RubyGems - devise - Versions diffs - 2.2.8 → 3.0.0.rc - Mend

devise 2.2.8 → 3.0.0.rc

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (61) hide show

checksums.yaml +7 -0
data/.travis.yml +2 -17
data/CHANGELOG.rdoc +4 -20
data/Gemfile +3 -4
data/Gemfile.lock +68 -64
data/README.md +50 -30
data/app/controllers/devise/confirmations_controller.rb +1 -2
data/app/controllers/devise/passwords_controller.rb +1 -1
data/app/controllers/devise/registrations_controller.rb +13 -6
data/app/controllers/devise/sessions_controller.rb +5 -1
data/app/controllers/devise/unlocks_controller.rb +1 -1
data/app/controllers/devise_controller.rb +4 -21
data/devise.gemspec +1 -1
data/gemfiles/{Gemfile.rails-3.1.x → Gemfile.rails-3.2.x} +3 -7
data/gemfiles/{Gemfile.rails-3.1.x.lock → Gemfile.rails-3.2.x.lock} +47 -58
data/lib/devise.rb +8 -10
data/lib/devise/controllers/helpers.rb +11 -0
data/lib/devise/controllers/rememberable.rb +0 -1
data/lib/devise/models/authenticatable.rb +0 -1
data/lib/devise/models/confirmable.rb +5 -0
data/lib/devise/parameter_sanitizer.rb +59 -0
data/lib/devise/rails/warden_compat.rb +2 -9
data/lib/devise/strategies/database_authenticatable.rb +3 -6
data/lib/devise/version.rb +1 -1
data/lib/generators/active_record/devise_generator.rb +1 -4
data/lib/generators/templates/devise.rb +0 -6
data/test/controllers/helpers_test.rb +1 -1
data/test/controllers/internal_helpers_test.rb +13 -3
data/test/controllers/passwords_controller_test.rb +1 -1
data/test/generators/active_record_generator_test.rb +1 -3
data/test/integration/authenticatable_test.rb +3 -17
data/test/integration/http_authenticatable_test.rb +1 -1
data/test/integration/recoverable_test.rb +11 -1
data/test/integration/registerable_test.rb +8 -6
data/test/integration/rememberable_test.rb +13 -15
data/test/models/database_authenticatable_test.rb +0 -13
data/test/models/validatable_test.rb +12 -2
data/test/omniauth/url_helpers_test.rb +4 -1
data/test/orm/active_record.rb +1 -0
data/test/parameter_sanitizer_test.rb +51 -0
data/test/rails_app/Rakefile +0 -4
data/test/rails_app/app/mongoid/shim.rb +2 -3
data/test/rails_app/bin/bundle +3 -0
data/test/rails_app/bin/rails +4 -0
data/test/rails_app/bin/rake +4 -0
data/test/rails_app/config/application.rb +1 -2
data/test/rails_app/config/boot.rb +3 -3
data/test/rails_app/config/environment.rb +2 -2
data/test/rails_app/config/environments/development.rb +23 -7
data/test/rails_app/config/environments/production.rb +68 -17
data/test/rails_app/config/environments/test.rb +18 -15
data/test/rails_app/config/initializers/secret_token.rb +8 -2
data/test/rails_app/config/initializers/session_store.rb +1 -0
data/test/rails_app/config/routes.rb +1 -1
data/test/rails_app/lib/shared_user.rb +0 -1
data/test/routes_test.rb +22 -20
data/test/test_helper.rb +7 -0
data/test/test_models.rb +0 -1
metadata +31 -27
data/lib/devise/hooks/csrf_cleaner.rb +0 -5
data/test/rails_app/script/rails +0 -10

data/app/controllers/devise/sessions_controller.rb CHANGED

@@ -5,7 +5,7 @@ class Devise::SessionsController < DeviseController
   # GET /resource/sign_in
   def new
-    self.resource = build_resource(nil, :unsafe => true)
+    self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
     respond_with(resource, serialize_options(resource))
   end
@@ -34,6 +34,10 @@ class Devise::SessionsController < DeviseController
   protected
+  def sign_in_params
+    devise_parameter_sanitizer.for(:sign_in)
+  end
   def serialize_options(resource)
     methods = resource_class.authentication_keys.dup
     methods = methods.keys if methods.is_a?(Hash)

data/app/controllers/devise/unlocks_controller.rb CHANGED

@@ -3,7 +3,7 @@ class Devise::UnlocksController < DeviseController
   # GET /resource/unlock/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
   # POST /resource/unlock

