devise 3.2.4 → 4.0.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of devise might be problematic. Click here for more details.

Files changed (178) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +0 -1
  3. data/.travis.yml +33 -17
  4. data/CHANGELOG.md +57 -1033
  5. data/CODE_OF_CONDUCT.md +22 -0
  6. data/CONTRIBUTING.md +2 -0
  7. data/Gemfile +5 -5
  8. data/Gemfile.lock +138 -115
  9. data/MIT-LICENSE +1 -1
  10. data/README.md +124 -65
  11. data/Rakefile +2 -1
  12. data/app/controllers/devise/confirmations_controller.rb +7 -3
  13. data/app/controllers/devise/omniauth_callbacks_controller.rb +8 -4
  14. data/app/controllers/devise/passwords_controller.rb +16 -6
  15. data/app/controllers/devise/registrations_controller.rb +22 -10
  16. data/app/controllers/devise/sessions_controller.rb +42 -14
  17. data/app/controllers/devise/unlocks_controller.rb +5 -2
  18. data/app/controllers/devise_controller.rb +63 -29
  19. data/app/mailers/devise/mailer.rb +4 -0
  20. data/app/views/devise/confirmations/new.html.erb +7 -3
  21. data/app/views/devise/mailer/password_change.html.erb +3 -0
  22. data/app/views/devise/passwords/edit.html.erb +14 -5
  23. data/app/views/devise/passwords/new.html.erb +7 -3
  24. data/app/views/devise/registrations/edit.html.erb +19 -9
  25. data/app/views/devise/registrations/new.html.erb +18 -7
  26. data/app/views/devise/sessions/new.html.erb +16 -7
  27. data/app/views/devise/shared/{_links.erb → _links.html.erb} +2 -2
  28. data/app/views/devise/unlocks/new.html.erb +7 -3
  29. data/bin/test +13 -0
  30. data/config/locales/en.yml +19 -16
  31. data/devise.gemspec +3 -4
  32. data/gemfiles/{Gemfile.rails-3.2-stable → Gemfile.rails-4.1-stable} +6 -6
  33. data/gemfiles/Gemfile.rails-4.1-stable.lock +167 -0
  34. data/gemfiles/{Gemfile.rails-head → Gemfile.rails-4.2-stable} +6 -6
  35. data/gemfiles/Gemfile.rails-4.2-stable.lock +189 -0
  36. data/gemfiles/Gemfile.rails-5.0-beta +37 -0
  37. data/gemfiles/Gemfile.rails-5.0-beta.lock +199 -0
  38. data/lib/devise/controllers/helpers.rb +94 -27
  39. data/lib/devise/controllers/rememberable.rb +9 -2
  40. data/lib/devise/controllers/sign_in_out.rb +2 -9
  41. data/lib/devise/controllers/store_location.rb +11 -3
  42. data/lib/devise/controllers/url_helpers.rb +7 -7
  43. data/lib/devise/encryptor.rb +22 -0
  44. data/lib/devise/failure_app.rb +72 -23
  45. data/lib/devise/hooks/activatable.rb +3 -4
  46. data/lib/devise/hooks/csrf_cleaner.rb +3 -1
  47. data/lib/devise/hooks/timeoutable.rb +13 -8
  48. data/lib/devise/mailers/helpers.rb +1 -1
  49. data/lib/devise/mapping.rb +6 -2
  50. data/lib/devise/models/authenticatable.rb +32 -28
  51. data/lib/devise/models/confirmable.rb +55 -22
  52. data/lib/devise/models/database_authenticatable.rb +32 -19
  53. data/lib/devise/models/lockable.rb +5 -5
  54. data/lib/devise/models/recoverable.rb +44 -20
  55. data/lib/devise/models/rememberable.rb +54 -27
  56. data/lib/devise/models/timeoutable.rb +0 -6
  57. data/lib/devise/models/trackable.rb +5 -3
  58. data/lib/devise/models/validatable.rb +3 -3
  59. data/lib/devise/models.rb +1 -1
  60. data/lib/devise/omniauth/url_helpers.rb +62 -4
  61. data/lib/devise/parameter_sanitizer.rb +176 -61
  62. data/lib/devise/rails/routes.rb +76 -59
  63. data/lib/devise/rails/warden_compat.rb +1 -10
  64. data/lib/devise/rails.rb +2 -11
  65. data/lib/devise/strategies/authenticatable.rb +15 -6
  66. data/lib/devise/strategies/database_authenticatable.rb +5 -4
  67. data/lib/devise/strategies/rememberable.rb +13 -3
  68. data/lib/devise/test_helpers.rb +12 -7
