devise 2.1.4 → 2.2.0.rc

data/app/controllers/devise/sessions_controller.rb

@@ -5,14 +5,14 @@ class Devise::SessionsController < DeviseController
 
   # GET /resource/sign_in
   def new
-    resource = build_resource(nil, :unsafe => true)
+    self.resource = build_resource(nil, :unsafe => true)
     clean_up_passwords(resource)
     respond_with(resource, serialize_options(resource))
   end
 
   # POST /resource/sign_in
   def create
-    resource = warden.authenticate!(auth_options)
+    self.resource = warden.authenticate!(auth_options)
     set_flash_message(:notice, :signed_in) if is_navigational_format?
     sign_in(resource_name, resource)
     respond_with resource, :location => after_sign_in_path_for(resource)
@@ -22,7 +22,7 @@ class Devise::SessionsController < DeviseController
   def destroy
     redirect_path = after_sign_out_path_for(resource_name)
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out
+    set_flash_message :notice, :signed_out if signed_out && is_navigational_format?
 
     # We actually need to hardcode this as Rails default responder doesn't
     # support returning empty response on GET request

data/app/controllers/devise_controller.rb

@@ -10,7 +10,7 @@ class DeviseController < Devise.parent_controller.constantize
   helper_method *helpers
 
   prepend_before_filter :assert_is_devise_resource!
-  respond_to *Mime::SET.map(&:to_sym) if mimes_for_respond_to.empty?
+  respond_to :html if mimes_for_respond_to.empty?
 
   # Gets the actual resource stored in the instance variable
   def resource
@@ -72,7 +72,7 @@ This may happen for two reasons:
 
 2) You are testing a Devise controller bypassing the router.
    If so, you can explicitly tell Devise which mapping to use:
-   
+
    @request.env["devise.mapping"] = Devise.mappings[:user]
 
 MESSAGE
@@ -168,7 +168,7 @@ MESSAGE
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
     options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-    message = I18n.t("#{resource_name}.#{kind}", options)
+    message = I18n.t("#{options[:resource_name]}.#{kind}", options)
     flash[key] = message if message.present?
   end
 
@@ -181,12 +181,4 @@ MESSAGE
       format.any(*navigational_formats, &block)
     end
   end
-
-  def request_format
-    @request_format ||= request.format.try(:ref)
-  end
-
-  def is_navigational_format?
-    Devise.navigational_formats.include?(request.format.try(:ref))
-  end
 end

data/app/views/devise/confirmations/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
 
   <div><%= f.submit "Resend confirmation instructions" %></div>
 <% end %>

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -1,4 +1,4 @@
-<p>Welcome <%= @resource.email %>!</p>
+<p>Welcome <%= @email %>!</p>
 
 <p>You can confirm your account email through the link below:</p>
 

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -1,6 +1,6 @@
 <p>Hello <%= @resource.email %>!</p>
 
-<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
 
 <p>Click the link below to unlock your account:</p>
 

data/app/views/devise/passwords/edit.html.erb

@@ -5,7 +5,7 @@
   <%= f.hidden_field :reset_password_token %>
 
   <div><%= f.label :password, "New password" %><br />
-  <%= f.password_field :password %></div>
+  <%= f.password_field :password, :autofocus => true %></div>
 
   <div><%= f.label :password_confirmation, "Confirm new password" %><br />
   <%= f.password_field :password_confirmation %></div>

data/app/views/devise/passwords/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
 
   <div><%= f.submit "Send me reset password instructions" %></div>
 <% end %>

data/app/views/devise/registrations/edit.html.erb

@@ -4,7 +4,11 @@
   <%= devise_error_messages! %>
 
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
+
+  <% if resource.class.reconfirmable && resource.unconfirmed_email.present? %>
+    <div>Currently waiting confirmation for: <%= resource.unconfirmed_email %></div>
+  <% end %>
 
   <div><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
   <%= f.password_field :password, :autocomplete => "off" %></div>

data/app/views/devise/registrations/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
 
   <div><%= f.label :password %><br />
   <%= f.password_field :password %></div>

data/app/views/devise/sessions/new.html.erb

@@ -2,7 +2,7 @@
 
 <%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
 
   <div><%= f.label :password %><br />
   <%= f.password_field :password %></div>

data/app/views/devise/unlocks/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
+  <%= f.email_field :email, :autofocus => true %></div>
 
   <div><%= f.submit "Resend unlock instructions" %></div>
 <% end %>

data/config/locales/en.yml

@@ -10,6 +10,7 @@ en:
       not_saved:
         one: "1 error prohibited this %{resource} from being saved:"
         other: "%{count} errors prohibited this %{resource} from being saved:"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
 
   devise:
     failure:
@@ -17,6 +18,7 @@ en:
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'
+      not_found_in_database: 'Invalid email or password.'
       invalid: 'Invalid email or password.'
       invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'

data/gemfiles/Gemfile.rails-3.1.x

@@ -28,8 +28,6 @@ platforms :ruby do
   gem "sqlite3"
 
