devise 2.1.4 → 2.2.0.rc

data/lib/devise/models/database_authenticatable.rb

@@ -64,6 +64,7 @@ module Devise
         result = if valid_password?(current_password)
           update_attributes(params, *options)
         else
+          params.delete(:password)
           self.assign_attributes(params, *options)
           self.valid?
           self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
@@ -75,7 +76,7 @@ module Devise
       end
 
       # Updates record attributes without asking for the current password.
-      # Never allows to change the current password. If you are using this
+      # Never allows a change to the current password. If you are using this
       # method, you should probably override this method to protect other
       # attributes you would not like to be updated without a password.
       #

data/lib/devise/models/lockable.rb

@@ -27,7 +27,7 @@ module Devise
       def self.required_fields(klass)
         attributes = []
         attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
-        attributes << :unlock_at if klass.unlock_strategy_enabled?(:time)
+        attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
         attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
 
         attributes
@@ -105,7 +105,11 @@ module Devise
       end
 
       def unauthenticated_message
-        if lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+        # If set to paranoid mode, do not show the locked message because it
+        # leaks the existence of an account.
+        if Devise.paranoid
+          super
+        elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
           :locked
         else
           super

data/lib/devise/models/recoverable.rb

@@ -102,9 +102,9 @@ module Devise
 
       module ClassMethods
         # Attempt to find a user by its email. If a record is found, send new
-        # password instructions to it. If not user is found, returns a new user
+        # password instructions to it. If user is not found, returns a new user
         # with an email not found error.
-        # Attributes must contain the user email
+        # Attributes must contain the user's email
         def send_reset_password_instructions(attributes={})
           recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?

data/lib/devise/models/token_authenticatable.rb

@@ -18,6 +18,18 @@ module Devise
     # If you want to delete the token after it is used, you can do so in the
     # after_token_authentication callback.
     #
+    # == APIs
+    #
+    # If you are using token authentication with APIs and using trackable. Every
+    # request will be considered as a new sign in (since there is no session in
+    # APIs). You can disable this by creating a before filter as follow:
+    #
+    #   before_filter :skip_trackable
+    #
+    #   def skip_trackable
+    #     request.env['devise.skip_trackable'] = true
+    #   end
+    #
     # == Options
     #
     # TokenAuthenticatable adds the following options to devise_for:

data/lib/devise/models/trackable.rb

@@ -20,7 +20,7 @@ module Devise
         self.last_sign_in_at     = old_current || new_current
         self.current_sign_in_at  = new_current
 
-        old_current, new_current = self.current_sign_in_ip, request.ip
+        old_current, new_current = self.current_sign_in_ip, request.remote_ip
         self.last_sign_in_ip     = old_current || new_current
         self.current_sign_in_ip  = new_current
 

data/lib/devise/models/validatable.rb

@@ -10,7 +10,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 6..128.
+    #   * +password_length+: a range expressing password length. Defaults to 8..128.
     #
     module Validatable
       # All validations used by this module.

data/lib/devise/param_filter.rb

@@ -33,8 +33,9 @@ module Devise
 
     private
 
+    # Determine which values should be transformed to string or passed as-is to the query builder underneath
     def param_requires_string_conversion?(value)
-      true
+      [Fixnum, TrueClass, FalseClass, Regexp].none? {|clz| value.is_a? clz }
     end
   end
 end

