devise 3.2.2 → 3.2.3

data/gemfiles/Gemfile.rails-head

@@ -0,0 +1,29 @@
+source "https://rubygems.org"
+
+gemspec :path => '..'
+
+gem "rails", github: 'rails/rails'
+gem "omniauth", "~> 1.0.0"
+gem "omniauth-oauth2", "~> 1.0.0"
+gem "rdoc"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid", "~> 1.0.1"
+  gem "webrat", "0.7.3", :require => false
+  gem "mocha", "~> 0.14", :require => false
+end
+
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", github: "mongoid/mongoid", branch: "master"
+end

data/lib/devise.rb

@@ -236,12 +236,12 @@ module Devise
   @@parent_mailer = "ActionMailer::Base"
 
   # The router Devise should use to generate routes. Defaults
-  # to :main_app. Should be overriden by engines in order
+  # to :main_app. Should be overridden by engines in order
   # to provide custom routes.
   mattr_accessor :router_name
   @@router_name = nil
 
-  # Set the omniauth path prefix so it can be overriden when
+  # Set the omniauth path prefix so it can be overridden when
   # Devise is used in a mountable engine
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
@@ -274,7 +274,7 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
-  # When true, warn user if he just used next-to-last attempt of authentication
+  # When true, warn user if they just used next-to-last attempt of authentication
   mattr_accessor :last_attempt_warning
   @@last_attempt_warning = false
 

data/lib/devise/controllers/helpers.rb

@@ -98,7 +98,7 @@ module Devise
         request.env["devise.allow_params_authentication"] = true
       end
 
-      # The scope root url to be used when he's signed in. By default, it first
+      # The scope root url to be used when they're signed in. By default, it first
       # tries to find a resource_root_path, otherwise it uses the root_path.
       def signed_in_root_path(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)

data/lib/devise/controllers/scoped_views.rb

@@ -14,4 +14,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/controllers/sign_in_out.rb

@@ -100,4 +100,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/hooks/activatable.rb

@@ -1,6 +1,6 @@
-# Deny user access whenever his account is not active yet. All strategies that inherits from
+# Deny user access whenever their account is not active yet. All strategies that inherits from
 # Devise::Strategies::Authenticatable and uses the validate already check if the user is active_for_authentication?
-# before actively signing him in. However, we need this as hook to validate the user activity
+# before actively signing them in. However, we need this as hook to validate the user activity
 # in each request and in case the user is using other strategies beside Devise ones.
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
@@ -8,4 +8,4 @@ Warden::Manager.after_set_user do |record, warden, options|
     warden.logout(scope)
     throw :warden, :scope => scope, :message => record.inactive_message
   end
-end
+end

data/lib/devise/hooks/proxy.rb

@@ -18,4 +18,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/hooks/rememberable.rb

@@ -4,4 +4,4 @@ Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
      record.remember_me && warden.authenticated?(scope)
     Devise::Hooks::Proxy.new(warden).remember_me(record)
   end
-end
+end

data/lib/devise/models/authenticatable.rb

@@ -56,7 +56,7 @@ module Devise
       BLACKLIST_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
         :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
         :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
-        :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at, :authentication_token]
+        :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
 
       included do
         class_attribute :devise_modules, :instance_writer => false
@@ -127,7 +127,7 @@ module Devise
       end
 
       # This is an internal method called every time Devise needs
-      # to send a notification/mail. This can be overriden if you
+      # to send a notification/mail. This can be overridden if you
       # need to customize the e-mail delivery logic. For instance,
       # if you are using a queue to deliver e-mails (delayed job,
       # sidekiq, resque, etc), you must add the delivery to the queue

data/lib/devise/models/confirmable.rb

@@ -9,7 +9,7 @@ module Devise
     #
     # Confirmable adds the following options to +devise+:
     #
-    #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access his account
+    #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access their account
     #     before confirming it. After this period, the user access is denied. You can
     #     use this to let your user access some features of your application without
     #     confirming the account, but blocking it after a certain period (ie 7 days).
@@ -152,7 +152,7 @@ module Devise
       protected
 
         # A callback method used to deliver confirmation
-        # instructions on creation. This can be overriden
+        # instructions on creation. This can be overridden
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions

data/lib/devise/models/lockable.rb

@@ -34,10 +34,13 @@ module Devise
       end
 
       # Lock a user setting its locked_at to actual time.
-      def lock_access!
+      # * +opts+: Hash options if you don't want to send email
+      #   when you lock access, you could pass the next hash
+      #   `{ :send_instructions => false } as option`.
+      def lock_access!(opts = { })
         self.locked_at = Time.now.utc
 