  69. data/lib/devise/token_generator.rb +1 -41
  70. data/lib/devise/version.rb +1 -1
  71. data/lib/devise.rb +150 -58
  72. data/lib/generators/active_record/devise_generator.rb +28 -4
  73. data/lib/generators/active_record/templates/migration.rb +3 -3
  74. data/lib/generators/active_record/templates/migration_existing.rb +3 -3
  75. data/lib/generators/devise/controllers_generator.rb +44 -0
  76. data/lib/generators/devise/install_generator.rb +15 -0
  77. data/lib/generators/devise/orm_helpers.rb +1 -18
  78. data/lib/generators/devise/views_generator.rb +14 -3
  79. data/lib/generators/templates/README +1 -1
  80. data/lib/generators/templates/controllers/README +14 -0
  81. data/lib/generators/templates/controllers/confirmations_controller.rb +28 -0
  82. data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +28 -0
  83. data/lib/generators/templates/controllers/passwords_controller.rb +32 -0
  84. data/lib/generators/templates/controllers/registrations_controller.rb +60 -0
  85. data/lib/generators/templates/controllers/sessions_controller.rb +25 -0
  86. data/lib/generators/templates/controllers/unlocks_controller.rb +28 -0
  87. data/lib/generators/templates/devise.rb +36 -28
  88. data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
  89. data/lib/generators/templates/markerb/password_change.markerb +3 -0
  90. data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
  91. data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
  92. data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +1 -1
  93. data/lib/generators/templates/simple_form_for/registrations/new.html.erb +1 -1
  94. data/lib/generators/templates/simple_form_for/sessions/new.html.erb +2 -2
  95. data/test/controllers/custom_registrations_controller_test.rb +40 -0
  96. data/test/controllers/custom_strategy_test.rb +7 -5
  97. data/test/controllers/helper_methods_test.rb +22 -0
  98. data/test/controllers/helpers_test.rb +41 -1
  99. data/test/controllers/inherited_controller_i18n_messages_test.rb +51 -0
  100. data/test/controllers/internal_helpers_test.rb +19 -15
  101. data/test/controllers/load_hooks_controller_test.rb +19 -0
  102. data/test/controllers/passwords_controller_test.rb +5 -4
  103. data/test/controllers/sessions_controller_test.rb +24 -21
  104. data/test/controllers/url_helpers_test.rb +7 -1
  105. data/test/devise_test.rb +48 -8
  106. data/test/failure_app_test.rb +107 -19
  107. data/test/generators/active_record_generator_test.rb +6 -26
  108. data/test/generators/controllers_generator_test.rb +48 -0
  109. data/test/generators/install_generator_test.rb +14 -3
  110. data/test/generators/views_generator_test.rb +8 -1
  111. data/test/helpers/devise_helper_test.rb +10 -12
  112. data/test/integration/authenticatable_test.rb +37 -21
  113. data/test/integration/confirmable_test.rb +54 -14
  114. data/test/integration/database_authenticatable_test.rb +12 -1
  115. data/test/integration/http_authenticatable_test.rb +4 -5
  116. data/test/integration/lockable_test.rb +10 -9
  117. data/test/integration/omniauthable_test.rb +13 -11
  118. data/test/integration/recoverable_test.rb +28 -15
  119. data/test/integration/registerable_test.rb +41 -33
  120. data/test/integration/rememberable_test.rb +51 -7
  121. data/test/integration/timeoutable_test.rb +23 -22
  122. data/test/integration/trackable_test.rb +3 -3
  123. data/test/mailers/confirmation_instructions_test.rb +10 -10
  124. data/test/mailers/reset_password_instructions_test.rb +8 -8
  125. data/test/mailers/unlock_instructions_test.rb +8 -8
  126. data/test/mapping_test.rb +7 -0
  127. data/test/models/authenticatable_test.rb +11 -1
