devise 3.2.2 → 4.6.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of devise might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/CHANGELOG.md +242 -978
- data/MIT-LICENSE +1 -1
- data/README.md +371 -100
- data/app/controllers/devise/confirmations_controller.rb +11 -5
- data/app/controllers/devise/omniauth_callbacks_controller.rb +12 -6
- data/app/controllers/devise/passwords_controller.rb +21 -8
- data/app/controllers/devise/registrations_controller.rb +59 -26
- data/app/controllers/devise/sessions_controller.rb +47 -17
- data/app/controllers/devise/unlocks_controller.rb +9 -4
- data/app/controllers/devise_controller.rb +67 -31
- data/app/helpers/devise_helper.rb +12 -19
- data/app/mailers/devise/mailer.rb +10 -0
- data/app/views/devise/confirmations/new.html.erb +9 -5
- data/app/views/devise/mailer/confirmation_instructions.html.erb +1 -1
- data/app/views/devise/mailer/email_changed.html.erb +7 -0
- data/app/views/devise/mailer/password_change.html.erb +3 -0
- data/app/views/devise/mailer/reset_password_instructions.html.erb +1 -1
- data/app/views/devise/mailer/unlock_instructions.html.erb +1 -1
- data/app/views/devise/passwords/edit.html.erb +16 -7
- data/app/views/devise/passwords/new.html.erb +9 -5
- data/app/views/devise/registrations/edit.html.erb +29 -15
- data/app/views/devise/registrations/new.html.erb +20 -9
- data/app/views/devise/sessions/new.html.erb +19 -10
- data/app/views/devise/shared/_error_messages.html.erb +15 -0
- data/app/views/devise/shared/{_links.erb → _links.html.erb} +9 -9
- data/app/views/devise/unlocks/new.html.erb +9 -5
- data/config/locales/en.yml +23 -17
- data/lib/devise/controllers/helpers.rb +112 -32
- data/lib/devise/controllers/rememberable.rb +15 -6
- data/lib/devise/controllers/scoped_views.rb +3 -1
- data/lib/devise/controllers/sign_in_out.rb +42 -26
- data/lib/devise/controllers/store_location.rb +31 -5
- data/lib/devise/controllers/url_helpers.rb +9 -7
- data/lib/devise/delegator.rb +2 -0
- data/lib/devise/encryptor.rb +24 -0
- data/lib/devise/failure_app.rb +125 -39
- data/lib/devise/hooks/activatable.rb +7 -6
- data/lib/devise/hooks/csrf_cleaner.rb +5 -1
- data/lib/devise/hooks/forgetable.rb +2 -0
- data/lib/devise/hooks/lockable.rb +7 -2
- data/lib/devise/hooks/proxy.rb +4 -2
- data/lib/devise/hooks/rememberable.rb +4 -2
- data/lib/devise/hooks/timeoutable.rb +16 -9
- data/lib/devise/hooks/trackable.rb +3 -1
- data/lib/devise/mailers/helpers.rb +15 -12
- data/lib/devise/mapping.rb +8 -2
- data/lib/devise/models/authenticatable.rb +82 -56
- data/lib/devise/models/confirmable.rb +125 -42
- data/lib/devise/models/database_authenticatable.rb +110 -32
- data/lib/devise/models/lockable.rb +30 -17
- data/lib/devise/models/omniauthable.rb +3 -1
- data/lib/devise/models/recoverable.rb +62 -26
- data/lib/devise/models/registerable.rb +4 -0
- data/lib/devise/models/rememberable.rb +62 -33
- data/lib/devise/models/timeoutable.rb +4 -8
- data/lib/devise/models/trackable.rb +20 -4
- data/lib/devise/models/validatable.rb +16 -9
- data/lib/devise/models.rb +3 -1
- data/lib/devise/modules.rb +12 -10
- data/lib/devise/omniauth/config.rb +2 -0
- data/lib/devise/omniauth/url_helpers.rb +14 -5
- data/lib/devise/omniauth.rb +2 -0
- data/lib/devise/orm/active_record.rb +5 -1
- data/lib/devise/orm/mongoid.rb +6 -2
- data/lib/devise/parameter_filter.rb +4 -0
- data/lib/devise/parameter_sanitizer.rb +139 -65
- data/lib/devise/rails/routes.rb +147 -116
- data/lib/devise/rails/warden_compat.rb +3 -10
- data/lib/devise/rails.rb +10 -13
- data/lib/devise/secret_key_finder.rb +27 -0
- data/lib/devise/strategies/authenticatable.rb +20 -9
- data/lib/devise/strategies/base.rb +3 -1
- data/lib/devise/strategies/database_authenticatable.rb +14 -6
- data/lib/devise/strategies/rememberable.rb +15 -3
- data/lib/devise/test/controller_helpers.rb +165 -0
- data/lib/devise/test/integration_helpers.rb +63 -0
- data/lib/devise/test_helpers.rb +7 -124
- data/lib/devise/time_inflector.rb +4 -2
- data/lib/devise/token_generator.rb +3 -41
- data/lib/devise/version.rb +3 -1
- data/lib/devise.rb +111 -84
- data/lib/generators/active_record/devise_generator.rb +49 -12
