respond_with resource
     end
   end
@@ -38,16 +43,18 @@ class Devise::RegistrationsController < DeviseController
   # the current user in place.
   def update
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
+    prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
-    if resource.update_with_password(resource_params)
-      if is_navigational_format?
-        if resource.respond_to?(:pending_reconfirmation?) && resource.pending_reconfirmation?
-          flash_key = :update_needs_confirmation
-        end
-        set_flash_message :notice, flash_key || :updated
+    resource_updated = update_resource(resource, account_update_params)
+    yield resource if block_given?
+    if resource_updated
+      if is_flashing_format?
+        flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
+          :update_needs_confirmation : :updated
+        set_flash_message :notice, flash_key
       end
-      sign_in resource_name, resource, :bypass => true
-      respond_with resource, :location => after_update_path_for(resource)
+      sign_in resource_name, resource, bypass: true
+      respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
       respond_with resource
@@ -58,7 +65,8 @@ class Devise::RegistrationsController < DeviseController
   def destroy
     resource.destroy
     Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
-    set_flash_message :notice, :destroyed if is_navigational_format?
+    set_flash_message :notice, :destroyed if is_flashing_format?
+    yield resource if block_given?
     respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
 
@@ -68,17 +76,34 @@ class Devise::RegistrationsController < DeviseController
   # cancel oauth signing in/up in the middle of the process,
   # removing all OAuth session data.
   def cancel
-    expire_session_data_after_sign_in!
+    expire_data_after_sign_in!
     redirect_to new_registration_path(resource_name)
   end
 
   protected
 
+  def update_needs_confirmation?(resource, previous)
+    resource.respond_to?(:pending_reconfirmation?) &&
+      resource.pending_reconfirmation? &&
+      previous != resource.unconfirmed_email
+  end
+
+  # By default we want to require a password checks on update.
+  # You can overwrite this method in your own RegistrationsController.
+  def update_resource(resource, params)
+    resource.update_with_password(params)
+  end
+
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
   def build_resource(hash=nil)
-    hash ||= resource_params || {}
-    self.resource = resource_class.new_with_session(hash, session)
+    self.resource = resource_class.new_with_session(hash || {}, session)
+  end
+
+  # Signs in a user on sign up. You can overwrite this method in your own
+  # RegistrationsController.
+  def sign_up(resource_name, resource)
+    sign_in(resource_name, resource)
   end
 
   # The path used after sign up. You need to overwrite this method
@@ -90,7 +115,10 @@ class Devise::RegistrationsController < DeviseController
   # The path used after sign up for inactive accounts. You need to overwrite
   # this method in your own RegistrationsController.
   def after_inactive_sign_up_path_for(resource)
-    respond_to?(:root_path) ? root_path : "/"
+    scope = Devise::Mapping.find_scope!(resource)
+    router_name = Devise.mappings[scope].router_name
+    context = router_name ? send(router_name) : self
+    context.respond_to?(:root_path) ? context.root_path : "/"
   end
 
   # The default url to be used after updating a resource. You need to overwrite
@@ -101,7 +129,19 @@ class Devise::RegistrationsController < DeviseController
 
   # Authenticates the current scope and gets the current resource from the session.
   def authenticate_scope!
-    send(:"authenticate_#{resource_name}!", :force => true)
+    send(:"authenticate_#{resource_name}!", force: true)
     self.resource = send(:"current_#{resource_name}")
   end
+
+  def sign_up_params
+    devise_parameter_sanitizer.sanitize(:sign_up)
+  end
+
+  def account_update_params
+    devise_parameter_sanitizer.sanitize(:account_update)
+  end
+
+  def translation_scope
+    'devise.registrations'
+  end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -1,50 +1,81 @@
 class Devise::SessionsController < DeviseController
-  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
-  prepend_before_filter :allow_params_authentication!, :only => :create
-  prepend_before_filter { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter :require_no_authentication, only: [:new, :create]
+  prepend_before_filter :allow_params_authentication!, only: :create
+  prepend_before_filter :verify_signed_out_user, only: :destroy
+  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new
-    resource = build_resource(nil, :unsafe => true)
+    self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
+    yield resource if block_given?
     respond_with(resource, serialize_options(resource))
   end
 