  128. data/test/models/confirmable_test.rb +91 -42
  129. data/test/models/database_authenticatable_test.rb +26 -6
  130. data/test/models/lockable_test.rb +29 -17
  131. data/test/models/recoverable_test.rb +74 -7
  132. data/test/models/rememberable_test.rb +68 -94
  133. data/test/models/trackable_test.rb +28 -0
  134. data/test/models/validatable_test.rb +9 -17
  135. data/test/models_test.rb +15 -6
  136. data/test/omniauth/url_helpers_test.rb +4 -7
  137. data/test/orm/active_record.rb +6 -1
  138. data/test/parameter_sanitizer_test.rb +103 -53
  139. data/test/rails_app/app/active_record/user.rb +1 -0
  140. data/test/rails_app/app/active_record/user_on_engine.rb +7 -0
  141. data/test/rails_app/app/active_record/user_on_main_app.rb +7 -0
  142. data/test/rails_app/app/active_record/user_without_email.rb +8 -0
  143. data/test/rails_app/app/controllers/admins_controller.rb +1 -6
  144. data/test/rails_app/app/controllers/application_controller.rb +5 -2
  145. data/test/rails_app/app/controllers/application_with_fake_engine.rb +30 -0
  146. data/test/rails_app/app/controllers/custom/registrations_controller.rb +31 -0
  147. data/test/rails_app/app/controllers/home_controller.rb +5 -1
  148. data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +3 -3
  149. data/test/rails_app/app/controllers/users_controller.rb +6 -6
  150. data/test/rails_app/app/mailers/users/from_proc_mailer.rb +3 -0
  151. data/test/rails_app/app/mailers/users/mailer.rb +0 -9
  152. data/test/rails_app/app/mailers/users/reply_to_mailer.rb +4 -0
  153. data/test/rails_app/app/mongoid/user_on_engine.rb +39 -0
  154. data/test/rails_app/app/mongoid/user_on_main_app.rb +39 -0
  155. data/test/rails_app/app/mongoid/user_without_email.rb +33 -0
  156. data/test/rails_app/config/application.rb +3 -3
  157. data/test/rails_app/config/boot.rb +4 -4
  158. data/test/rails_app/config/environments/production.rb +6 -2
  159. data/test/rails_app/config/environments/test.rb +13 -3
  160. data/test/rails_app/config/initializers/devise.rb +15 -16
  161. data/test/rails_app/config/initializers/secret_token.rb +1 -6
  162. data/test/rails_app/config/routes.rb +23 -3
  163. data/test/rails_app/db/migrate/20100401102949_create_tables.rb +2 -2
  164. data/test/rails_app/lib/shared_user.rb +1 -1
  165. data/test/rails_app/lib/shared_user_without_email.rb +26 -0
  166. data/test/rails_app/lib/shared_user_without_omniauth.rb +13 -0
  167. data/test/rails_test.rb +9 -0
  168. data/test/routes_test.rb +33 -16
  169. data/test/support/assertions.rb +2 -3
  170. data/test/support/helpers.rb +13 -6
  171. data/test/support/http_method_compatibility.rb +51 -0
  172. data/test/support/integration.rb +4 -4
  173. data/test/support/webrat/integrations/rails.rb +9 -0
  174. data/test/test_helper.rb +7 -0
  175. data/test/test_helpers_test.rb +43 -38
  176. data/test/test_models.rb +3 -3
  177. metadata +77 -23
  178. data/gemfiles/Gemfile.rails-4.0-stable +0 -29
data/CHANGELOG.md CHANGED
@@ -1,1054 +1,78 @@
1
1
  ### Unreleased
2
2
 
3
- ### 3.2.4
3
+ ### 4.0.0 - 2016-04-18
4
4
 
5
- * enchancements
6
- * `bcrypt` dependency updated due https://github.com/codahale/bcrypt-ruby/pull/86.
7
- * View generator now can generate specific views with the `-v` flag, like `rails g devise:views -v sessions` (by @kayline)
8
-
9
- ### 3.2.3
10
-
11
- * enhancements
12
- * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
13
- You can change this and use your own secret by changing the `devise.rb` initializer.
14
-
15
- * bug fix
16
- * Migrations will be properly generated when using rails 4.1.0.