-        if unlock_strategy_enabled?(:email)
+        if unlock_strategy_enabled?(:email) && opts.fetch(:send_instructions, true)
           send_unlock_instructions
         else
           save(:validate => false)
@@ -124,11 +127,11 @@ module Devise
       protected
 
         def attempts_exceeded?
-          self.failed_attempts > self.class.maximum_attempts
+          self.failed_attempts >= self.class.maximum_attempts
         end
 
         def last_attempt?
-          self.failed_attempts == self.class.maximum_attempts
+          self.failed_attempts == self.class.maximum_attempts - 1
         end
 
         # Tells if the lock is expired if :time unlock strategy is active

data/lib/devise/models/rememberable.rb

@@ -17,7 +17,7 @@ module Devise
     #
     #   * +remember_for+: the time you want the user will be remembered without
     #     asking for credentials. After this time the user will be blocked and
-    #     will have to enter his credentials again. This configuration is also
+    #     will have to enter their credentials again. This configuration is also
     #     used to calculate the expires time for the cookie created to remember
     #     the user. By default remember_for is 2.weeks.
     #

data/lib/devise/models/timeoutable.rb

@@ -2,9 +2,9 @@ require 'devise/hooks/timeoutable'
 
 module Devise
   module Models
-    # Timeoutable takes care of verifyng whether a user session has already
+    # Timeoutable takes care of verifying whether a user session has already
     # expired or not. When a session expires after the configured time, the user
-    # will be asked for credentials again, it means, he/she will be redirected
+    # will be asked for credentials again, it means, they will be redirected
     # to the sign in page.
     #
     # == Options

data/lib/devise/modules.rb

@@ -25,4 +25,4 @@ Devise.with_options :model => true do |d|
 
   # Stats for last, so we make sure the user is really signed in
   d.add_module :trackable
-end
+end

data/lib/devise/orm/active_record.rb

@@ -1,3 +1,3 @@
 require 'orm_adapter/adapters/active_record'
 
-ActiveRecord::Base.extend Devise::Models
+ActiveRecord::Base.extend Devise::Models

data/lib/devise/orm/mongoid.rb

@@ -1,3 +1,3 @@
 require 'orm_adapter/adapters/mongoid'
 
-Mongoid::Document::ClassMethods.send :include, Devise::Models
+Mongoid::Document::ClassMethods.send :include, Devise::Models

data/lib/devise/rails.rb

@@ -29,7 +29,13 @@ module Devise
       end
     end
 
-    initializer "devise.secret_key" do
+    config.after_initialize do |app|
+      if app.respond_to?(:secrets)
+        Devise.secret_key ||= app.secrets.secret_key_base
+      elsif app.config.respond_to?(:secret_key_base)
+        Devise.secret_key ||= app.config.secret_key_base
+      end
+
       Devise.token_generator ||=
         if secret_key = Devise.secret_key
           Devise::TokenGenerator.new(

data/lib/devise/rails/routes.rb

@@ -102,8 +102,11 @@ module ActionDispatch::Routing
     #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
     #
-    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout',
-    #        :password => 'secret', :confirmation => 'verification', registration: 'register }
+    #      devise_for :users, path_names: {
+    #        sign_in: 'login', sign_out: 'logout',
+    #        password: 'secret', confirmation: 'verification',
+    #        registration: 'register', edit: 'edit/profile'
+    #      }
     #
     #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
     #    However, if you want them to point to custom controller, you should do:
@@ -229,6 +232,14 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name)
         end
 
+        if options[:controllers] && options[:controllers][:omniauth_callbacks]
+          unless mapping.omniauthable?
+            msg =  "Mapping omniauth_callbacks on a resource that is not omniauthable\n"
+            msg << "Please add `devise :omniauthable` to the `#{mapping.class_name}` model"
+            raise msg
+          end
+        end
+
         routes  = mapping.used_routes
 
         devise_scope mapping.name do
@@ -370,6 +381,7 @@ module ActionDispatch::Routing
       def devise_registration(mapping, controllers) #:nodoc:
         path_names = {
           :new => mapping.path_names[:sign_up],
+          :edit => mapping.path_names[:edit],
           :cancel => mapping.path_names[:cancel]
         }
 
@@ -393,13 +405,13 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing
 `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
 
     match "/users/auth/:provider",
-      :constraints => { :provider => /\A(google|facebook)\z/ },
+      :constraints => { :provider => /google|facebook/ },
       :to => "devise/omniauth_callbacks#passthru",
       :as => :omniauth_authorize,
       :via => [:get, :post]
 
     match "/users/auth/:action/callback",
-      :constraints => { :action => /\A(google|facebook)\z/ },
+      :constraints => { :action => /google|facebook/ },
       :to => "devise/omniauth_callbacks",
       :as => :omniauth_callback,
       :via => [:get, :post]

data/lib/devise/strategies/authenticatable.rb

@@ -49,7 +49,7 @@ module Devise
         valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
       end
 
