devise 2.2.8 → 3.0.0.rc

data/lib/devise/strategies/database_authenticatable.rb

@@ -5,16 +5,13 @@ module Devise
     # Default strategy for signing in a user, based on his email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        encrypted = false
+        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        return fail(:not_found_in_database) unless resource
 
-        if validate(resource){ encrypted = true; resource.valid_password?(password) }
+        if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
         end
-
-        mapping.to.new.password = password if !encrypted && Devise.paranoid
-        fail(:not_found_in_database) unless resource
       end
     end
   end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.8".freeze
+  VERSION = "3.0.0.rc".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -22,10 +22,7 @@ module ActiveRecord
       end
 
       def inject_devise_content
-        content = model_contents + <<CONTENT
-  # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me
-CONTENT
+        content = model_contents
 
         class_path = if namespaced?
           class_name.to_s.split("::")

data/lib/generators/templates/devise.rb

@@ -76,12 +76,6 @@ Devise.setup do |config|
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
-  # By default, Devise cleans up the CSRF token on authentication to
-  # avoid CSRF token fixation attacks. This means that, when using AJAX
-  # requests for sign in and sign up, you need to get a new CSRF token
-  # from the server. You can disable this option at your own risk.
-  # config.clean_up_csrf_token_on_authentication = true
-
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.

data/test/controllers/helpers_test.rb

@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:user_return_to] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")

data/test/controllers/internal_helpers_test.rb

@@ -34,10 +34,20 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'get resource params from request params using resource name as key' do
-    user_params = {'name' => 'Shirley Templar'}
-    @controller.stubs(:params).returns(HashWithIndifferentAccess.new({'user' => user_params}))
+    user_params = {'email' => 'shirley@templar.com'}
 
-    assert_equal user_params, @controller.resource_params
+    params = if Devise.rails4?
+      # Stub controller name so strong parameters can filter properly.
+      # DeviseController does not allow any parameters by default.
+      @controller.stubs(:controller_name).returns(:sessions_controller)
+
+      ActionController::Parameters.new({'user' => user_params})
+    else
+      HashWithIndifferentAccess.new({'user' => user_params})
+    end
+    @controller.stubs(:params).returns(params)
+
+    assert_equal user_params, @controller.send(:resource_params)
   end
 
   test 'resources methods are not controller actions' do

data/test/controllers/passwords_controller_test.rb

@@ -7,7 +7,7 @@ class PasswordsControllerTest < ActionController::TestCase
   def setup
     request.env["devise.mapping"] = Devise.mappings[:user]
 
-    @user = create_user.tap(&:confirm!)
+    @user = create_user
     @user.send_reset_password_instructions
   end
 

data/test/generators/active_record_generator_test.rb

@@ -10,13 +10,11 @@ if DEVISE_ORM == :active_record
 
     test "all files are properly created with rails31 migration syntax" do
       run_generator %w(monster)
-      assert_file "app/models/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
       assert_migration "db/migrate/devise_create_monsters.rb", /def change/
     end
 
     test "all files for namespaced model are properly created" do
       run_generator %w(admin/monster)
-      assert_file "app/models/admin/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
       assert_migration "db/migrate/devise_create_admin_monsters.rb", /def change/
     end
 
@@ -68,7 +66,7 @@ if DEVISE_ORM == :active_record
       simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
         run_generator ["monster"]
 
-        assert_file "app/models/rails_engine/monster.rb", /devise/,/attr_accessible (:[a-z_]+(, )?)+/
+        assert_file "app/models/rails_engine/monster.rb", /devise/
       end
     end
   end

data/test/integration/authenticatable_test.rb

@@ -191,7 +191,7 @@ class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
     get dashboard_path
 
     assert_response :success
-    assert_template 'home/admin'
+    assert_template 'home/admin_dashboard'
     assert_contain 'Admin dashboard'
   end
 
@@ -203,7 +203,7 @@ class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
     get dashboard_path
 
     assert_response :success
-    assert_template 'home/user'
+    assert_template 'home/user_dashboard'
     assert_contain 'User dashboard'
   end
 
@@ -327,20 +327,6 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
     assert_redirected_to new_user_session_path
   end
 
-  test 'refreshes _csrf_token' do
-    ApplicationController.allow_forgery_protection = true
-
-    begin
-      get new_user_session_path
-      token = request.session[:_csrf_token]
-
-      sign_in_as_user
-      assert_not_equal request.session[:_csrf_token], token
-    ensure
-      ApplicationController.allow_forgery_protection = false
-    end
-  end
-
   test 'allows session to be set for a given scope' do
     sign_in_as_user
     get '/users'
@@ -433,7 +419,7 @@ end
 
 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
-    swap ApplicationController, :allow_forgery_protection => true do
+    swap UsersController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 

data/test/integration/http_authenticatable_test.rb

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap ApplicationController, :allow_forgery_protection => true do
+    swap UsersController, :allow_forgery_protection => true do
       create_user
       post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
       assert warden.authenticated?(:user)

data/test/integration/recoverable_test.rb

@@ -153,7 +153,8 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
-    assert_contain 'Password doesn\'t match confirmation'
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_not user.reload.valid_password?('987654321')
   end
 
@@ -229,6 +230,15 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
+    user = create_user(:confirm => false)
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert warden.authenticated?(:user)
+    assert user.reload.confirmed?
+  end
+
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}

data/test/integration/registerable_test.rb

@@ -17,7 +17,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:admin)
     assert_current_url "/admin_area/home"
 
-    admin = Admin.last :order => "id"
+    admin = Admin.order(:id).last
     assert_equal admin.email, 'new_user@test.com'
   end
 
@@ -56,7 +56,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
 
     assert_not warden.authenticated?(:user)
 