   # POST /resource/sign_in
   def create
-    resource = warden.authenticate!(auth_options)
-    set_flash_message(:notice, :signed_in) if is_navigational_format?
+    self.resource = warden.authenticate!(auth_options)
+    set_flash_message(:notice, :signed_in) if is_flashing_format?
     sign_in(resource_name, resource)
-    respond_with resource, :location => after_sign_in_path_for(resource)
+    yield resource if block_given?
+    respond_with resource, location: after_sign_in_path_for(resource)
   end
 
   # DELETE /resource/sign_out
   def destroy
-    redirect_path = after_sign_out_path_for(resource_name)
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out
-
-    # We actually need to hardcode this as Rails default responder doesn't
-    # support returning empty response on GET request
-    respond_to do |format|
-      format.any(*navigational_formats) { redirect_to redirect_path }
-      format.all do
-        head :no_content
-      end
-    end
+    set_flash_message :notice, :signed_out if signed_out && is_flashing_format?
+    yield if block_given?
+    respond_to_on_destroy
   end
 
   protected
 
+  def sign_in_params
+    devise_parameter_sanitizer.sanitize(:sign_in)
+  end
+
   def serialize_options(resource)
     methods = resource_class.authentication_keys.dup
     methods = methods.keys if methods.is_a?(Hash)
     methods << :password if resource.respond_to?(:password)
-    { :methods => methods, :only => [:password] }
+    { methods: methods, only: [:password] }
   end
 
   def auth_options
-    { :scope => resource_name, :recall => "#{controller_path}#new" }
+    { scope: resource_name, recall: "#{controller_path}#new" }
   end
-end
 
+  def translation_scope
+    'devise.sessions'
+  end
+
+  private
+
+  # Check if there is no signed in user before doing the sign out.
+  #
+  # If there is no signed in user, it will set the flash message and redirect
+  # to the after_sign_out path.
+  def verify_signed_out_user
+    if all_signed_out?
+      set_flash_message :notice, :already_signed_out if is_flashing_format?
+
+      respond_to_on_destroy
+    end
+  end
+
+  def all_signed_out?
+    users = Devise.mappings.keys.map { |s| warden.user(scope: s, run_callbacks: false) }
+
+    users.all?(&:blank?)
+  end
+
+  def respond_to_on_destroy
+    # We actually need to hardcode this as Rails default responder doesn't
+    # support returning empty response on GET request
+    respond_to do |format|
+      format.all { head :no_content }
+      format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
+    end
+  end
+end

data/app/controllers/devise/unlocks_controller.rb

@@ -3,15 +3,16 @@ class Devise::UnlocksController < DeviseController
 
   # GET /resource/unlock/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/unlock
   def create
     self.resource = resource_class.send_unlock_instructions(resource_params)
+    yield resource if block_given?
 
     if successfully_sent?(resource)
-      respond_with({}, :location => after_sending_unlock_instructions_path_for(resource))
+      respond_with({}, location: after_sending_unlock_instructions_path_for(resource))
     else
       respond_with(resource)
     end
@@ -20,12 +21,13 @@ class Devise::UnlocksController < DeviseController
   # GET /resource/unlock?unlock_token=abcdef
   def show
     self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
+    yield resource if block_given?
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked if is_navigational_format?
+      set_flash_message :notice, :unlocked if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
-      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
+      respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
     end
   end
 
@@ -33,12 +35,15 @@ class Devise::UnlocksController < DeviseController
 
     # The path used after sending unlock password instructions
     def after_sending_unlock_instructions_path_for(resource)
-      new_session_path(resource)
+      new_session_path(resource) if is_navigational_format?
     end
 
     # The path used after unlocking the resource
     def after_unlock_path_for(resource)
-      new_session_path(resource)
+      new_session_path(resource)  if is_navigational_format?
     end
 
+    def translation_scope
+      'devise.unlocks'
+    end
 end