data/lib/devise/rails/routes.rb

@@ -43,20 +43,20 @@ module ActionDispatch::Routing
     # needed routes:
     #
     #  # Session routes for Authenticatable (default)
-    #       new_user_session GET  /users/sign_in                    {:controller=>"devise/sessions", :action=>"new"}
-    #           user_session POST /users/sign_in                    {:controller=>"devise/sessions", :action=>"create"}
-    #   destroy_user_session GET  /users/sign_out                   {:controller=>"devise/sessions", :action=>"destroy"}
+    #       new_user_session GET    /users/sign_in                    {:controller=>"devise/sessions", :action=>"new"}
+    #           user_session POST   /users/sign_in                    {:controller=>"devise/sessions", :action=>"create"}
+    #   destroy_user_session DELETE /users/sign_out                   {:controller=>"devise/sessions", :action=>"destroy"}
     #
     #  # Password routes for Recoverable, if User model has :recoverable configured
-    #      new_user_password GET  /users/password/new(.:format)     {:controller=>"devise/passwords", :action=>"new"}
-    #     edit_user_password GET  /users/password/edit(.:format)    {:controller=>"devise/passwords", :action=>"edit"}
-    #          user_password PUT  /users/password(.:format)         {:controller=>"devise/passwords", :action=>"update"}
-    #                        POST /users/password(.:format)         {:controller=>"devise/passwords", :action=>"create"}
+    #      new_user_password GET    /users/password/new(.:format)     {:controller=>"devise/passwords", :action=>"new"}
+    #     edit_user_password GET    /users/password/edit(.:format)    {:controller=>"devise/passwords", :action=>"edit"}
+    #          user_password PUT    /users/password(.:format)         {:controller=>"devise/passwords", :action=>"update"}
+    #                        POST   /users/password(.:format)         {:controller=>"devise/passwords", :action=>"create"}
     #
     #  # Confirmation routes for Confirmable, if User model has :confirmable configured
-    #  new_user_confirmation GET  /users/confirmation/new(.:format) {:controller=>"devise/confirmations", :action=>"new"}
-    #      user_confirmation GET  /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
-    #                        POST /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
+    #  new_user_confirmation GET    /users/confirmation/new(.:format) {:controller=>"devise/confirmations", :action=>"new"}
+    #      user_confirmation GET    /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
+    #                        POST   /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
     #
     # ==== Options
     #
@@ -183,7 +183,7 @@ module ActionDispatch::Routing
     #      end
     #    end
     #
-    # In order to get Devise to recognize the deactivate action, your devise_for entry should look like this,
+    # In order to get Devise to recognize the deactivate action, your devise_scope entry should look like this:
     #
     #     devise_scope :owner do
     #       post "deactivate", :to => "registrations#deactivate", :as => "deactivate_registration"

data/lib/devise/strategies/database_authenticatable.rb

@@ -6,7 +6,7 @@ module Devise
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
         resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        return fail(:invalid) unless resource
+        return fail(:not_found_in_database) unless resource
 
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication

data/lib/devise/test_helpers.rb

@@ -45,6 +45,7 @@ module Devise
     def sign_in(resource_or_scope, resource=nil)
       scope    ||= Devise::Mapping.find_scope!(resource_or_scope)
       resource ||= resource_or_scope
+      warden.instance_variable_get(:@users).delete(scope)
       warden.session_serializer.store(resource, scope)
     end
 
@@ -106,8 +107,8 @@ module Devise
         env["warden.options"] = options
         Warden::Manager._run_callbacks(:before_failure, env, options)
 
-        status, headers, body = Devise.warden_config[:failure_app].call(env).to_a
-        @controller.send :render, :status => status, :text => body,
+        status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
+        @controller.send :render, :status => status, :text => response.body,
           :content_type => headers["Content-Type"], :location => headers["Location"]
         nil # causes process return @response
       end

data/lib/devise/time_inflector.rb

@@ -0,0 +1,14 @@
+require "active_support/core_ext/module/delegation"
+
+module Devise
+  class TimeInflector
+    include ActionView::Helpers::DateHelper
+
+    class << self
+      attr_reader :instance
+      delegate :time_ago_in_words, :to => :instance
+    end
+
+    @instance = new
+  end
+end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.1.4".freeze
+  VERSION = "2.2.0.rc".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -27,7 +27,11 @@ module ActiveRecord
   attr_accessible :email, :password, :password_confirmation, :remember_me
 CONTENT
 
-        class_path = class_name.to_s.split("::")
+        class_path = if namespaced?
+          class_name.to_s.split("::")
+        else
+          [class_name]
+        end
 
         indent_depth = class_path.size - 1
         content = content.split("\n").map { |line| "  " * indent_depth + line } .join("\n") << "\n"

data/lib/generators/mongoid/devise_generator.rb

@@ -22,9 +22,6 @@ module Mongoid
   ## Database authenticatable
   field :email,              :type => String, :default => ""
   field :encrypted_password, :type => String, :default => ""
-
-  validates_presence_of :email
-  validates_presence_of :encrypted_password
   
   ## Recoverable
   field :reset_password_token,   :type => String

data/lib/generators/templates/README

@@ -21,11 +21,15 @@ Some setup you must do manually if you haven't yet:
        <p class="notice"><%= notice %></p>
        <p class="alert"><%= alert %></p>
 
-  4. If you are deploying Rails 3.1 on Heroku, you may want to set:
+  4. If you are deploying Rails 3.1+ on Heroku, you may want to set:
 
        config.assets.initialize_on_precompile = false
 
      On config/application.rb forcing your application to not access the DB
      or load models when precompiling your assets.
 
