devise 2.1.4 → 2.2.0.rc

data/test/integration/authenticatable_test.rb

@@ -456,7 +456,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert_match '<?xml version="1.0" encoding="UTF-8"?>', response.body
     assert_match /<user>.*<\/user>/m, response.body
     assert_match '<email></email>', response.body
-    assert_match '<password nil="true"></password>', response.body
+    assert_match '<password nil="true"', response.body
   end
 
   test 'sign in stub in json format' do
@@ -483,7 +483,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 
   test 'sign in with xml format returns xml response' do
     create_user
-    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '12345678'}
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
@@ -493,13 +493,13 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert_response :success
 
     create_user
-    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '12345678'}
     assert_response :success
 
     get new_user_session_path(:format => 'xml')
     assert_response :success
 
-    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '12345678'}
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end

data/test/integration/confirmable_test.rb

@@ -50,6 +50,30 @@ class ConfirmationTest < ActionController::IntegrationTest
     assert user.reload.confirmed?
   end
 
+  test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
+    swap Devise, :confirm_within => 3.days do
+      user = create_user(:confirm => false, :confirmation_sent_at => 4.days.ago)
+      assert_not user.confirmed?
+      visit_user_confirmation_with_token(user.confirmation_token)
+
+      assert_have_selector '#error_explanation'
+      assert_contain /needs to be confirmed within 3 days/
+      assert_not user.reload.confirmed?
+    end
+  end
+
+  test 'user with valid confirmation token should be able to confirm an account before the token has expired' do
+    swap Devise, :confirm_within => 3.days do
+      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
+      assert_not user.confirmed?
+      visit_user_confirmation_with_token(user.confirmation_token)
+
+      assert_contain 'Your account was successfully confirmed.'
+      assert_current_url '/'
+      assert user.reload.confirmed?
+    end
+  end
+
   test 'user should be redirected to a custom path after confirmation' do
     Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
 
@@ -240,6 +264,26 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest
     assert_not admin.reload.pending_reconfirmation?
   end
 
+  test 'admin with previously valid confirmation token should not be able to confirm email after email changed again' do
+    admin = create_admin
+    admin.update_attributes(:email => 'first_test@example.com')
+    assert_equal 'first_test@example.com', admin.unconfirmed_email
+
+    confirmation_token = admin.confirmation_token
+    admin.update_attributes(:email => 'second_test@example.com')
+    assert_equal 'second_test@example.com', admin.unconfirmed_email
+
+    visit_admin_confirmation_with_token(confirmation_token)
+    assert_have_selector '#error_explanation'
+    assert_contain /Confirmation token(.*)invalid/
+
+    visit_admin_confirmation_with_token(admin.confirmation_token)
+    assert_contain 'Your account was successfully confirmed.'
+    assert_current_url '/admin_area/home'
+    assert admin.reload.confirmed?
+    assert_not admin.reload.pending_reconfirmation?
+  end
+
   test 'admin email should be unique also within unconfirmed_email' do
     admin = create_admin
     admin.update_attributes(:email => 'new_admin_test@example.com')

data/test/integration/database_authenticatable_test.rb

@@ -3,44 +3,44 @@ require 'test_helper'
 class DatabaseAuthenticationTest < ActionController::IntegrationTest
   test 'sign in with email of different case should succeed when email is in the list of case insensitive keys' do
     create_user(:email => 'Foo@Bar.com')
-    
+
     sign_in_as_user do
       fill_in 'email', :with => 'foo@bar.com'
     end
-    
+
     assert warden.authenticated?(:user)
   end
 
   test 'sign in with email of different case should fail when email is NOT the list of case insensitive keys' do
     swap Devise, :case_insensitive_keys => [] do
       create_user(:email => 'Foo@Bar.com')
-      
+
       sign_in_as_user do
         fill_in 'email', :with => 'foo@bar.com'
       end
-      
+
       assert_not warden.authenticated?(:user)
     end
   end
-  
+
   test 'sign in with email including extra spaces should succeed when email is in the list of strip whitespace keys' do
     create_user(:email => ' foo@bar.com ')
-    
+
     sign_in_as_user do
       fill_in 'email', :with => 'foo@bar.com'
     end
-    
+
     assert warden.authenticated?(:user)
   end
 