- data/lib/generators/active_record/templates/migration.rb +9 -7
- data/lib/generators/active_record/templates/migration_existing.rb +9 -7
- data/lib/generators/devise/controllers_generator.rb +46 -0
- data/lib/generators/devise/devise_generator.rb +7 -5
- data/lib/generators/devise/install_generator.rb +21 -0
- data/lib/generators/devise/orm_helpers.rb +10 -21
- data/lib/generators/devise/views_generator.rb +49 -28
- data/lib/generators/mongoid/devise_generator.rb +21 -19
- data/lib/generators/templates/README +5 -12
- data/lib/generators/templates/controllers/README +14 -0
- data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
- data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
- data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
- data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
- data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
- data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
- data/lib/generators/templates/devise.rb +81 -36
- data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
- data/lib/generators/templates/markerb/email_changed.markerb +7 -0
- data/lib/generators/templates/markerb/password_change.markerb +3 -0
- data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
- data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +6 -2
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +9 -4
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +5 -2
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +14 -6
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +12 -4
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +11 -6
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +5 -2
- metadata +52 -280
- data/.gitignore +0 -10
- data/.travis.yml +0 -20
- data/.yardopts +0 -9
- data/CONTRIBUTING.md +0 -14
- data/Gemfile +0 -31
- data/Gemfile.lock +0 -160
- data/Rakefile +0 -35
- data/devise.gemspec +0 -27
- data/devise.png +0 -0
- data/gemfiles/Gemfile.rails-3.2.x +0 -31
- data/gemfiles/Gemfile.rails-3.2.x.lock +0 -159
- data/test/controllers/custom_strategy_test.rb +0 -62
- data/test/controllers/helpers_test.rb +0 -276
- data/test/controllers/internal_helpers_test.rb +0 -120
- data/test/controllers/passwords_controller_test.rb +0 -31
- data/test/controllers/sessions_controller_test.rb +0 -99
- data/test/controllers/url_helpers_test.rb +0 -59
- data/test/delegator_test.rb +0 -19
- data/test/devise_test.rb +0 -94
- data/test/failure_app_test.rb +0 -232
- data/test/generators/active_record_generator_test.rb +0 -103
- data/test/generators/devise_generator_test.rb +0 -39
- data/test/generators/install_generator_test.rb +0 -13
- data/test/generators/mongoid_generator_test.rb +0 -23
- data/test/generators/views_generator_test.rb +0 -67
- data/test/helpers/devise_helper_test.rb +0 -51
- data/test/integration/authenticatable_test.rb +0 -713
- data/test/integration/confirmable_test.rb +0 -284
- data/test/integration/database_authenticatable_test.rb +0 -84
- data/test/integration/http_authenticatable_test.rb +0 -105
- data/test/integration/lockable_test.rb +0 -239
- data/test/integration/omniauthable_test.rb +0 -133
- data/test/integration/recoverable_test.rb +0 -334
- data/test/integration/registerable_test.rb +0 -349
- data/test/integration/rememberable_test.rb +0 -167
- data/test/integration/timeoutable_test.rb +0 -183
- data/test/integration/trackable_test.rb +0 -92
- data/test/mailers/confirmation_instructions_test.rb +0 -115
- data/test/mailers/reset_password_instructions_test.rb +0 -96
- data/test/mailers/unlock_instructions_test.rb +0 -91
- data/test/mapping_test.rb +0 -127
- data/test/models/authenticatable_test.rb +0 -13
- data/test/models/confirmable_test.rb +0 -454
- data/test/models/database_authenticatable_test.rb +0 -249
- data/test/models/lockable_test.rb +0 -298
- data/test/models/omniauthable_test.rb +0 -7
- data/test/models/recoverable_test.rb +0 -184
- data/test/models/registerable_test.rb +0 -7
- data/test/models/rememberable_test.rb +0 -183
- data/test/models/serializable_test.rb +0 -49
- data/test/models/timeoutable_test.rb +0 -51
- data/test/models/trackable_test.rb +0 -13
- data/test/models/validatable_test.rb +0 -127
