devise 2.2.3 → 2.2.4

data/lib/devise/models/recoverable.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
 
-    # Recoverable takes care of reseting the user password and send reset instructions.
+    # Recoverable takes care of resetting the user password and send reset instructions.
     #
     # ==Options
     #

data/lib/devise/models/timeoutable.rb

@@ -2,7 +2,7 @@ require 'devise/hooks/timeoutable'
 
 module Devise
   module Models
-    # Timeoutable takes care of veryfing whether a user session has already
+    # Timeoutable takes care of verifyng whether a user session has already
     # expired or not. When a session expires after the configured time, the user
     # will be asked for credentials again, it means, he/she will be redirected
     # to the sign in page.

data/lib/devise/param_filter.rb

@@ -8,16 +8,16 @@ module Devise
     def filter(conditions)
       conditions = stringify_params(conditions.dup)
 
-      @case_insensitive_keys.each do |k|
-        value = conditions[k]
-        next unless value.respond_to?(:downcase)
-        conditions[k] = value.downcase
-      end
+      conditions.merge!(filtered_hash_by_method_for_given_keys(conditions.dup, :downcase, @case_insensitive_keys))
+      conditions.merge!(filtered_hash_by_method_for_given_keys(conditions.dup, :strip, @strip_whitespace_keys))
+
+      conditions
+    end
 
-      @strip_whitespace_keys.each do |k|
+    def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
+      condition_keys.each do |k|
         value = conditions[k]
-        next unless value.respond_to?(:strip)
-        conditions[k] = value.strip
+        conditions[k] = value.send(method) if value.respond_to?(method)
       end
 
       conditions

data/lib/devise/rails/routes.rb

@@ -250,15 +250,11 @@ module ActionDispatch::Routing
     #   end
     #
     #   authenticate :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show"
+    #     root :to => "admin/dashboard#show", :as => :user_root
     #   end
     #
     def authenticate(scope=nil, block=nil)
-      constraint = lambda do |request|
-        request.env["warden"].authenticate!(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
-      end
-
-      constraints(constraint) do
+      constraints_for(:authenticate!, scope, block) do
         yield
       end
     end
@@ -268,25 +264,21 @@ module ActionDispatch::Routing
     # a model and allows extra constraints to be done on the instance.
     #
     #   authenticated :admin do
-    #     root :to => 'admin/dashboard#show'
+    #     root :to => 'admin/dashboard#show', :as => :admin_root
     #   end
     #
     #   authenticated do
-    #     root :to => 'dashboard#show'
+    #     root :to => 'dashboard#show', :as => :authenticated_root
     #   end
     #
     #   authenticated :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show"
+    #     root :to => "admin/dashboard#show", :as => :user_root
     #   end
     #
     #   root :to => 'landing#show'
     #
     def authenticated(scope=nil, block=nil)
-      constraint = lambda do |request|
-        request.env["warden"].authenticate?(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
-      end
-
-      constraints(constraint) do
+      constraints_for(:authenticate?, scope, block) do
         yield
       end
     end
@@ -329,7 +321,7 @@ module ActionDispatch::Routing
     # good and working example.
     #
     #  devise_scope :user do
-    #    match "/some/route" => "some_devise_controller"
+    #    get "/some/route" => "some_devise_controller"
     #  end
     #  devise_for :users
     #
@@ -401,12 +393,14 @@ module ActionDispatch::Routing
         match "#{path_prefix}/:provider",
           :constraints => { :provider => providers },
           :to => "#{controllers[:omniauth_callbacks]}#passthru",
-          :as => :omniauth_authorize
+          :as => :omniauth_authorize,
+          :via => [:get, :post]
 
         match "#{path_prefix}/:action/callback",
           :constraints => { :action => providers },
           :to => controllers[:omniauth_callbacks],
-          :as => :omniauth_callback
+          :as => :omniauth_callback,
+          :via => [:get, :post]
       ensure
         @scope[:path] = path
       end
@@ -426,6 +420,17 @@ module ActionDispatch::Routing
         @scope.merge!(old)
       end
 
