devise 3.1.0 → 3.1.2
- data/CHANGELOG.md +13 -0
- data/Gemfile.lock +2 -2
- data/app/controllers/devise/confirmations_controller.rb +2 -0
- data/config/locales/en.yml +1 -1
- data/gemfiles/Gemfile.rails-3.2.x.lock +4 -4
- data/lib/devise/parameter_sanitizer.rb +9 -3
- data/lib/devise/rails/routes.rb +1 -0
- data/lib/devise/strategies/database_authenticatable.rb +6 -3
- data/lib/devise/version.rb +1 -1
- data/test/integration/confirmable_test.rb +11 -1
- data/test/parameter_sanitizer_test.rb +9 -0
- metadata +2 -2
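--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+== 3.1.2
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+* Avoid e-mail enumeration on sign in when in paranoid mode
+
+== 3.1.1
+
+* bug fix
+* Improve default message which asked users to sign in even when they were already signed (by @gregates)
+* Improve error message for when the `config.secret_key` is missing
+
 == 3.1.0
 
 Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/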
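--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -12,7 +12,7 @@ GIT
 PATH
 remote: .
 specs:
-devise (3.1.
+devise (3.1.2)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)
@@ -48,7 +48,7 @@ GEM
 tzinfo (~> 0.3.37)
 arel (4.0.0)
 atomic (1.1.12)
-bcrypt-ruby (3.1.
+bcrypt-ruby (3.1.2)
 builder (3.1.4)
 erubis (2.7.0)
 faraday (0.8.8)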
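--- a/data/app/controllers/devise/confirmations_controller.rb
+++ b/data/app/controllers/devise/confirmations_controller.rb
@@ -43,6 +43,8 @@ class Devise::ConfirmationsController < DeviseController
 def after_confirmation_path_for(resource_name, resource)
 if Devise.allow_insecure_sign_in_after_confirmation
 after_sign_in_path_for(resource)
+elsif signed_in?
+signed_in_root_path(resource)
 else
 new_session_path(resource_name)
 end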
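Review bot: `elsif signed_in?` on the new branch checks whether any Devise scope has a session, not whether the `resource_name` being confirmed does; if `signed_in?` here is the Devise helper that takes an optional scope, `elsif signed_in?(resource_name)` would tie the check to the scope whose root path is returned on the next line. As written, confirming a user while a different scope is signed in would redirect to `signed_in_root_path(resource)` rather than that user's sign-in page; whether that is reachable depends on the app's scopes, so treat it as something to confirm. A one-line why-comment would also help future readers, e.g. `# Already signed in (e.g. unconfirmed access was allowed): send them home instead of to the sign-in form.` The method's closing `end` is outside the hunk.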
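--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -3,7 +3,7 @@
 en:
 devise:
 confirmations:
-confirmed: "Your account was successfully confirmed.
+confirmed: "Your account was successfully confirmed."
 confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
 send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
 send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."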
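--- a/data/gemfiles/Gemfile.rails-3.2.x.lock
+++ b/data/gemfiles/Gemfile.rails-3.2.x.lock
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
-devise (3.1.
+devise (3.1.2)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)
@@ -39,8 +39,8 @@ GEM
 i18n (~> 0.6, >= 0.6.4)
 multi_json (~> 1.0)
 arel (3.0.2)
-atomic (1.1.
-bcrypt-ruby (3.1.
+atomic (1.1.14)
+bcrypt-ruby (3.1.2)
 builder (3.0.4)
 erubis (2.7.0)
 faraday (0.8.8)
@@ -125,7 +125,7 @@ GEM
 tilt (~> 1.1, != 1.3.0)
 sqlite3 (1.3.7)
 thor (0.18.1)
-thread_safe (0.1.
+thread_safe (0.1.3)
 atomic
 tilt (1.4.1)
 treetop (1.4.14)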
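--- a/data/lib/devise/parameter_sanitizer.rb
+++ b/data/lib/devise/parameter_sanitizer.rb
@@ -47,19 +47,25 @@ module Devise
 end
 
 def sign_in
-
+permit self.for(:sign_in)
 end
 
 def sign_up
-
+permit self.for(:sign_up)
 end
 
 def account_update
-
+permit self.for(:account_update)
 end
 
 private
 
+# TODO: We do need to flatten so it works with strong_parameters
+# gem. We should drop it once we move to Rails 4 only support.
+def permit(keys)
+default_params.permit(*Array(keys))
+end
+
 # Change for(kind) to return the values in the @permitted
 # hash, allowing the developer to customize at runtime.
 def default_for(kind)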
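Review bot: The new private `permit(keys)` documents why it flattens but not what it accepts, and the three public methods above now route through it; suggest a line above the `def`, `# keys: a Symbol or an Array of keys as accepted by ActionController::Parameters#permit; a single key is wrapped so both forms are splatted the same way.` The TODO could also name what breaks without the flatten — the hunk implies the strong_parameters gem's `permit` does not unwrap a nested Array, which should be confirmed before the TODO is acted on. The explicit `self.for(...)` receiver is required because `for` is a reserved word and is worth a short note so nobody "simplifies" it away. The class header and `default_params` are outside the hunk.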
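--- a/data/lib/devise/strategies/database_authenticatable.rb
+++ b/data/lib/devise/strategies/database_authenticatable.rb
@@ -5,13 +5,16 @@ module Devise
 # Default strategy for signing in a user, based on his email and password in the database.
 class DatabaseAuthenticatable < Authenticatable
 def authenticate!
-resource
-
+resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+encrypted = false
 
-if validate(resource){ resource.valid_password?(password) }
+if validate(resource){ encrypted = true; resource.valid_password?(password) }
 resource.after_database_authentication
 success!(resource)
 end
+
+mapping.to.new.password = password if !encrypted && Devise.paranoid
+fail(:not_found_in_database) unless resource
 end
 end
 end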
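Review bot: `mapping.to.new.password = password if !encrypted && Devise.paranoid` is the actual enumeration fix yet reads as dead code — it builds a model instance only to discard it — so it needs a why-comment, e.g. `# In paranoid mode, hash the submitted password even when no user was found so the response time does not reveal whether the e-mail exists.` The equalisation only holds if `password=` on a fresh `mapping.to` instance does the same digest work as `valid_password?` on a found record, which the hunk cannot show; also confirm the model's `password=` does not skip the digest for blank input, unless the strategy's own `valid_password?` (called without a receiver on the first added line) already rejects that case. Setting `encrypted` as a side effect inside the `validate` block is terse; a comment on `encrypted = false` such as `# set once a real bcrypt comparison has run` would make the intent clear. None of the tests on this page cover the not-found path, so a test asserting that `password=` is invoked on a new model when the e-mail is unknown in paranoid mode would lock the fix in. The `Authenticatable` superclass, `validate` and `authentication_hash` are outside the hunk.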
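--- a/data/test/integration/confirmable_test.rb
+++ b/data/test/integration/confirmable_test.rb
@@ -56,7 +56,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
 assert_not user.confirmed?
 visit_user_confirmation_with_token(user.raw_confirmation_token)
 
-assert_contain 'Your account was successfully confirmed.
+assert_contain 'Your account was successfully confirmed.'
 assert_current_url '/users/sign_in'
 assert user.reload.confirmed?
 end
@@ -135,6 +135,16 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
 end
 end
 
+test 'unconfirmed but signed in user should be redirected to their root path' do
+swap Devise, :allow_unconfirmed_access_for => 1.day do
+user = sign_in_as_user(:confirm => false)
+
+visit_user_confirmation_with_token(user.raw_confirmation_token)
+assert_contain 'Your account was successfully confirmed.'
+assert_current_url '/'
+end
+end
+
 test 'error message is configurable by resource name' do
 store_translations :en, :devise => {
 :failure => { :user => { :unconfirmed => "Not confirmed user" } }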
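--- a/data/test/parameter_sanitizer_test.rb
+++ b/data/test/parameter_sanitizer_test.rb
@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
 sanitizer.sanitize(:unknown)
 end
 end
+
+test 'passes parameters to filter as arguments to sanitizer' do
+params = {user: stub}
+sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+
+params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+
+sanitizer.sanitize(:sign_in)
+end
 end
 end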
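Review bot: `params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))` pins that the keys arrive as three separate arguments rather than one Array, which is the point of the flatten in the sanitizer, but it does not check which keys; if the default `for(:sign_in)` keys are stable, asserting them by value would also catch a regression in `default_for`. The test name 'passes parameters to filter as arguments to sanitizer' reads backwards — it is the sanitizer passing filter keys to `params.permit` — so a rename such as 'passes permitted keys to params.permit as separate arguments' would describe what is asserted. The enclosing `if defined?(ActionController::StrongParameters)` block and its test class start outside the hunk.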
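--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-version: 3.1.
+version: 3.1.2
 prerelease:
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-
+date: 2013-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: warden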