+  5. You can copy Devise views (for customization) to your app by running:
+
+       rails g devise:views
+
 ===============================================================================

data/lib/generators/templates/devise.rb

@@ -92,6 +92,14 @@ Devise.setup do |config|
   # the user cannot access the website without confirming his account.
   # config.allow_unconfirmed_access_for = 2.days
 
+  # A period that the user is allowed to confirm their account before their
+  # token becomes invalid. For example, if set to 3.days, the user can confirm
+  # their account within 3 days after the mail was sent, but on the fourth day
+  # their account can't be confirmed with the token any more.
+  # Default is nil, meaning there is no restriction on how long a user can take
+  # before confirming their account.
+  # config.confirm_within = 3.days
+
   # If true, requires any email changes to be confirmed (exactly the same way as
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed new email is stored in
@@ -113,8 +121,8 @@ Devise.setup do |config|
   # config.rememberable_options = {}
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..128.
-  # config.password_length = 6..128
+  # Range for password length. Default is 8..128.
+  config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that
   # an one (and only one) @ exists in the given string. This is mainly
@@ -125,7 +133,7 @@ Devise.setup do |config|
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
   # config.timeout_in = 30.minutes
-  
+
   # If true, expires auth token on session timeout.
   # config.expire_auth_token_on_timeout = false
 
@@ -229,4 +237,4 @@ Devise.setup do |config|
   # When using omniauth, Devise cannot automatically set Omniauth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = "/my_engine/users/auth"
-end
+end

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -1,4 +1,4 @@
-Welcome <%= @resource.email %>!
+Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -1,6 +1,6 @@
 Hello <%= @resource.email %>!
 
-Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+Your account has been locked due to an excessive number of unsuccessful sign in attempts.
 
 Click the link below to unlock your account:
 

data/lib/generators/templates/simple_form_for/confirmations/new.html.erb

@@ -2,9 +2,10 @@
 
 <%= simple_form_for(resource, :as => resource_name, :url => confirmation_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= f.error_notification %>
+  <%= f.full_error :confirmation_token %>
 
   <div class="form-inputs">
-    <%= f.input :email, :required => true %>
+    <%= f.input :email, :required => true, :autofocus => true %>
   </div>
 
   <div class="form-actions">

data/lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -7,7 +7,7 @@
   <%= f.full_error :reset_password_token %>
 
   <div class="form-inputs">
-    <%= f.input :password, :label => "New password", :required => true %>
+    <%= f.input :password, :label => "New password", :required => true, :autofocus => true %>
     <%= f.input :password_confirmation, :label => "Confirm your new password", :required => true %>
   </div>
 

data/lib/generators/templates/simple_form_for/passwords/new.html.erb

@@ -4,7 +4,7 @@
   <%= f.error_notification %>
 
   <div class="form-inputs">
-    <%= f.input :email, :required => true %>
+    <%= f.input :email, :required => true, :autofocus => true %>
   </div>
 
   <div class="form-actions">

data/lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -5,6 +5,11 @@
 
   <div class="form-inputs">
     <%= f.input :email, :required => true, :autofocus => true %>
+
+    <% if resource.class.reconfirmable && resource.unconfirmed_email.present? %>
+      <p>Currently waiting confirmation for: <%= resource.unconfirmed_email %></p>
+    <% end %>
+
     <%= f.input :password, :autocomplete => "off", :hint => "leave it blank if you don't want to change it", :required => false %>
     <%= f.input :password_confirmation, :required => false %>
     <%= f.input :current_password, :hint => "we need your current password to confirm your changes", :required => true %>

data/lib/generators/templates/simple_form_for/unlocks/new.html.erb

@@ -2,9 +2,10 @@
 
 <%= simple_form_for(resource, :as => resource_name, :url => unlock_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= f.error_notification %>
+  <%= f.full_error :unlock_token %>
 