-    user = User.last :order => "id"
+    user = User.order(:id).last
     assert_equal user.email, 'new_user@test.com'
     assert_not user.confirmed?
   end
@@ -100,7 +100,8 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_template 'registrations/new'
     assert_have_selector '#error_explanation'
     assert_contain "Email is invalid"
-    assert_contain "Password doesn't match confirmation"
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_contain "2 errors prohibited"
     assert_nil User.first
 
@@ -206,7 +207,8 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
-    assert_contain "Password doesn't match confirmation"
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_not User.first.valid_password?('pas123')
   end
 
@@ -251,7 +253,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<admin>)
 
-    admin = Admin.last :order => "id"
+    admin = Admin.order(:id).last
     assert_equal admin.email, 'new_user@test.com'
   end
 
@@ -260,7 +262,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
 
-    user = User.last :order => "id"
+    user = User.order(:id).last
     assert_equal user.email, 'new_user@test.com'
   end
 

data/test/integration/rememberable_test.rb

@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_nil request.cookies["remember_user_cookie"]
   end
 
-  test 'handle unverified requests gets rid of caches' do
-    swap ApplicationController, :allow_forgery_protection => true do
+  test 'handles unverified requests gets rid of caches' do
+    swap UsersController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 
@@ -42,21 +42,9 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'handle unverified requests does not create cookies on sign in' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      get new_user_session_path
-      assert request.session[:_csrf_token]
-
-      post user_session_path, :authenticity_token => "oops", :user =>
-           { :email => "jose.valim@gmail.com", :password => "123456", :remember_me => "1" }
-      assert_not warden.authenticated?(:user)
-      assert_not request.cookies['remember_user_token']
-    end
-  end
-
   test 'generate remember token after sign in' do
     sign_in_as_user :remember_me => true
-    assert request.cookies['remember_user_token']
+    assert request.cookies["remember_user_token"]
   end
 
   test 'generate remember token after sign in setting cookie options' do
@@ -102,6 +90,16 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_redirected_to root_path
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user

data/test/models/database_authenticatable_test.rb

@@ -123,13 +123,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.reload.valid_password?('pass4321')
   end
 
-  test 'should update password with valid current password and :as option' do
-    user = create_user
-    assert user.update_with_password(:current_password => '12345678',
-      :password => 'pass4321', :password_confirmation => 'pass4321', :as => :admin)
-    assert user.reload.valid_password?('pass4321')
-  end
-
   test 'should add an error to current password when it is invalid' do
     user = create_user
     assert_not user.update_with_password(:current_password => 'other',
@@ -182,12 +175,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_equal 'new@example.com', user.email
   end
 
-  test 'should update the user without password with :as option' do
-    user = create_user
-    user.update_without_password(:email => 'new@example.com', :as => :admin)
-    assert_equal 'new@example.com', user.email
-  end
-
   test 'should not update password without password' do
     user = create_user
     user.update_without_password(:password => 'pass4321', :password_confirmation => 'pass4321')

data/test/models/validatable_test.rb

@@ -56,7 +56,12 @@ class ValidatableTest < ActiveSupport::TestCase
   test 'should require confirmation to be set when creating a new record' do
     user = new_user(:password => 'new_password', :password_confirmation => 'blabla')
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
   test 'should require password when updating/resetting password' do
@@ -73,7 +78,12 @@ class ValidatableTest < ActiveSupport::TestCase
     user = create_user
     user.password_confirmation = 'another_password'
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
   test 'should require a password with minimum of 6 characters' do

data/test/omniauth/url_helpers_test.rb

@@ -1,6 +1,9 @@
 require 'test_helper'
 
 class OmniAuthRoutesTest < ActionController::TestCase
+  ExpectedUrlGeneratiorError = Devise.rails4? ?
+    ActionController::UrlGenerationError : ActionController::RoutingError
+
   tests ApplicationController
 
   def assert_path(action, provider, with_param=true)
@@ -30,7 +33,7 @@ class OmniAuthRoutesTest < ActionController::TestCase
   test 'should generate authorization path' do
     assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
 
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedUrlGeneratiorError do
       @controller.omniauth_authorize_path(:user, :github)
     end
   end

data/test/orm/active_record.rb

@@ -1,5 +1,6 @@
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
+ActiveRecord::Base.include_root_in_json = true
 
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 

data/test/parameter_sanitizer_test.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+require 'devise/parameter_sanitizer'
+
+class BaseSanitizerTest < ActiveSupport::TestCase
+  def sanitizer
+    Devise::BaseSanitizer.new(User, :user, { user: { "email" => "jose" } })
+  end
+
+  test 'returns chosen params' do
+    assert_equal({ "email" => "jose" }, sanitizer.for(:sign_in))
+  end
+end
+
+if defined?(ActionController::StrongParameters)
+  require 'active_model/forbidden_attributes_protection'
+
+  class ParameterSanitizerTest < ActiveSupport::TestCase
+    def sanitizer(params)
+      params = ActionController::Parameters.new(params)
+      Devise::ParameterSanitizer.new(User, :user, params)
+    end
+
+    test 'filters some parameters on sign in by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:sign_in))
+    end
+
+    test 'filters some parameters on sign up by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:sign_up))
+    end
+
+    test 'filters some parameters on account update by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:account_update))
+    end
+
+    test 'allows custom hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      sanitizer.for(:sign_in) { |user| user.permit(:email, :password) }
+      assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.for(:sign_in))
+    end
+
+    test 'raises on unknown hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      assert_raise NotImplementedError do
+        sanitizer.for(:unknown)
+      end
+    end
+  end
+end

data/test/rails_app/Rakefile

@@ -3,8 +3,4 @@
 
 require File.expand_path('../config/application', __FILE__)
 
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
-
 Rails.application.load_tasks