data/app/controllers/devise_controller.rb CHANGED

@@ -28,10 +28,6 @@ class DeviseController < Devise.parent_controller.constantize
     devise_mapping.to
   end
-  def resource_params
-    params[resource_name]
-  end
   # Returns a signed in resource from session (if one exists)
   def signed_in_resource
     warden.authenticate(:scope => resource_name)
@@ -93,23 +89,6 @@ MESSAGE
     instance_variable_set(:"@#{resource_name}", new_resource)
   end
-  # Build a devise resource.
-  # Assignment bypasses attribute protection when :unsafe option is passed
-  def build_resource(hash = nil, options = {})
-    hash ||= resource_params || {}
-    if options[:unsafe]
-      self.resource = resource_class.new.tap do |resource|
-        hash.each do |key, value|
-          setter = :"#{key}="
-          resource.send(setter, value) if resource.respond_to?(setter)
-        end
-      end
-    else
-      self.resource = resource_class.new(hash)
-    end
-  end
   # Helper for use in before_filters where no authentication is required.
   #
   # Example:
@@ -186,4 +165,8 @@ MESSAGE
       format.any(*navigational_formats, &block)
     end
   end
+  def resource_params
+    params.fetch(resource_name, {})
+  end
 end

data/devise.gemspec CHANGED

@@ -22,5 +22,5 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.1")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
-  s.add_dependency("railties", "~> 3.1")
+  s.add_dependency("railties", ">= 3.2.6", "< 5")
 end

data/gemfiles/{Gemfile.rails-3.1.x → Gemfile.rails-3.2.x} RENAMED

@@ -1,8 +1,8 @@
 source "https://rubygems.org"
-gem "devise", :path => ".."
+gemspec :path => '..'
-gem "rails", "~> 3.1.0"
+gem "rails", "~> 3.2.6"
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"
@@ -12,10 +12,6 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", :require => false
   gem "mocha", "~> 0.13.1", :require => false
-  platforms :mri_18 do
-    gem "ruby-debug", ">= 0.10.3"
-  end
 end
 platforms :jruby do
@@ -28,7 +24,7 @@ platforms :ruby do
   gem "sqlite3"
 end
-platforms :mri_19 do
+platforms :mri_19, :mri_20 do
   group :mongoid do
     gem "mongoid", "~> 3.0"
   end

data/gemfiles/{Gemfile.rails-3.1.x.lock → Gemfile.rails-3.2.x.lock} RENAMED

@@ -1,60 +1,57 @@
 PATH
   remote: ..
   specs:
-    devise (2.2.8)
+    devise (3.0.0.rc)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
+      railties (>= 3.2.6, < 5)
       warden (~> 1.2.1)
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.1.12)
-      actionpack (= 3.1.12)
-      mail (~> 2.4.4)
-    actionpack (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
+    actionmailer (3.2.13)
+      actionpack (= 3.2.13)
+      mail (~> 2.5.3)
+    actionpack (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      i18n (~> 0.6)
-      rack (~> 1.3.6)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
       rack-cache (~> 1.2)
-      rack-mount (~> 0.8.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.0.4)
-    activemodel (3.1.12)
-      activesupport (= 3.1.12)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
-      i18n (~> 0.6)
-    activerecord (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
-      arel (~> 2.2.3)
+    activerecord (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+      arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
-    activesupport (3.1.12)
+    activeresource (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+    activesupport (3.2.13)
+      i18n (= 0.6.1)
       multi_json (~> 1.0)
-    arel (2.2.3)
-    bcrypt-ruby (3.1.2)
+    arel (3.0.2)
+    bcrypt-ruby (3.0.1)
     builder (3.0.4)
-    columnize (0.3.6)
     erubis (2.7.0)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
     hike (1.2.2)
     httpauth (0.2.0)
-    i18n (0.6.4)
+    i18n (0.6.1)
+    journey (1.0.4)
     json (1.7.7)
     jwt (0.1.8)
       multi_json (>= 1.5)
-    linecache (0.46)
-      rbx-require-relative (> 0.0.4)
-    mail (2.4.4)
+    mail (2.5.3)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
@@ -62,9 +59,9 @@ GEM
     mime-types (1.23)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.0.23)
-      activemodel (~> 3.1)
-      moped (~> 1.2)
+    mongoid (3.1.3)
+      activemodel (~> 3.2)
+      moped (~> 1.4.2)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
     moped (1.4.5)
@@ -91,11 +88,9 @@ GEM
     origin (1.1.0)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.3.10)
+    rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
-    rack-mount (0.8.3)
-      rack (>= 1.0.0)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -103,43 +98,38 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.1.12)
-      actionmailer (= 3.1.12)
-      actionpack (= 3.1.12)
-      activerecord (= 3.1.12)
-      activeresource (= 3.1.12)
-      activesupport (= 3.1.12)
+    rails (3.2.13)
+      actionmailer (= 3.2.13)
+      actionpack (= 3.2.13)
+      activerecord (= 3.2.13)
+      activeresource (= 3.2.13)
+      activesupport (= 3.2.13)
       bundler (~> 1.0)
-      railties (= 3.1.12)
-    railties (3.1.12)
-      actionpack (= 3.1.12)
-      activesupport (= 3.1.12)
+      railties (= 3.2.13)
+    railties (3.2.13)
+      actionpack (= 3.2.13)
+      activesupport (= 3.2.13)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6, < 2.0)
     rake (10.0.4)
-    rbx-require-relative (0.0.9)
     rdoc (3.12.2)
       json (~> 1.4)
-    ruby-debug (0.10.4)
-      columnize (>= 0.1)
-      ruby-debug-base (~> 0.10.4.0)
-    ruby-debug-base (0.10.4)
-      linecache (>= 0.3)
     ruby-openid (2.2.3)
-    sprockets (2.0.4)
+    sprockets (2.2.2)
       hike (~> 1.2)
+      multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
-    thor (0.14.6)
+    thor (0.18.1)
     tilt (1.4.0)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.3)
+    warden (1.2.1)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -160,8 +150,7 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 3.1.0)
+  rails (~> 3.2.6)
   rdoc
-  ruby-debug (>= 0.10.3)
   sqlite3
   webrat (= 0.7.3)