+      def constraints_for(method_to_apply, scope=nil, block=nil)
+        constraint = lambda do |request|
+          request.env['warden'].send(method_to_apply, :scope => scope) &&
+            (block.nil? || block.call(request.env["warden"].user(scope)))
+        end
+
+        constraints(constraint) do
+          yield
+        end
+      end
+
       def set_omniauth_path_prefix!(path_prefix) #:nodoc:
         if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
           raise "Wrong OmniAuth configuration. If you are getting this exception, it means that either:\n\n" \

data/lib/devise/rails/warden_compat.rb

@@ -12,32 +12,3 @@ module Warden::Mixins::Common
     request.cookie_jar
   end
 end
-
-class Warden::SessionSerializer
-  def serialize(record)
-    klass = record.class
-    array = klass.serialize_into_session(record)
-    array.unshift(klass.name)
-  end
-
-  def deserialize(keys)
-    klass_name, *args = keys
-
-    begin
-      klass = ActiveSupport::Inflector.constantize(klass_name)
-      if klass.respond_to? :serialize_from_session
-        klass.serialize_from_session(*args)
-      else
-        Rails.logger.warn "[Devise] Stored serialized class #{klass_name} seems not to be Devise enabled anymore. Did you do that on purpose?"
-        nil
-      end
-    rescue NameError => e
-      if e.message =~ /uninitialized constant/
-        Rails.logger.debug "[Devise] Trying to deserialize invalid class #{klass_name}"
-        nil
-      else
-        raise
-      end
-    end
-  end
-end

data/lib/devise/strategies/authenticatable.rb

@@ -100,7 +100,7 @@ module Devise
 
       # Extract a hash with attributes:values from the http params.
       def http_auth_hash
-        keys = [authentication_keys.first, :password]
+        keys = [http_authentication_key, :password]
         Hash[*keys.zip(decode_credentials).flatten]
       end
 
@@ -134,24 +134,27 @@ module Devise
         parse_authentication_key_values(request_values, request_keys)
       end
 
-      # Holds the authentication keys.
       def authentication_keys
         @authentication_keys ||= mapping.to.authentication_keys
       end
 
-      # Holds request keys.
+      def http_authentication_key
+        @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
+          when Array then authentication_keys.first
+          when Hash then authentication_keys.keys.first
+        end
+      end
+
       def request_keys
         @request_keys ||= mapping.to.request_keys
       end
 
-      # Returns values from the request object.
       def request_values
         keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
         values = keys.map { |k| self.request.send(k) }
         Hash[keys.zip(values)]
       end
 
-      # Parse authentication keys considering if they should be enforced or not.
       def parse_authentication_key_values(hash, keys)
         keys.each do |key, enforce|
           value = hash[key].presence

data/lib/devise/strategies/token_authenticatable.rb

@@ -7,13 +7,22 @@ module Devise
     #
     #   http://myapp.example.com/?user_token=SECRET
     #
-    # For HTTP, you can pass the token as username and blank password. Since some clients may require
-    # a password, you can pass "X" as password and it will simply be ignored.
+    # For headers, you can use basic authentication passing the token as username and
+    # blank password. Since some clients may require a password, you can pass "X" as
+    # password and it will simply be ignored.
+    #
+    # You may also pass the token using the Token authentication mechanism provided
+    # by Rails: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
+    # The token options are stored in request.env['devise.token_options']
     class TokenAuthenticatable < Authenticatable
       def store?
         super && !mapping.to.skip_session_storage.include?(:token_auth)
       end
 
+      def valid?
+        super || valid_for_token_auth?
+      end
+
       def authenticate!
         resource = mapping.to.find_for_token_authentication(authentication_hash)
         return fail(:invalid_token) unless resource
@@ -36,7 +45,33 @@ module Devise
         false
       end
 