   test 'sign in with email including extra spaces should fail when email is NOT the list of strip whitespace keys' do
     swap Devise, :strip_whitespace_keys => [] do
       create_user(:email => 'foo@bar.com')
-      
+
       sign_in_as_user do
         fill_in 'email', :with => ' foo@bar.com '
       end
-      
+
       assert_not warden.authenticated?(:user)
     end
   end
@@ -53,12 +53,14 @@ class DatabaseAuthenticationTest < ActionController::IntegrationTest
   end
 
   test 'sign in with invalid email should return to sign in form with error message' do
-    sign_in_as_admin do
-      fill_in 'email', :with => 'wrongemail@test.com'
-    end
+    store_translations :en, :devise => { :failure => { :admin => { :not_found_in_database => 'Invalid email address' } } } do
+      sign_in_as_admin do
+        fill_in 'email', :with => 'wrongemail@test.com'
+      end
 
-    assert_contain 'Invalid email or password'
-    assert_not warden.authenticated?(:admin)
+      assert_contain 'Invalid email address'
+      assert_not warden.authenticated?(:admin)
+    end
   end
 
   test 'sign in with invalid pasword should return to sign in form with error message' do
@@ -79,4 +81,4 @@ class DatabaseAuthenticationTest < ActionController::IntegrationTest
       assert_contain 'Invalid credentials'
     end
   end
-end
+end

data/test/integration/http_authenticatable_test.rb

@@ -4,7 +4,7 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
     swap UsersController, :allow_forgery_protection => true do
       create_user
-      post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:123456")}"
+      post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
       assert warden.authenticated?(:user)
       assert_equal "User is authenticated", response.body
     end
@@ -82,7 +82,7 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
 
   private
 
-    def sign_in_as_new_user_with_http(username="user@test.com", password="123456")
+    def sign_in_as_new_user_with_http(username="user@test.com", password="12345678")
       user = create_user
       get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("#{username}:#{password}")}"
       user
@@ -91,7 +91,7 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     # Sign in with oauth2 token. This is just to test that it isn't misinterpreted as basic authentication
     def add_oauth2_header
       user = create_user
-      get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "OAuth #{Base64.encode64("#{user.email}:123456")}"
+      get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "OAuth #{Base64.encode64("#{user.email}:12345678")}"
     end
 
 end

data/test/integration/lockable_test.rb

@@ -221,4 +221,22 @@ class LockTest < ActionController::IntegrationTest
     end
   end
 
+  test "in paranoid mode, when locking a user that exists it should not say that the user was locked" do
+    swap Devise, :paranoid => true, :maximum_attempts => 1 do
+      user = create_user(:locked => false)
+
+      visit new_user_session_path
+      fill_in 'email', :with => user.email
+      fill_in 'password', :with => "abadpassword"
+      click_button 'Sign in'
+
+      fill_in 'email', :with => user.email
+      fill_in 'password', :with => "abadpassword"
+      click_button 'Sign in'
+
+      assert_current_url "/users/sign_in"
+      assert_not_contain "locked"
+    end
+  end
+
 end

data/test/integration/omniauthable_test.rb

@@ -61,8 +61,8 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
 
     assert_difference "User.count" do
       visit "/users/sign_up"
-      fill_in "Password", :with => "123456"
-      fill_in "Password confirmation", :with => "123456"
+      fill_in "Password", :with => "12345678"
+      fill_in "Password confirmation", :with => "12345678"
       click_button "Sign up"
     end
 