   <div class="form-inputs">
-    <%= f.input :email, :required => true %>
+    <%= f.input :email, :required => true, :autofocus => true %>
   </div>
 
   <div class="form-actions">

data/test/controllers/internal_helpers_test.rb

@@ -95,6 +95,12 @@ class HelpersTest < ActionController::TestCase
     assert_equal 'devise custom options', flash[:notice]
   end
 
+  test 'allows custom i18n options to override resource_name' do
+    I18n.expects(:t).with("custom_resource_name.confirmed", anything)
+    @controller.stubs(:devise_i18n_options).returns(:resource_name => "custom_resource_name")
+    @controller.send :set_flash_message, :notice, :confirmed
+  end
+
   test 'navigational_formats not returning a wild card' do
     MyController.send(:public, :navigational_formats)
     Devise.navigational_formats = [:"*/*", :html]

data/test/controllers/sessions_controller_test.rb

@@ -13,6 +13,34 @@ class SessionsControllerTest < ActionController::TestCase
     end
   end
 
+  test "#create delete the url stored in the session if the requested format is navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    request.session["user_return_to"] = 'foo.bar'
+
+    user = create_user
+    user.confirm!
+    post :create, :user => {
+      :email => user.email,
+      :password => user.password
+    }
+
+    assert_nil request.session["user_return_to"]
+  end
+
+  test "#create doesn't delete the url stored in the session if the requested format is not navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    request.session["user_return_to"] = 'foo.bar'
+
+    user = create_user
+    user.confirm!
+    post :create, :format => 'json', :user => {
+      :email => user.email,
+      :password => user.password
+    }
+
+    assert_equal 'foo.bar', request.session["user_return_to"]
+  end
+
   test "#create doesn't raise exception after Warden authentication fails when TestHelpers included" do
     request.env["devise.mapping"] = Devise.mappings[:user]
     post :create, :user => {
@@ -23,6 +51,20 @@ class SessionsControllerTest < ActionController::TestCase
     assert_template "devise/sessions/new"
   end
 
+  test "#destroy doesn't set the flash if the requested format is not navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    user = create_user
+    user.confirm!
+    post :create, :format => 'json', :user => {
+      :email => user.email,
+      :password => user.password
+    }
+
+    delete :destroy, :format => 'json'
+    assert flash[:notice].blank?, "flash[:notice] should be blank, not #{flash[:notice].inspect}"
+    assert_equal 204, @response.status
+  end
+
   if defined?(ActiveRecord) && ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
     test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
       request.env["devise.mapping"] = Devise.mappings[:user]
@@ -40,4 +82,4 @@ class SessionsControllerTest < ActionController::TestCase
       end
     end
   end
-end
+end

data/test/devise_test.rb

@@ -68,5 +68,16 @@ class DeviseTest < ActiveSupport::TestCase
     end
     assert_not Devise.secure_compare("size_1", "size_four")
   end
-  
+
+  test 'Devise.email_regexp should match valid email addresses' do
+    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua"]
+    non_valid_emails = ["rex", "test@go,com", "test user@example.com", "test_user@example server.com"]
+
+    valid_emails.each do |email|
+      assert_match Devise.email_regexp, email
+    end
+    non_valid_emails.each do |email|
+      assert_no_match Devise.email_regexp, email
+    end
+  end
 end

data/test/generators/active_record_generator_test.rb

@@ -14,6 +14,12 @@ if DEVISE_ORM == :active_record
       assert_migration "db/migrate/devise_create_monsters.rb", /def change/
     end
 
+    test "all files for namespaced model are properly created" do
+      run_generator %w(admin/monster)
+      assert_file "app/models/admin/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
+      assert_migration "db/migrate/devise_create_admin_monsters.rb", /def change/
+    end
+
     test "update model migration when model exists" do
       run_generator %w(monster)
       assert_file "app/models/monster.rb"
@@ -66,4 +72,4 @@ if DEVISE_ORM == :active_record
       end
     end
   end
-end
+end