17
-
18
- ### 3.2.2
19
-
20
- * bug fix
21
- * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
22
- * Keep the query string when storing location (by @csexton)
23
- * Require rails generator base class in devise generators
24
-
25
- ### 3.2.1
26
-
27
- Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
28
-
29
- * enhancements
30
- * Add `store_location_for` helper and ensure it is safe (by @matthewrudy and @homakov)
31
- * Add `yield` around resource methods in Devise controllers (by @edelpero)
32
-
33
- * bug fix
34
- * Bring `password_digest` back to fix compatibility with `devise-encryptable`
35
- * Avoid e-mail enumeration on sign in when in paranoid mode
36
-
37
- ### 3.2.0
38
-
39
- * enhancements
40
- * Previously deprecated token authenticatable and insecure lookups have been removed
41
- * Add a class method so you can encrypt passwords from fixtures (by @tenderlove)
42
- * Send custom message when user enters invalid password and it has only one attempt
43
- to enter correct password before their account will be locked (by @Lightpower)
44
- * Prevent mutation of values assigned to case and whitespace santitized members (by @iamvery)
45
- * Separate redirects and flash messages in `navigational_formats` and `flashing_formats` (by @ssendev)
46
-
47
- * bug fix
48
- * A GET to sign_in page shouldn't extend the session (by @drewish)
49
- * Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful)
50
- * Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev)
51
- * Ensure timeoutable hook respects `Devise.sign_out_all_scopes` configuration
52
-
53
- * deprecations
54
- * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`
55
-
56
- ### 3.1.1
57
-
58
- * bug fix
59
- * Improve default message which asked users to sign in even when they were already signed (by @gregates)
60
- * Improve error message for when the config.secret_key is missing
61
-
62
- ### 3.1.0
63
-
64
- Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
65
-
66
- * backwards incompatible changes
67
- * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_token_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
68
- * The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
69
- * Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
70
-
71
- * deprecations
72
- * Token authentication is deprecated
73
-
74
- * enhancements
75
- * Better security defaults
76
- * Allow easier customization of parameter sanitizer (by @alexpeattie)
77
-
78
- * bug fix
79
- * Do not confirm e-mail after password reset (by @moll)
80
- * Do not sign in after confirmation
81
- * Do not store confirmation, unlock and reset password tokens directly in the database
82
- * Do not compare directly against confirmation, unlock and reset password tokens
83
- * Skip storage for cookies on unverified requests
84
-
85
- ### 3.0.2
86
-
87
- * bug fix
88
- * Skip storage for cookies on unverified requests
89
-
90
- ### 3.0.1
91
-
92
- Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
93
-
94
- * enhancements
95
- * Add after_confirmation callback
96
-
97
- * bug fix
98
- * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
99
- * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
100
-
101
- ### 3.0.0
102
-
103
- * enhancements
104
- * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
105
- * Drop support for Rails < 3.2 and Ruby < 1.9.3
106
- * Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
107
-
108
- * bug fix
109
- * Errors on unlock are now properly reflected on the first `unlock_keys`
110
-
111
- ### 2.2.4
112
-
113
- * enhancements
114
- * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
115
- * Allow to override path after password resetting (by @worker8)
116
- * Add `#skip_confirmation_notification!` method to `Confirmable`. Allows skipping confirmation email without auto-confirming. (by @gregates)
117
- * allow_unconfirmed_access_for config from `:confirmable` module can be set to `nil` that means unconfirmed access for unlimited time. (by @nashby)
118
- * Support Rails' token strategy on authentication (by @robhurring)
119
- * Support explicitly setting the http authentication key via `config.http_authentication_key` (by @neo)
120
-
121
- * bug fix
122
- * Do not redirect when accessing devise API via JSON. (by @sebastianwr)
123
- * Generating scoped devise views now uses the correct scoped shared links partial instead of the default devise one (by @nashby)
124
- * Fix inheriting mailer templates from `Devise::Mailer`
125
- * Fix a bug when procs are used as default mailer in Devise (by @tomasv)
126
-
127
- * backwards incompatible changes
128
- * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
129
-
130
- ### 2.2.3
131
-
132
- Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
133
-
134
- * bug fix
135
- * Require string conversion for all values
136
-
137
- ### 2.2.2