data/lib/devise.rb CHANGED

@@ -6,12 +6,14 @@ require 'set'
 require 'securerandom'
 module Devise
-  autoload :Delegator,     'devise/delegator'
-  autoload :FailureApp,    'devise/failure_app'
-  autoload :OmniAuth,      'devise/omniauth'
-  autoload :ParamFilter,   'devise/param_filter'
-  autoload :TestHelpers,   'devise/test_helpers'
-  autoload :TimeInflector, 'devise/time_inflector'
+  autoload :Delegator,          'devise/delegator'
+  autoload :FailureApp,         'devise/failure_app'
+  autoload :OmniAuth,           'devise/omniauth'
+  autoload :ParamFilter,        'devise/param_filter'
+  autoload :BaseSanitizer,      'devise/parameter_sanitizer'
+  autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
+  autoload :TestHelpers,        'devise/test_helpers'
+  autoload :TimeInflector,      'devise/time_inflector'
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -221,10 +223,6 @@ module Devise
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
-  # Set if we should clean up the CSRF Token on authentication
-  mattr_accessor :clean_up_csrf_token_on_authentication
-  @@clean_up_csrf_token_on_authentication = true
   def self.encryptor=(value)
     warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
   end

data/lib/devise/controllers/helpers.rb CHANGED

@@ -80,6 +80,17 @@ module Devise
         is_a?(DeviseController)
       end
+      # Setup a param sanitizer to filter parameters using strong_parameters. See
+      # lib/devise/parameter_sanitizer.rb for more info. Override this
+      # method in your application controller to use your own parameter sanitizer.
+      def devise_parameter_sanitizer
+        @devise_parameter_sanitizer ||= if defined?(ActionController::StrongParameters)
+          Devise::ParameterSanitizer.new(resource_class, resource_name, params)
+        else
+          Devise::BaseSanitizer.new(resource_class, resource_name, params)
+        end
+      end
       # Tell warden that params authentication is allowed for that specific page.
       def allow_params_authentication!
         request.env["devise.allow_params_authentication"] = true

data/lib/devise/controllers/rememberable.rb CHANGED

@@ -21,7 +21,6 @@ module Devise
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
-        return if env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!(resource.extend_remember_period)
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

data/lib/devise/models/authenticatable.rb CHANGED

@@ -1,5 +1,4 @@
 require 'devise/hooks/activatable'
-require 'devise/hooks/csrf_cleaner'
 module Devise
   module Models

data/lib/devise/models/confirmable.rb CHANGED

@@ -215,6 +215,11 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

data/lib/devise/parameter_sanitizer.rb ADDED

@@ -0,0 +1,59 @@
+module Devise
+  class BaseSanitizer
+    attr_reader :params, :resource_name, :resource_class
+    def initialize(resource_class, resource_name, params)
+      @resource_class = resource_class
+      @resource_name  = resource_name
+      @params         = params
+      @blocks         = Hash.new
+    end
+    def for(kind, &block)
+      if block_given?
+        @blocks[kind] = block
+      else
+        block = @blocks[kind]
+        block ? block.call(default_params) : fallback_for(kind)
+      end
+    end
+    private
+    def fallback_for(kind)
+      default_params
+    end
+    def default_params
+      params.fetch(resource_name, {})
+    end
+  end
+  class ParameterSanitizer < BaseSanitizer
+    private
+    def fallback_for(kind)
+      if respond_to?(kind, true)
+        send(kind)
+      else
+        raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"
+      end
+    end
+    def sign_in
+      default_params.permit(auth_keys)
+    end
+    def sign_up
+      default_params.permit(auth_keys + [:password, :password_confirmation])
+    end
+    def account_update
+      default_params.permit(auth_keys + [:password, :password_confirmation, :current_password])
+    end
+    def auth_keys
+      resource_class.authentication_keys
+    end
+  end
+end

data/lib/devise/rails/warden_compat.rb CHANGED

@@ -3,16 +3,9 @@ module Warden::Mixins::Common
     @request ||= ActionDispatch::Request.new(env)
   end
-  NULL_STORE =
-    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
-      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+  # This is called internally by Warden on logout
   def reset_session!
-    # Calling reset_session on NULL_STORE causes it fail.
-    # This is a bug that needs to be fixed in Rails.
-    unless NULL_STORE && request.session.is_a?(NULL_STORE)
-      request.reset_session
-    end
+    request.reset_session
   end
   def cookies