data/test/integration/recoverable_test.rb

@@ -190,15 +190,52 @@ class PasswordTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'does not sign in user automatically after changing its password if it\'s locked' do
-    user = create_user(:locked => true)
+  test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
+    [:none, :time].each do |strategy|
+      swap Devise, :unlock_strategy => strategy do
+        user = create_user(:locked => true)
+        request_forgot_password
+        reset_password :reset_password_token => user.reload.reset_password_token
+
+        assert_contain 'Your password was changed successfully.'
+        assert_not_contain 'You are now signed in.'
+        assert_equal new_user_session_path, @request.path
+        assert !warden.authenticated?(:user)
+      end
+    end
+  end
+
+  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :email' do
+    swap Devise, :unlock_strategy => :email do
+      user = create_user(:locked => true)
+      request_forgot_password
+      reset_password :reset_password_token => user.reload.reset_password_token
+
+      assert_contain 'Your password was changed successfully.'
+      assert !user.reload.access_locked?
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :both' do
+    swap Devise, :unlock_strategy => :both do
+      user = create_user(:locked => true)
+      request_forgot_password
+      reset_password :reset_password_token => user.reload.reset_password_token
+
+      assert_contain 'Your password was changed successfully.'
+      assert !user.reload.access_locked?
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
+    user = create_user(:confirm => false)
     request_forgot_password
     reset_password :reset_password_token => user.reload.reset_password_token
 
-    assert_contain 'Your password was changed successfully.'
-    assert_not_contain 'You are now signed in.'
-    assert_equal new_user_session_path, @request.path
-    assert !warden.authenticated?(:user)
+    assert warden.authenticated?(:user)
+    assert user.reload.confirmed?
   end
 
   test 'reset password request with valid E-Mail in XML format should return valid response' do

data/test/integration/registerable_test.rb

@@ -144,7 +144,7 @@ class RegistrationTest < ActionController::IntegrationTest
     get edit_user_registration_path
 
     fill_in 'email', :with => 'user.new@example.com'
-    fill_in 'current password', :with => '123456'
+    fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
     assert_current_url '/'
@@ -157,9 +157,9 @@ class RegistrationTest < ActionController::IntegrationTest
     sign_in_as_user
     get edit_user_registration_path
 
-    fill_in 'password', :with => '12345678'
-    fill_in 'password confirmation', :with => '12345678'
-    fill_in 'current password', :with => '123456'
+    fill_in 'password', :with => '1234567890'
+    fill_in 'password confirmation', :with => '1234567890'
+    fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
     assert_contain 'You updated your account successfully.'
@@ -186,15 +186,15 @@ class RegistrationTest < ActionController::IntegrationTest
     sign_in_as_user
     get edit_user_registration_path
 
-    fill_in 'password', :with => 'pas123'
-    fill_in 'password confirmation', :with => 'pas123'
-    fill_in 'current password', :with => '123456'
+    fill_in 'password', :with => 'pass1234'
+    fill_in 'password confirmation', :with => 'pass1234'
+    fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
     assert_current_url '/'
     assert_contain 'You updated your account successfully.'
 
-    assert User.first.valid_password?('pas123')
+    assert User.first.valid_password?('pass1234')
   end
 
   test 'a signed in user should not be able to edit his password with invalid confirmation' do
@@ -203,7 +203,7 @@ class RegistrationTest < ActionController::IntegrationTest
 
     fill_in 'password', :with => 'pas123'
     fill_in 'password confirmation', :with => ''
-    fill_in 'current password', :with => '123456'
+    fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
     assert_contain "Password doesn't match confirmation"
@@ -272,7 +272,7 @@ class RegistrationTest < ActionController::IntegrationTest
 
   test 'a user update information with valid data in XML format should return valid response' do
     user = sign_in_as_user
-    put user_registration_path(:format => 'xml'), :user => { :current_password => '123456', :email => 'user.new@test.com' }
+    put user_registration_path(:format => 'xml'), :user => { :current_password => '12345678', :email => 'user.new@test.com' }
     assert_response :success
     assert_equal user.reload.email, 'user.new@test.com'
   end
@@ -303,8 +303,10 @@ class ReconfirmableRegistrationTest < ActionController::IntegrationTest
 
     assert_current_url '/admin_area/home'
     assert_contain 'but we need to verify your new email address'
+    assert_equal 'admin.new@example.com', Admin.first.unconfirmed_email
 