-      # Try both scoped and non scoped keys.
+      # Check if the model accepts this strategy as token authenticatable.
+      def token_authenticatable?
+        mapping.to.http_authenticatable?(:token_options)
+      end
+
+      # Check if this is strategy is valid for token authentication by:
+      #
+      #   * Validating if the model allows http token authentication;
+      #   * If the http auth token exists;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_token_auth?
+        token_authenticatable? && auth_token.present? && with_authentication_hash(:token_auth, token_auth_hash)
+      end
+
+      # Extract the auth token from the request
+      def auth_token
+        @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
+      end
+
+      # Extract a hash with attributes:values from the auth_token
+      def token_auth_hash
+        request.env['devise.token_options'] = auth_token.last
+        { authentication_keys.first => auth_token.first }
+      end
+
+      # Try both scoped and non scoped keys
       def params_auth_hash
         if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
           params[scope]

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.3".freeze
+  VERSION = "2.2.4".freeze
 end

data/lib/generators/devise/views_generator.rb

@@ -18,7 +18,7 @@ module Devise
         public_task :copy_views
       end
 
-      # TODO: Add this to Rails itslef
+      # TODO: Add this to Rails itself
       module ClassMethods
         def hide!
           Rails::Generators.hide_namespace self.namespace
@@ -36,7 +36,13 @@ module Devise
       protected
 
       def view_directory(name, _target_path = nil)
-        directory name.to_s, _target_path || "#{target_path}/#{name}"
+        directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
+          if scope
+            content.gsub "devise/shared/links", "#{scope}/shared/links"
+          else
+            content
+          end
+        end
       end
 
       def target_path

data/lib/generators/templates/devise.rb

@@ -48,10 +48,14 @@ Devise.setup do |config|
   # enable it only for database (email + password) authentication.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
   # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication.
+  # enable it only for token authentication. The supported strategies are:
+  # :database      = Support basic authentication with authentication key + password
+  # :token         = Support basic authentication with token authentication key
+  # :token_options = Support token authentication with options as defined in
+  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -125,7 +129,7 @@ Devise.setup do |config|
   config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that
-  # an one (and only one) @ exists in the given string. This is mainly
+  # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   # config.email_regexp = /\A[^@]+@[^@]+\z/
 
@@ -175,7 +179,9 @@ Devise.setup do |config|
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
   # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
   # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper)
+  # REST_AUTH_SITE_KEY to pepper).
+  #
+  # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
 
   # ==> Configuration for :token_authenticatable

data/lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -22,6 +22,6 @@
 
 <h3>Cancel my account</h3>
 
-<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.</p>
+<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %></p>
 
 <%= link_to "Back", :back %>

data/test/controllers/passwords_controller_test.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class PasswordsControllerTest < ActionController::TestCase
+  tests Devise::PasswordsController
+  include Devise::TestHelpers
+
+  def setup
+    request.env["devise.mapping"] = Devise.mappings[:user]
+
+    @user = create_user
+    @user.send_reset_password_instructions
+  end
+
+  def put_update_with_params
+    put :update, "user" => {
+      "reset_password_token" => @user.reset_password_token, "password" => "123456", "password_confirmation" => "123456"
+    }
+  end
+
+  test 'redirect to after_sign_in_path_for if after_resetting_password_path_for is not overridden' do
+    put_update_with_params
+    assert_redirected_to "http://test.host/"
+  end
+
+  test 'redirect accordingly if after_resetting_password_path_for is overridden' do
+    custom_path = "http://custom.path/"
+    Devise::PasswordsController.any_instance.stubs(:after_resetting_password_path_for).with(@user).returns(custom_path)
+
+    put_update_with_params
+    assert_redirected_to custom_path
+  end
+end

data/test/failure_app_test.rb

@@ -80,9 +80,9 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'setup a default message' do
       call_failure
-      assert_match /You are being/, @response.last.body
-      assert_match /redirected/, @response.last.body
-      assert_match /users\/sign_in/, @response.last.body
+      assert_match(/You are being/, @response.last.body)
+      assert_match(/redirected/, @response.last.body)
+      assert_match(/users\/sign_in/, @response.last.body)
     end
 
     test 'works for any navigational format' do

data/test/generators/views_generator_test.rb

@@ -8,14 +8,17 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
   test "Assert all views are properly created with no params" do
     run_generator
     assert_files
+    assert_shared_links
   end
 