   group :mongoid do
-    gem "mongo", "~> 1.3.0"
-    gem "mongoid", "~> 2.0"
-    gem "bson_ext", "~> 1.3.0"
+    gem "mongoid", "~> 3.0"
   end
 end

data/gemfiles/Gemfile.rails-3.1.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (2.1.4)
+    devise (2.1.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
@@ -40,9 +40,7 @@ GEM
       multi_json (~> 1.0)
     addressable (2.2.7)
     arel (2.2.3)
-    bcrypt-ruby (3.1.1)
-    bson (1.5.2)
-    bson_ext (1.3.1)
+    bcrypt-ruby (3.0.1)
     builder (3.0.0)
     columnize (0.3.6)
     erubis (2.7.0)
@@ -64,12 +62,12 @@ GEM
     mime-types (1.18)
     mocha (0.10.4)
       metaclass (~> 0.0.1)
-    mongo (1.3.1)
-      bson (>= 1.3.1)
-    mongoid (2.4.4)
+    mongoid (3.0.12)
       activemodel (~> 3.1)
-      mongo (~> 1.3)
+      moped (~> 1.1)
+      origin (~> 1.0)
       tzinfo (~> 0.3.22)
+    moped (1.2.9)
     multi_json (1.3.4)
     multipart-post (1.1.5)
     nokogiri (1.5.0)
@@ -87,6 +85,7 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
+    origin (1.0.10)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
     rack (1.3.6)
@@ -137,7 +136,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.33)
-    warden (1.2.3)
+    warden (1.2.1)
       rack (>= 1.0)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
@@ -150,12 +149,10 @@ PLATFORMS
 DEPENDENCIES
   activerecord-jdbc-adapter
   activerecord-jdbcsqlite3-adapter
-  bson_ext (~> 1.3.0)
   devise!
   jruby-openssl
   mocha
-  mongo (~> 1.3.0)
-  mongoid (~> 2.0)
+  mongoid (~> 3.0)
   omniauth (~> 1.0.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)

data/lib/devise.rb

@@ -6,11 +6,12 @@ require 'set'
 require 'securerandom'
 
 module Devise
-  autoload :Delegator,   'devise/delegator'
-  autoload :FailureApp,  'devise/failure_app'
-  autoload :OmniAuth,    'devise/omniauth'
-  autoload :ParamFilter, 'devise/param_filter'
-  autoload :TestHelpers, 'devise/test_helpers'
+  autoload :Delegator,     'devise/delegator'
+  autoload :FailureApp,    'devise/failure_app'
+  autoload :OmniAuth,      'devise/omniauth'
+  autoload :ParamFilter,   'devise/param_filter'
+  autoload :TestHelpers,   'devise/test_helpers'
+  autoload :TimeInflector, 'devise/time_inflector'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -86,7 +87,7 @@ module Devise
   # an one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   mattr_accessor :email_regexp
-  @@email_regexp = /\A[^@]+@([^@\.]+\.)+[^@\.]+\z/
+  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\s]+\z/
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -104,6 +105,10 @@ module Devise
   mattr_accessor :allow_unconfirmed_access_for
   @@allow_unconfirmed_access_for = 0.days
 
+  # Time interval the confirmation token is valid. nil = unlimited
+  mattr_accessor :confirm_within
+  @@confirm_within = nil
+
   # Defines which key will be used when confirming an account.
   mattr_accessor :confirmation_keys
   @@confirmation_keys = [ :email ]
@@ -199,7 +204,7 @@ module Devise
   # to provide custom routes.
   mattr_accessor :router_name
   @@router_name = nil
-  
+
   # Set the omniauth path prefix so it can be overriden when
   # Devise is used in a mountable engine
   mattr_accessor :omniauth_path_prefix

data/lib/devise/controllers/helpers.rb

@@ -162,8 +162,8 @@ module Devise
         users.any?
       end
 
-      # Returns and delete the url stored in the session for the given scope. Useful
-      # for giving redirect backs after sign up:
+      # Returns and delete (if it's navigational format) the url stored in the session for
+      # the given scope. Useful for giving redirect backs after sign up:
       #
       # Example:
       #
@@ -171,7 +171,12 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete("#{scope}_return_to")
+
+        if is_navigational_format?
+          session.delete("#{scope}_return_to")
+        else
+          session["#{scope}_return_to"]
+        end
       end
 
       # The scope root url to be used when he's signed in. By default, it first
@@ -262,6 +267,14 @@ module Devise
         super # call the default behaviour which resets the session
       end
 
+      def request_format
+        @request_format ||= request.format.try(:ref)
+      end
+
+      def is_navigational_format?
+        Devise.navigational_formats.include?(request_format)
+      end
+
       private
 
       def expire_devise_cached_variables!

data/lib/devise/mailers/helpers.rb

@@ -28,8 +28,9 @@ module Devise
       def headers_for(action)
         headers = {
           :subject       => translate(devise_mapping, action),
-          :from          => mailer_sender(devise_mapping),
           :to            => resource.email,
+          :from          => mailer_sender(devise_mapping),
+          :reply_to      => mailer_reply_to(devise_mapping),
           :template_path => template_paths
         }
 
@@ -37,16 +38,21 @@ module Devise
           headers.merge!(resource.headers_for(action))
         end
 