- data/test/models_test.rb +0 -144
- data/test/omniauth/config_test.rb +0 -57
- data/test/omniauth/url_helpers_test.rb +0 -54
- data/test/orm/active_record.rb +0 -10
- data/test/orm/mongoid.rb +0 -13
- data/test/parameter_sanitizer_test.rb +0 -81
- data/test/rails_app/Rakefile +0 -6
- data/test/rails_app/app/active_record/admin.rb +0 -6
- data/test/rails_app/app/active_record/shim.rb +0 -2
- data/test/rails_app/app/active_record/user.rb +0 -6
- data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
- data/test/rails_app/app/controllers/admins_controller.rb +0 -11
- data/test/rails_app/app/controllers/application_controller.rb +0 -9
- data/test/rails_app/app/controllers/home_controller.rb +0 -25
- data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
- data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
- data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
- data/test/rails_app/app/controllers/users_controller.rb +0 -31
- data/test/rails_app/app/helpers/application_helper.rb +0 -3
- data/test/rails_app/app/mailers/users/mailer.rb +0 -12
- data/test/rails_app/app/mongoid/admin.rb +0 -29
- data/test/rails_app/app/mongoid/shim.rb +0 -23
- data/test/rails_app/app/mongoid/user.rb +0 -39
- data/test/rails_app/app/views/admins/index.html.erb +0 -1
- data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
- data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
- data/test/rails_app/app/views/home/index.html.erb +0 -1
- data/test/rails_app/app/views/home/join.html.erb +0 -1
- data/test/rails_app/app/views/home/private.html.erb +0 -1
- data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
- data/test/rails_app/app/views/layouts/application.html.erb +0 -24
- data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
- data/test/rails_app/app/views/users/index.html.erb +0 -1
- data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
- data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
- data/test/rails_app/bin/bundle +0 -3
- data/test/rails_app/bin/rails +0 -4
- data/test/rails_app/bin/rake +0 -4
- data/test/rails_app/config/application.rb +0 -40
- data/test/rails_app/config/boot.rb +0 -14
- data/test/rails_app/config/database.yml +0 -18
- data/test/rails_app/config/environment.rb +0 -5
- data/test/rails_app/config/environments/development.rb +0 -30
- data/test/rails_app/config/environments/production.rb +0 -80
- data/test/rails_app/config/environments/test.rb +0 -36
- data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
- data/test/rails_app/config/initializers/devise.rb +0 -181
- data/test/rails_app/config/initializers/inflections.rb +0 -2
- data/test/rails_app/config/initializers/secret_token.rb +0 -8
- data/test/rails_app/config/initializers/session_store.rb +0 -1
- data/test/rails_app/config/routes.rb +0 -104
- data/test/rails_app/config.ru +0 -4
- data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -71
- data/test/rails_app/db/schema.rb +0 -55
- data/test/rails_app/lib/shared_admin.rb +0 -17
- data/test/rails_app/lib/shared_user.rb +0 -29
- data/test/rails_app/public/404.html +0 -26
- data/test/rails_app/public/422.html +0 -26
- data/test/rails_app/public/500.html +0 -26
- data/test/rails_app/public/favicon.ico +0 -0
- data/test/routes_test.rb +0 -250
- data/test/support/assertions.rb +0 -40
- data/test/support/helpers.rb +0 -70
- data/test/support/integration.rb +0 -92
- data/test/support/locale/en.yml +0 -8
- data/test/support/webrat/integrations/rails.rb +0 -24
- data/test/test_helper.rb +0 -27
- data/test/test_helpers_test.rb +0 -173
- data/test/test_models.rb +0 -33
@@ -1,99 +1,173 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
|
-
|
3
|
-
|
4
|
+
# The +ParameterSanitizer+ deals with permitting specific parameters values
|
5
|
+
# for each +Devise+ scope in the application.
|
6
|
+
#
|
7
|
+
# The sanitizer knows about Devise default parameters (like +password+ and
|
8
|
+
# +password_confirmation+ for the `RegistrationsController`), and you can
|
9
|
+
# extend or change the permitted parameters list on your controllers.
|
10
|
+
#
|
11
|
+
# === Permitting new parameters
|
12
|
+
#
|
13
|
+