-      # Check if this is strategy is valid for http authentication by:
+      # Check if this is a valid strategy for http authentication by:
       #
       #   * Validating if the model allows params authentication;
       #   * If any of the authorization headers were sent;
@@ -59,7 +59,7 @@ module Devise
         http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
       end
 
-      # Check if this is strategy is valid for params authentication by:
+      # Check if this is a valid strategy for params authentication by:
       #
       #   * Validating if the model allows params authentication;
       #   * If the request hits the sessions controller through POST;
@@ -102,9 +102,9 @@ module Devise
         params_auth_hash.is_a?(Hash)
       end
 
-      # Check if password is present and is not equal to "X" (default value for token).
+      # Check if password is present.
       def valid_password?
-        password.present? && password != "X"
+        password.present?
       end
 
       # Helper to decode credentials from HTTP.

data/lib/devise/strategies/base.rb

@@ -17,4 +17,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/strategies/database_authenticatable.rb

@@ -2,7 +2,7 @@ require 'devise/strategies/authenticatable'
 
 module Devise
   module Strategies
-    # Default strategy for signing in a user, based on his email and password in the database.
+    # Default strategy for signing in a user, based on their email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
         resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)

data/lib/devise/time_inflector.rb

@@ -11,4 +11,4 @@ module Devise
 
     @instance = new
   end
-end
+end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.2.2".freeze
+  VERSION = "3.2.3".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -11,9 +11,9 @@ module ActiveRecord
 
       def copy_devise_migration
         if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
-          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}"
+          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}.rb"
         else
-          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
+          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}.rb"
         end
       end
 

data/lib/generators/devise/install_generator.rb

@@ -20,6 +20,10 @@ module Devise
       def show_readme
         readme "README" if behavior == :invoke
       end
+
+      def rails_4?
+        Rails::VERSION::MAJOR == 4
+      end
     end
   end
 end

data/lib/generators/templates/README

@@ -2,8 +2,8 @@
 
 Some setup you must do manually if you haven't yet:
 
-  1. Ensure you have defined default url options in your environments files. Here 
-     is an example of default_url_options appropriate for a development environment 
+  1. Ensure you have defined default url options in your environments files. Here
+     is an example of default_url_options appropriate for a development environment
      in config/environments/development.rb:
 
        config.action_mailer.default_url_options = { :host => 'localhost:3000' }

data/lib/generators/templates/devise.rb

@@ -4,7 +4,11 @@ Devise.setup do |config|
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
+<% if rails_4? -%>
+  # config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% else -%>
   config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% end -%>
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
@@ -99,10 +103,10 @@ Devise.setup do |config|
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
-  # confirming his account. For instance, if set to 2.days, the user will be
-  # able to access the website for two days without confirming his account,
+  # confirming their account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming their account,
   # access will be blocked just in the third day. Default is 0.days, meaning
-  # the user cannot access the website without confirming his account.
+  # the user cannot access the website without confirming their account.
   # config.allow_unconfirmed_access_for = 2.days
 
   # A period that the user is allowed to confirm their account before their
@@ -134,7 +138,7 @@ Devise.setup do |config|
   # config.rememberable_options = {}
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 8..128.
+  # Range for password length.
   config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that

data/test/controllers/internal_helpers_test.rb

@@ -113,8 +113,11 @@ class HelpersTest < ActionController::TestCase
 
   test 'navigational_formats not returning a wild card' do
     MyController.send(:public, :navigational_formats)
-    Devise.navigational_formats = [:"*/*", :html]
-    assert_not @controller.navigational_formats.include?(:"*/*")
+
+    swap Devise, :navigational_formats => ['*/*', :html] do
+      assert_not @controller.navigational_formats.include?("*/*")
+    end
+
     MyController.send(:protected, :navigational_formats)
   end
 end

data/test/controllers/sessions_controller_test.rb

@@ -5,17 +5,21 @@ class SessionsControllerTest < ActionController::TestCase
   include Devise::TestHelpers
 
   test "#create doesn't raise unpermitted params when sign in fails" do
-    ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
-      flunk "Unpermitted params: #{payload}"
+    begin
+      subscriber = ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
+        flunk "Unpermitted params: #{payload}"
+      end
+      request.env["devise.mapping"] = Devise.mappings[:user]
+      request.session["user_return_to"] = 'foo.bar'
+      create_user
+      post :create, :user => {
+        :email => "wrong@email.com",
+        :password => "wrongpassword"
+      }
+      assert_equal 200, @response.status
+    ensure
+      ActiveSupport::Notifications.unsubscribe(subscriber)
     end
-    request.env["devise.mapping"] = Devise.mappings[:user]
-    request.session["user_return_to"] = 'foo.bar'
-    create_user
-    post :create, :user => {
-      :email => "wrong@email.com",
-      :password => "wrongpassword"
-    }
-    assert_equal 200, @response.status
   end
 
   test "#create works even with scoped views" do