-        unless headers.key?(:reply_to)
-          headers[:reply_to] = headers[:from]
-        end
-
+        @email = headers[:to]
         headers
       end
 
-      def mailer_sender(mapping)
-        if default_params[:from].present?
-          default_params[:from]
+      def mailer_reply_to(mapping)
+        mailer_sender(mapping, :reply_to)
+      end
+
+      def mailer_from(mapping)
+        mailer_sender(mapping, :from)
+      end
+
+      def mailer_sender(mapping, sender = :from)
+        if default_params[sender].present?
+          default_params[sender]
         elsif Devise.mailer_sender.is_a?(Proc)
           Devise.mailer_sender.call(mapping.name)
         else

data/lib/devise/models/authenticatable.rb

@@ -164,11 +164,15 @@ module Devise
       end
 
       def downcase_keys
-        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
+        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase!) }
       end
 
       def strip_whitespace
-        self.class.strip_whitespace_keys.each { |k| self[k].try(:strip!) }
+        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip!) }
+      end
+
+      def apply_to_attribute_or_variable(attr, method)
+        (self[attr] || send(attr)).try(method)
       end
 
       module ClassMethods
@@ -199,26 +203,27 @@ module Devise
         # it may be wrapped as well. For instance, database authenticatable
         # provides a `find_for_database_authentication` that wraps a call to
         # this method. This allows you to customize both database authenticatable
-        # or the whole authenticate stack by customize `find_for_authentication.` 
+        # or the whole authenticate stack by customize `find_for_authentication.`
         #
         # Overwrite to add customized conditions, create a join, or maybe use a
         # namedscope to filter records while authenticating.
         # Example:
         #
-        #   def self.find_for_authentication(tainted_conditions)
-        #     find_first_by_auth_conditions(tainted_conditions, :active => true)
+        #   def self.find_for_authentication(conditions={})
+        #     conditions[:active] = true
+        #     super
         #   end
         #
         # Finally, notice that Devise also queries for users in other scenarios
         # besides authentication, for example when retrieving an user to send
         # an e-mail for password reset. In such cases, find_for_authentication
         # is not called.
-        def find_for_authentication(tainted_conditions)
-          find_first_by_auth_conditions(tainted_conditions)
+        def find_for_authentication(conditions)
+          find_first_by_auth_conditions(conditions)
         end
 
-        def find_first_by_auth_conditions(tainted_conditions, opts={})
-          to_adapter.find_first(devise_param_filter.filter(tainted_conditions).merge(opts))
+        def find_first_by_auth_conditions(conditions)
+          to_adapter.find_first devise_param_filter.filter(conditions)
         end
 
         # Find an initialize a record setting an error if it can't be found.

data/lib/devise/models/confirmable.rb

@@ -19,6 +19,8 @@ module Devise
     #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
     #     stored in unconfirmed email column, and copied to email column on successful
     #     confirmation.
+    #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
+    #     You can use this to force the user to confirm within a set period of time.
     #
     # == Examples
     #
@@ -28,6 +30,7 @@ module Devise
     #
     module Confirmable
       extend ActiveSupport::Concern
+      include ActionView::Helpers::DateHelper
 
       included do
         before_create :generate_confirmation_token, :if => :confirmation_required?
@@ -47,6 +50,12 @@ module Devise
       # add errors
       def confirm!
         pending_any_confirmation do
+          if confirmation_period_expired?
+            self.errors.add(:email, :confirmation_period_expired,
+              :period => Devise::TimeInflector.time_ago_in_words(self.class.confirm_within.ago))
+            return false
+          end
+
           self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
@@ -83,7 +92,10 @@ module Devise
 
       # Resend confirmation token. This method does not need to generate a new token.
       def resend_confirmation_token
-        pending_any_confirmation { send_confirmation_instructions }
+        pending_any_confirmation do
+          self.confirmation_token = nil if confirmation_period_expired?
+          send_confirmation_instructions
+        end
       end
 
       # Overwrites active_for_authentication? for confirmation
@@ -156,9 +168,25 @@ module Devise
           confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
+        # Checks if the user confirmation happens before the token becomes invalid
+        # Examples:
+        #
+        #   # confirm_within = 3.days and confirmation_sent_at = 2.days.ago
+        #   confirmation_period_expired?  # returns false
+        #
+        #   # confirm_within = 3.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_expired?  # returns true
+        #
+        #   # confirm_within = nil
+        #   confirmation_period_expired?  # will always return false
+        #
+        def confirmation_period_expired?
+          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
+        end
+
         # Checks whether the record requires any confirmation.
         def pending_any_confirmation
-          if !confirmed? || pending_reconfirmation?
+          if (!confirmed? || pending_reconfirmation?)
             yield
           else
             self.errors.add(:email, :already_confirmed)
@@ -177,6 +205,11 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
+
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email
@@ -230,7 +263,7 @@ module Devise
           find_or_initialize_with_errors(unconfirmed_required_attributes, unconfirmed_attributes, :not_found)
         end
 
-        Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable)
+        Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable, :confirm_within)
       end
     end
   end