-  test "Assert all views are properly created with scope param param" do
+  test "Assert all views are properly created with scope param" do
     run_generator %w(users)
     assert_files "users"
+    assert_shared_links "users"
 
     run_generator %w(admins)
     assert_files "admins"
+    assert_shared_links "admins"
   end
 
   test "Assert views with simple form" do
@@ -49,4 +52,16 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_file "app/views/#{scope}/shared/_links.erb"
     assert_file "app/views/#{scope}/unlocks/new.html.erb"
   end
+
+  def assert_shared_links(scope = nil)
+    scope = "devise" if scope.nil?
+    link = /<%= render \"#{scope}\/shared\/links\" %>/
+
+    assert_file "app/views/#{scope}/passwords/edit.html.erb", link
+    assert_file "app/views/#{scope}/passwords/new.html.erb", link
+    assert_file "app/views/#{scope}/confirmations/new.html.erb", link
+    assert_file "app/views/#{scope}/registrations/new.html.erb", link
+    assert_file "app/views/#{scope}/sessions/new.html.erb", link
+    assert_file "app/views/#{scope}/unlocks/new.html.erb", link
+  end
 end

data/test/helpers/devise_helper_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class DeviseHelperTest < ActionController::IntegrationTest
+class DeviseHelperTest < ActionDispatch::IntegrationTest
   setup do
     model_labels = { :models => { :user => "utilisateur" } }
 

data/test/integration/authenticatable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class AuthenticationSanityTest < ActionController::IntegrationTest
+class AuthenticationSanityTest < ActionDispatch::IntegrationTest
   test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
@@ -134,7 +134,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRoutesRestrictions < ActionController::IntegrationTest
+class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
   test 'not signed in should not be able to access private route (authenticate denied)' do
     get private_path
     assert_redirected_to new_admin_session_path
@@ -254,7 +254,7 @@ class AuthenticationRoutesRestrictions < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRedirectTest < ActionController::IntegrationTest
+class AuthenticationRedirectTest < ActionDispatch::IntegrationTest
   test 'redirect from warden shows sign in or sign up message' do
     get admins_path
 
@@ -317,7 +317,7 @@ class AuthenticationRedirectTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationSessionTest < ActionController::IntegrationTest
+class AuthenticationSessionTest < ActionDispatch::IntegrationTest
   test 'destroyed account is signed out' do
     sign_in_as_user
     get '/users'
@@ -333,22 +333,34 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
-  test 'does not explode when invalid user class is stored in session' do
-    klass = User
-    paths = ActiveSupport::Dependencies.autoload_paths.dup
-
+  test 'does not explode when class name is still stored in session' do
+    # In order to test that old sessions do not break with the new scoped
+    # deserialization, we need to serialize the session the old way. This is
+    # done by removing the newly used scoped serialization method
+    # (#user_serialize) and bringing back the old uncsoped #serialize method
+    # that includes the record's class name in the serialization.
     begin
+      Warden::SessionSerializer.class_eval do
+        alias_method :original_serialize, :serialize
+        alias_method :original_user_serialize, :user_serialize
+        remove_method :user_serialize
+
+        def serialize(record)
+          klass = record.class
+          array = klass.serialize_into_session(record)
+          array.unshift(klass.name)
+        end
+      end
+
       sign_in_as_user
       assert warden.authenticated?(:user)
-
-      Object.send :remove_const, :User
-      ActiveSupport::Dependencies.autoload_paths.clear
-
-      visit "/users"
-      assert_not warden.authenticated?(:user)
     ensure
-      Object.const_set(:User, klass)
-      ActiveSupport::Dependencies.autoload_paths.replace(paths)
+      Warden::SessionSerializer.class_eval do
+        alias_method :serialize, :original_serialize
+        remove_method :original_serialize
+        alias_method :user_serialize, :original_user_serialize
+        remove_method :original_user_serialize
+      end
     end
   end
 