138
-
139
- * bug fix
140
- * Fix bug when checking for reconfirmable in templates
141
-
142
- ### 2.2.1
143
-
144
- * bug fix
145
- * Fix regression with case_insensitive_keys
146
- * Fix regression when password is blank when it is invalid
147
-
148
- ### 2.2.0
149
-
150
- * backwards incompatible changes
151
- * `headers_for` is deprecated, customize the mailer directly instead
152
- * All mailer methods now expect a second argument with delivery options
153
- * Default minimum password length is now 8 (by @carlosgaldino)
154
- * Support alternate sign in error message when email record does not exist (this adds a new I18n key to the locale file) (by @gabetax)
155
- * DeviseController responds only to HTML requests by default (call `DeviseController.respond_to` or `ApplicationController.respond_to` to add new formats)
156
- * Support Mongoid 3 onwards (by @durran)
157
-
158
- * enhancements
159
- * Fix unlockable which could leak account existence on paranoid mode (by @latortuga)
160
- * Confirmable now has a confirm_within option to set a period while the confirmation token is still valid (by @promisedlandt)
161
- * Flash messages in controller now respects `resource_name` (by @latortuga)
162
- * Separate `sign_in` and `sign_up` on RegistrationsController (by @rubynortheast)
163
- * Add autofocus to default views (by @Radagaisus)
164
- * Unlock user on password reset (by @marcinb)
165
- * Allow validation callbacks to apply to virtual attributes (by @latortuga)
166
-
167
- * bug fix
168
- * unconfirmed_email now uses the proper e-mail on salutation
169
- * Fix default email_regexp config to not allow spaces (by @kukula)
170
- * Fix a regression introduced on warden 1.2.1 (by @ejfinneran)
171
- * Properly camelize omniauth strategies (by @saizai)
172
- * Do not set flash messages for non navigational requests on session sign out (by @mathieul)
173
- * Set the proper fields as required on the lockable module (by @nickhoffman)
174
- * Respects Devise mailer default's reply_to (by @mrchrisadams)
175
- * Properly assign resource on `sign_in` related action (by @adammcnamara)
176
- * `update_with_password` doesn't change encrypted password when it is invalid (by @nashby)
177
- * Properly handle namespaced models on Active Record generator (by @nashby)
178
-
179
- ### 2.1.4
180
-
181
- * bugfix
182
- * Do not confirm account after reset password
183
-
184
- ### 2.1.3
185
-
186
- * bugfix
187
- * Require string conversion for all values
188
-
189
- ### 2.1.2
190
-
191
- * enhancements
192
- * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
193
-
194
- * bug fix
195
- * Fix regression on strategy validation on previous release
196
-
197
- ### 2.1.1 (yanked)
198
-
199
- * enhancements
200
- * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
201
- * `Devise.omniauth_path_prefix` is available to configure omniauth path prefix
202
- * Redirect to sign in page when trying to access password#edit without a token (by @gbataille)
203
- * Allow a lambda in authenticate(d) routes helpers to further select the scope
204
- * Removed warnings on Rails 3.2.6 (by @nashby)
205
-
206
- * bug fix
207
- * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn)
208
- * Do not trigger timeout on sign in related actions
209
- * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller)
210
-
211
- * deprecations
212
- * Strategy#validate() no longer validates nil resources
213
-
214
- ### 2.1.0
215
-
216
- * enhancements
217
- * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
218
- * Add `skip_reconfirmation!` to skip reconfirmation
219
- * Devise model generator now works with engines
220
- * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable)
221
-
222
- * deprecations
223
- * Deprecations warnings added on Devise 2.0 are now removed with their features
224
- * All devise modules should now have a `required_fields(klass)` module method to help gathering missing attributes
225
- * `use_salt_as_remember_token` and `apply_schema` does not have any effect since 2.0 and are now deprecated
226
- * `valid_for_authentication?` must now return a boolean
227
-
228
- * bug fix
229
- * Ensure after sign in hook is not called without a resource
230
- * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
231
- * Fixed redirect when authenticated mounted apps (by @hakanensari)
232
- * Ensure the failure app still respects config.relative_url_root
233
- * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium)
234
- * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores)
235
- * Added token expiration on timeout (by @antiarchitect)
236
- * Do not accidentally mark `_prefixes` as private
237
- * Better support for custom strategies on test helpers (by @mattconnolly)
238
- * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
239
- * Reverted moving devise/shared/_links.erb to devise/_links.erb