# You can add new parameters to the permitted list using the +permit+ method
|
14
|
+
# in a +before_action+ method, for instance.
|
15
|
+
#
|
16
|
+
# class ApplicationController < ActionController::Base
|
17
|
+
# before_action :configure_permitted_parameters, if: :devise_controller?
|
18
|
+
#
|
19
|
+
# protected
|
20
|
+
#
|
21
|
+
# def configure_permitted_parameters
|
22
|
+
# # Permit the `subscribe_newsletter` parameter along with the other
|
23
|
+
# # sign up parameters.
|
24
|
+
# devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
|
25
|
+
# end
|
26
|
+
# end
|
27
|
+
#
|
28
|
+
# Using a block yields an +ActionController::Parameters+ object so you can
|
29
|
+
# permit nested parameters and have more control over how the parameters are
|
30
|
+
# permitted in your controller.
|
31
|
+
#
|
32
|
+
# def configure_permitted_parameters
|
33
|
+
# devise_parameter_sanitizer.permit(:sign_up) do |user|
|
34
|
+
# user.permit(newsletter_preferences: [])
|
35
|
+
# end
|
36
|
+
# end
|
37
|
+
class ParameterSanitizer
|
38
|
+
DEFAULT_PERMITTED_ATTRIBUTES = {
|
39
|
+
sign_in: [:password, :remember_me],
|
40
|
+
sign_up: [:password, :password_confirmation],
|
41
|
+
account_update: [:password, :password_confirmation, :current_password]
|
42
|
+
}
|
4
43
|
|
5
44
|
def initialize(resource_class, resource_name, params)
|
6
|
-
@
|
7
|
-
@resource_name = resource_name
|
45
|
+
@auth_keys = extract_auth_keys(resource_class)
|
8
46
|
@params = params
|
9
|
-
@
|
10
|
-
|
47
|
+
@resource_name = resource_name
|
48
|
+
@permitted = {}
|
11
49
|
|
12
|
-
|
13
|
-
|
14
|
-
@blocks[kind] = block
|
15
|
-
else
|
16
|
-
default_for(kind)
|
50
|
+
DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
|
51
|
+
permit(action, keys: keys)
|
17
52
|
end
|
18
53
|
end
|
19
54
|
|
20
|
-
|
21
|
-
|
22
|
-
|
55
|
+
# Sanitize the parameters for a specific +action+.
|
56
|
+
#
|
57
|
+
# === Arguments
|
58
|
+
#
|
59
|
+
# * +action+ - A +Symbol+ with the action that the controller is
|
60
|
+
# performing, like +sign_up+, +sign_in+, etc.
|
61
|
+
#
|
62
|
+
# === Examples
|
63
|
+
#
|
64
|
+
# # Inside the `RegistrationsController#create` action.
|
65
|
+
# resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
|
66
|
+
# resource.save
|
67
|
+
#
|
68
|
+
# Returns an +ActiveSupport::HashWithIndifferentAccess+ with the permitted
|
69
|
+
# attributes.
|
70
|
+
def sanitize(action)
|
71
|
+
permissions = @permitted[action]
|
72
|
+
|
73
|
+
if permissions.respond_to?(:call)
|
74
|
+
cast_to_hash permissions.call(default_params)
|
75
|
+
elsif permissions.present?
|
76
|
+
cast_to_hash permit_keys(default_params, permissions)
|
23
77
|
else
|
24
|
-
|
78
|
+
unknown_action!(action)
|
25
79
|
end
|
26
80
|
end
|
27
81
|
|
28
|
-
|
82
|
+
# Add or remove new parameters to the permitted list of an +action+.
|
83
|
+
#
|
84
|
+
# === Arguments
|
85
|
+
#
|
86
|
+
# * +action+ - A +Symbol+ with the action that the controller is
|
87
|
+
# performing, like +sign_up+, +sign_in+, etc.
|
88
|
+
# * +keys:+ - An +Array+ of keys that also should be permitted.
|
89
|
+
# * +except:+ - An +Array+ of keys that shouldn't be permitted.
|
90
|
+
# * +block+ - A block that should be used to permit the action
|
91
|
+
# parameters instead of the +Array+ based approach. The block will be
|
92
|
+
# called with an +ActionController::Parameters+ instance.
|
93
|
+
#
|
94
|
+
# === Examples
|
95
|
+
#
|
96
|
+
# # Adding new parameters to be permitted in the `sign_up` action.
|
97
|
+
# devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
|
98
|
+
#
|
99
|
+
# # Removing the `password` parameter from the `account_update` action.
|
100
|
+
# devise_parameter_sanitizer.permit(:account_update, except: [:password])
|
101
|
+
#
|
102
|
+
# # Using the block form to completely override how we permit the
|
103
|
+
# # parameters for the `sign_up` action.
|
104
|
+
# devise_parameter_sanitizer.permit(:sign_up) do |user|
|
105
|
+
# user.permit(:email, :password, :password_confirmation)
|
106
|
+
# end
|
107
|
+
#
|
108
|
+
#
|
109
|
+
# Returns nothing.
|
110
|
+
def permit(action, keys: nil, except: nil, &block)
|
111
|
+
if block_given?