@@ -364,7 +376,7 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationWithScopedViewsTest < ActionController::IntegrationTest
+class AuthenticationWithScopedViewsTest < ActionDispatch::IntegrationTest
   test 'renders the scoped view if turned on and view is available' do
     swap Devise, :scoped_views => true do
       assert_raise Webrat::NotFoundError do
@@ -405,7 +417,7 @@ class AuthenticationWithScopedViewsTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationOthersTest < ActionController::IntegrationTest
+class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
     swap UsersController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
@@ -504,14 +516,26 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
 
-  test 'sign out with xml format returns ok response' do
+  test 'sign out with html redirects' do
+    sign_in_as_user
+    get destroy_user_session_path
+    assert_response :redirect
+    assert_current_url '/'
+
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'html')
+    assert_response :redirect
+    assert_current_url '/'
+  end
+
+  test 'sign out with xml format returns no content' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'xml')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
-  test 'sign out with json format returns empty json response' do
+  test 'sign out with json format returns no content' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'json')
     assert_response :no_content
@@ -519,7 +543,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 
   test 'sign out with non-navigational format via XHR does not redirect' do
-    swap Devise, :navigational_formats => ['*/*', :html] do 
+    swap Devise, :navigational_formats => ['*/*', :html] do
       sign_in_as_user
       xml_http_request :get, destroy_user_session_path, {}, { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
       assert_response :no_content
@@ -529,7 +553,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 
   # Belt and braces ... Perhaps this test is not necessary?
   test 'sign out with navigational format via XHR does redirect' do
-    swap Devise, :navigational_formats => ['*/*', :html] do 
+    swap Devise, :navigational_formats => ['*/*', :html] do
       sign_in_as_user
       xml_http_request :get, destroy_user_session_path, {}, { "HTTP_ACCEPT" => "text/html,*/*" }
       assert_response :redirect
@@ -538,7 +562,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationKeysTest < ActionController::IntegrationTest
+class AuthenticationKeysTest < ActionDispatch::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, :authentication_keys => [:subdomain] do
       sign_in_as_user
@@ -555,7 +579,7 @@ class AuthenticationKeysTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRequestKeysTest < ActionController::IntegrationTest
+class AuthenticationRequestKeysTest < ActionDispatch::IntegrationTest
   test 'request keys are used on authentication' do
     host! 'foo.bar.baz'
 
@@ -596,7 +620,7 @@ class AuthenticationRequestKeysTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+class AuthenticationSignOutViaTest < ActionDispatch::IntegrationTest
   def sign_in!(scope)
     sign_in_as_admin(:visit => send("new_#{scope}_session_path"))
     assert warden.authenticated?(scope)
@@ -650,3 +674,26 @@ class AuthenticationSignOutViaTest < ActionController::IntegrationTest
     assert warden.authenticated?(:sign_out_via_delete_or_post)
   end
 end
+
+class DoubleAuthenticationRedirectTest < ActionDispatch::IntegrationTest
+  test 'signed in as user redirects when visiting user sign in page' do
+    sign_in_as_user
+    get new_user_session_path(:format => :html)
+    assert_redirected_to '/'
+  end
+
+  test 'signed in as admin redirects when visiting admin sign in page' do
+    sign_in_as_admin
+    get new_admin_session_path(:format => :html)
+    assert_redirected_to '/admin_area/home'
+  end
+
+  test 'signed in as both user and admin redirects when visiting admin sign in page' do
+    sign_in_as_user
+    sign_in_as_admin
+    get new_user_session_path(:format => :html)
+    assert_redirected_to '/'
+    get new_admin_session_path(:format => :html)
+    assert_redirected_to '/admin_area/home'
+  end
+end