240
-
241
- ### 2.0.4
242
-
243
- Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
244
-
245
- * bug fix
246
- * Fix when :host is used with devise_for (by @mreinsch)
247
- * Fix a regression that caused Warden to be initialized too late
248
-
249
- ### 2.0.3 (yanked)
250
-
251
- * bug fix
252
- * Ensure warning is not shown by mistake on apps with mounted engines
253
- * Fixes related to remember_token and rememberable_options
254
- * Ensure serializable_hash does not depend on accessible attributes
255
- * Ensure that timeout callback does not run on sign out action
256
-
257
- ### 2.0.2
258
-
259
- * enhancements
260
- * Add devise_i18n_options to customize I18n message
261
-
262
- * bug fix
263
- * Ensure Devise.available_router_name defaults to :main_app
264
- * Set autocomplete to off for password on edit forms
265
- * Better error messages in case a trackable model can't be saved
266
- * Show a warning in case someone gives a pluralized name to devise generator
267
- * Fix test behavior for rspec subject requests (by @sj26)
268
-
269
- ### 2.0.1
270
-
271
- * enhancements
272
- * Improved error messages on deprecation warnings
273
- * Hide Devise's internal generators from `rails g` command
274
-
275
- * bug fix
276
- * Removed tmp and log files from gem
277
-
278
- ### 2.0.0
279
-
280
- * enhancements
281
- * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
282
- * Redirect users to sign in page after unlock (by @nashby)
283
- * Redirect to the previous URL on timeout
284
- * Inherit from the same Devise parent controller (by @sj26)
285
- * Allow parent_controller to be customizable via Devise.parent_controller, useful for engines
286
- * Allow router_name to be customizable via Devise.router_name, useful for engines
287
- * Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81)
288
-
289
- * deprecation
290
- * Devise now only supports Rails 3.1 forward
291
- * Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
292
- * Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
293
- * Usage of Devise.apply_schema is deprecated
294
- * Usage of Devise migration helpers are deprecated
295
- * Usage of Devise.remember_across_browsers was deprecated
296
- * Usage of rememberable with remember_token was removed
297
- * Usage of recoverable without reset_password_sent_at was removed
298
- * Usage of Devise.case_insensitive_keys equals to false was removed
299
- * Move devise/shared/_links.erb to devise/_links.erb
300
- * Deprecated support of nested devise_for blocks
301
- * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
302
- * Protected method render_with_scope was removed.
303
-
304
- ### 1.5.3
305
-
306
- * bug fix
307
- * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
308
- * Ensure passing :format => false to devise_for is not permanent
309
- * Ensure path checker does not check invalid routes
310
-
311
- ### 1.5.2
312
-
313
- * enhancements
314
- * Add support for Rails 3.1 new mass assignment conventions (by @kirs)
315
- * Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest)
316
-
317
- * bug fix
318
- * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)
319
-
320
- ### 1.5.1
321
-
322
- * bug fix
323
- * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.
324
-
325
- ### 1.5.0
326
-
327
- * enhancements
328
- * Timeoutable also skips tracking if skip_trackable is given
329
- * devise_for now accepts :failure_app as an option
330
- * Models can select the proper mailer via devise_mailer method (by @locomotivecms)
331
- * Migration generator now uses the change method (by @nashby)
332
- * Support to markerb templates on the mailer generator (by @sbounmy)
333
- * Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus)
334
-
335
- * bug fix
336
- * Allow idempotent API requests
337
- * Fix bug where logs did not show 401 as status code
338
- * Change paranoid settings to behave as success instead of as failure
339
- * Fix bug where activation messages were shown first than the credentials error message
340
- * Instance variables are expired after sign out
341
-
342
- * deprecation
343
- * redirect_location is deprecated, please use after_sign_in_path_for
344
- * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it
345
-
346
- ### 1.4.9
347
-
348
- * bug fix
349
- * url helpers were not being set under some circumstances
350
-
351
- ### 1.4.8
352
-
353
- * enhancements
354
- * Add docs for assets pipeline and Heroku
355
-
356
- * bug fix
357
- * confirmation_url was not being set under some circumstances
358
-
359
- ### 1.4.7
360
-
361
- * bug fix
362
- * Fix backward incompatible change from 1.4.6 for those using custom controllers
363
-
364
- ### 1.4.6 (yanked)
365
-
366
- * enhancements
367
- * Allow devise_for :skip => :all
368
- * Allow options to be passed to authenticate_user!