|
112
|
+
@permitted[action] = block
|
113
|
+
end
|
29
114
|
|
30
|
-
|
31
|
-
|
32
|
-
|
115
|
+
if keys.present?
|
116
|
+
@permitted[action] ||= @auth_keys.dup
|
117
|
+
@permitted[action].concat(keys)
|
118
|
+
end
|
33
119
|
|
34
|
-
|
35
|
-
|
120
|
+
if except.present?
|
121
|
+
@permitted[action] ||= @auth_keys.dup
|
122
|
+
@permitted[action] = @permitted[action] - except
|
123
|
+
end
|
36
124
|
end
|
37
125
|
|
38
|
-
|
39
|
-
params.fetch(resource_name, {})
|
40
|
-
end
|
41
|
-
end
|
126
|
+
private
|
42
127
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
128
|
+
# Cast a sanitized +ActionController::Parameters+ to a +HashWithIndifferentAccess+
|
129
|
+
# that can be used elsewhere.
|
130
|
+
#
|
131
|
+
# Returns an +ActiveSupport::HashWithIndifferentAccess+.
|
132
|
+
def cast_to_hash(params)
|
133
|
+
# TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
|
134
|
+
params && params.to_h.with_indifferent_access
|
47
135
|
end
|
48
136
|
|
49
|
-
def
|
50
|
-
|
137
|
+
def default_params
|
138
|
+
if hashable_resource_params?
|
139
|
+
@params.fetch(@resource_name)
|
140
|
+
else
|
141
|
+
empty_params
|
142
|
+
end
|
51
143
|
end
|
52
144
|
|
53
|
-
def
|
54
|
-
|
145
|
+
def hashable_resource_params?
|
146
|
+
@params[@resource_name].respond_to?(:permit)
|
55
147
|
end
|
56
148
|
|
57
|
-
def
|
58
|
-
|
149
|
+
def empty_params
|
150
|
+
ActionController::Parameters.new({})
|
59
151
|
end
|
60
152
|
|
61
|
-
|
62
|
-
|
63
|
-
# TODO: We do need to flatten so it works with strong_parameters
|
64
|
-
# gem. We should drop it once we move to Rails 4 only support.
|
65
|
-
def permit(keys)
|
66
|
-
default_params.permit(*Array(keys))
|
153
|
+
def permit_keys(parameters, keys)
|
154
|
+
parameters.permit(*keys)
|
67
155
|
end
|
68
156
|
|
69
|
-
|
70
|
-
|
71
|
-
def default_for(kind)
|
72
|
-
@permitted[kind] || raise("No sanitizer provided for #{kind}")
|
73
|
-
end
|
157
|
+
def extract_auth_keys(klass)
|
158
|
+
auth_keys = klass.authentication_keys
|
74
159
|
|
75
|
-
|
76
|
-
if respond_to?(kind, true)
|
77
|
-
send(kind)
|
78
|
-
else
|
79
|
-
raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
|
80
|
-
end
|
160
|
+
auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
|
81
161
|
end
|
82
162
|
|
83
|
-
def
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
auth_keys + [:password, :password_confirmation]
|
89
|
-
when :account_update
|
90
|
-
auth_keys + [:password, :password_confirmation, :current_password]
|
91
|
-
end
|
92
|
-
end
|
163
|
+
def unknown_action!(action)
|
164
|
+
raise NotImplementedError, <<-MESSAGE.strip_heredoc
|
165
|
+
"Devise doesn't know how to sanitize parameters for '#{action}'".
|
166
|
+
If you want to define a new set of parameters to be sanitized use the
|
167
|
+
`permit` method first:
|
93
168
|
|
94
|
-
|
95
|
-
|
96
|
-
@resource_class.authentication_keys.keys : @resource_class.authentication_keys
|
169
|
+
devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
|
170
|
+
MESSAGE
|
97
171
|
end
|
98
172
|
end
|
99
173
|
end
|