-    assert_equal "admin.new@example.com", Admin.first.unconfirmed_email
+    get edit_admin_registration_path
+    assert_contain 'Currently waiting confirmation for: admin.new@example.com'
   end
 
   test 'a signed in admin should not see a reconfirmation message if they did not change their password' do
@@ -321,4 +323,25 @@ class ReconfirmableRegistrationTest < ActionController::IntegrationTest
 
     assert Admin.first.valid_password?('pas123')
   end
+
+  test 'a signed in admin should not see a reconfirmation message if he did not change his email, despite having an unconfirmed email' do
+    sign_in_as_admin
+
+    get edit_admin_registration_path
+    fill_in 'email', :with => 'admin.new@example.com'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    get edit_admin_registration_path
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => 'pas123'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_current_url '/admin_area/home'
+    assert_contain 'You updated your account successfully.'
+
+    assert_equal "admin.new@example.com", Admin.first.unconfirmed_email
+    assert Admin.first.valid_password?('pas123')
+  end
 end

data/test/mailers/confirmation_instructions_test.rb

@@ -50,6 +50,13 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     assert_equal ['test@example.com'], mail.reply_to
   end
 
+  test 'setup reply to as different if set in defaults' do
+    Devise.mailer = 'Users::ReplyToMailer'
+    assert_equal ['custom@example.com'], mail.from
+    assert_equal ['custom_reply_to@example.com'], mail.reply_to
+  end
+
+
   test 'setup subject from I18n' do
     store_translations :en, :devise => { :mailer => { :confirmation_instructions => { :subject => 'Account Confirmation' } } } do
       assert_equal 'Account Confirmation', mail.subject

data/test/models/authenticatable_test.rb

@@ -4,10 +4,4 @@ class AuthenticatableTest < ActiveSupport::TestCase
   test 'required_fields should be an empty array' do
     assert_equal Devise::Models::Validatable.required_fields(User), []
   end
-
-  test 'find_first_by_auth_conditions allows custom filtering parameters' do
-    user = User.create!(:email => "example@example.com", :password => "123456")
-    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }), user
-    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }, :id => user.id + 1), nil
-  end
-end
+end

data/test/models/confirmable_test.rb

@@ -235,6 +235,40 @@ class ConfirmableTest < ActiveSupport::TestCase
       assert_equal "can't be blank", confirm_user.errors[:username].join
     end
   end
+
+  def confirm_user_by_token_with_confirmation_sent_at(confirmation_sent_at)
+    user = create_user
+    user.update_attribute(:confirmation_sent_at, confirmation_sent_at)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
+    assert_equal confirmed_user, user
+    user.reload.confirmed?
+  end
+
+  test 'should accept confirmation email token even after 5 years when no expiration is set' do
+    assert confirm_user_by_token_with_confirmation_sent_at(5.years.ago)
+  end
+
+  test 'should accept confirmation email token after 2 days when expiration is set to 3 days' do
+    swap Devise, :confirm_within => 3.days do
+      assert confirm_user_by_token_with_confirmation_sent_at(2.days.ago)
+    end
+  end
+
+  test 'should not accept confirmation email token after 4 days when expiration is set to 3 days' do
+    swap Devise, :confirm_within => 3.days do
+      assert_not confirm_user_by_token_with_confirmation_sent_at(4.days.ago)
+    end
+  end
+
+  test 'should generate a new token if the previous one has expired' do
+    swap Devise, :confirm_within => 3.days do
+      user = create_user
+      user.update_attribute(:confirmation_sent_at, 4.days.ago)
+      old = user.confirmation_token
+      user.resend_confirmation_token
+      assert_not_equal user.confirmation_token, old
+    end
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase
@@ -260,7 +294,6 @@ class ReconfirmableTest < ActiveSupport::TestCase
     assert_nil admin.confirmation_token
   end
 
-
   test 'should regenerate confirmation token after changing email' do
     admin = create_admin
     assert admin.confirm!
@@ -276,6 +309,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
     assert_email_sent "new_test@example.com" do
       assert admin.update_attributes(:email => 'new_test@example.com')
     end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
   end
 
   test 'should not send confirmation by email after changing password' do