369
- * Allow --skip-routes to devise generator
370
- * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
371
-
372
- ### 1.4.5
373
-
374
- * bug fix
375
- * Failure app tries the root path if a session one does not exist
376
- * No need to finalize Devise helpers all the time (by @bradleypriest)
377
- * Reset password shows proper message if user is not active
378
- * `clean_up_passwords` sets the accessors to nil to skip validations
379
-
380
- ### 1.4.4
381
-
382
- * bug fix
383
- * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually
384
-
385
- ### 1.4.3
386
-
387
- * enhancements
388
- * Improve Rails 3.1 compatibility
389
- * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility
390
-
391
- * bug fix
392
- * Generator properly generates a change_table migration if a model already exists
393
- * Properly deprecate setup_mail
394
- * Fix encoding issues with email regexp
395
- * Only generate helpers for the used mappings
396
- * Wrap :action constraints in the proper hash
397
-
398
- * deprecations
399
- * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation
400
-
401
- ### 1.4.2
402
-
403
- * bug fix
404
- * Provide a more robust behavior to serializers and add :force_except option
405
-
406
- ### 1.4.1
407
-
408
- * enhancements
409
- * Add :defaults and :format support on router
410
- * Add simple form generators
411
- * Better localization for devise_error_messages! (by @zedtux)
412
-
413
- * bug fix
414
- * Ensure to_xml is properly white listened
415
- * Ensure handle_unverified_request clean up any cached signed-in user
416
-
417
- ### 1.4.0
418
-
419
- * enhancements
420
- * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
421
- * Improve e-mail regexp (by @rodrigoflores)
422
- * Add strip_whitespace_keys and default to e-mail (by @swrobel)
423
- * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut)
424
- * Added update_without_password to update models but not allowing the password to change (by @fschwahn)
425
- * Added config.paranoid, check the generator for more information (by @rodrigoflores)
426
-
427
- * bug fix
428
- * password_required? should not affect length validation
429
- * User cannot access sign up and similar pages if they are already signed in through a cookie or token
430
- * Do not convert booleans to strings on finders (by @xavier)
431
- * Run validations even if current_password fails (by @crx)
432
- * Devise now honors routes constraints (by @macmartine)
433
- * Do not return the user resource when requesting instructions (by @rodrigoflores)
434
-
435
- ### 1.3.4
436
-
437
- * bug fix
438
- * Do not add formats if html or "*/*"
439
-
440
- ### 1.3.3
441
-
442
- * bug fix
443
- * Explicitly mark the token as expired if so
444
-
445
- ### 1.3.2
446
-
447
- * bug fix
448
- * Fix another regression related to reset_password_sent_at (by @alexdreher)
449
-
450
- ### 1.3.1
451
-
452
- * enhancements
453
- * Improve failure_app responses (by @indirect)
454
- * sessions/new and registrations/new also respond to xml and json now
455
-
456
- * bug fix
457
- * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)
458
-
459
- ### 1.3.0
460
-
461
- * enhancements
462
- * All controllers can now handle different mime types than html using Responders (by @sikachu)
463
- * Added reset_password_within as configuration option to send the token for recovery (by @jdguyot)
464
- * Bump password length to 128 characters (by @k33l0r)
465
- * Add :only as option to devise_for (by @timoschilling)
466
- * Allow to override path after sending password instructions (by @irohiroki)
467
- * require_no_authentication has its own flash message (by @jackdempsey)
468
-
469
- * bug fix
470
- * Fix a bug where configuration options were being included too late
471
- * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger)
472
- * valid_password? should not choke on empty passwords (by @mikel)
473
- * Calling devise more than once does not include previously added modules anymore
474
- * downcase_keys before validation
475
-
476
- * backward incompatible changes
477
- * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
478
-
479
- ### 1.2.1
480
-
481
- * enhancements
482
- * Improve update path messages
483
-
484
- ### 1.2.0
485
-
486
- * bug fix
487
- * Properly ignore path prefix on omniauthable
488
- * Faster uniqueness queries
489
- * Rename active? to active_for_authentication? to avoid conflicts
490
-
491
- ### 1.2.rc2
492
-
493
- * enhancements
494
- * Make friendly_token 20 chars long
495
- * Use secure_compare
496
-
497
- * bug fix
498
- * Fix an issue causing infinite redirects in production
499
- * rails g destroy works properly with devise generators (by @andmej)
500
- * before_failure callbacks should work on test helpers (by @twinge)
501
- * rememberable cookie now is httponly by default (by @JamesFerguson)
502
- * Add missing confirmation_keys (by @JohnPlummer)
503
- * Ensure after_* hooks are called on RegistrationsController
504
- * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
505
- * Ensure stateless token does not trigger timeout (by @pixelauthority)
506
- * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
507
- * Consider namespaces while generating routes
508
- * Custom failure apps no longer ignored in test mode (by @jaghion)
509
- * Do not depend on ActiveModel::Dirty
510
- * Manual sign_in now triggers remember token
511
- * Be sure to halt strategies on failures
512
- * Consider SCRIPT_NAME on Omniauth paths
513
- * Reset failed attempts when lock is expired
514
- * Ensure there is no Mongoid injection
515
-
516
- * deprecations
517
- * Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes)
518
- * Removed --haml and --slim view templates
519
- * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode
520
-
521
- ### 1.2.rc
522
-
523
- * deprecations
524
- * cookie_domain is deprecated in favor of cookie_options
525
- * after_update_path_for can no longer be defined in ApplicationController
526
-
527
- * enhancements
528
- * Added OmniAuth support
529
- * Added ORM adapter to abstract ORM iteraction
530
- * sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld)
531
- * Improved Ajax requests handling in failure app (by @spastorino)
532
- * Added request_keys to easily use request specific values (like subdomain) in authentication
533
- * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)
534
- * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai)
535
- * Extracted encryptors into :encryptable for better bcrypt support
536
- * :rememberable is now able to use salt as token if no remember_token is provided
537
- * Store the salt in session and expire the session if the user changes their password
538
- * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
539
- * cookie_options uses session_options values by default
540
- * Sign up now checks if the user is active or not and redirect them accordingly, setting the inactive_signed_up message
541
- * Use ActiveModel#to_key instead of #id
542
- * sign_out_all_scopes now destroys the whole session
543
- * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl)
544
-
545
- * default behavior changes
546
- * sign_out_all_scopes defaults to true as security measure
547
- * http authenticatable is disabled by default
548
- * Devise does not intercept 401 returned from applications
549
-
550
- * bugfix
551
- * after_sign_in_path_for always receives a resource
552
- * Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo)
553
- * Allow password recovery and account unlocking to change used keys (by @RStankov)
554
- * FailureApp now properly handles nil request.format
555
- * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
556
- * Ensure namespaces has proper scoped views
557
- * Ensure Devise does not set empty flash messages (by @sxross)
558
-
559
- ### 1.1.6
560
-
561
- * Use a more secure e-mail regexp
562
- * Implement Rails 3.0.4 handle unverified request
563
- * Use secure_compare to compare passwords
564
-
565
- ### 1.1.5
566
-
567
- * bugfix
568
- * Ensure to convert keys on indifferent hash
569
-
570
- * defaults
571
- * Set config.http_authenticatable to false to avoid confusion
572
-
573
- ### 1.1.4
574
-
575
- * bugfix
576
- * Avoid session fixation attacks
577
-
578
- ### 1.1.3
579
-
580
- * bugfix
581
- * Add reply-to to e-mail headers by default
582
- * Updated the views generator to respect the rails :template_engine option (by @fredwu)
583
- * Check the type of HTTP Authentication before using Basic headers
584
- * Avoid invalid_salt errors by checking salt presence (by @thibaudgg)
585
- * Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane)
586
- * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
587
- * :default options is now honored in migrations
588
-
589
- ### 1.1.2
590
-
591
- * bugfix
592
- * Compatibility with latest Rails routes schema
593
-
594
- ### 1.1.1
595
-
596
- * bugfix
597
- * Fix a small bug where generated locale file was empty on devise:install
598
-
599
- ### 1.1.0
600
-
601
- * enhancements
602
- * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
603
- * Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk)
604
- * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
605
- * Support `as` or `devise_scope` in the router to specify controller access scope
606
- * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja)
607
-
608
- * bug fix
609
- * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
610
- * Devise should respect script_name and path_info contracts
611
- * Fix a bug when accessing a path with (.:format) (by @klacointe)
612
- * Do not add unlock routes unless unlock strategy is email or both
613
- * Email should be case insensitive
614
- * Store classes as string in session, to avoid serialization and stale data issues
615
-
616
- * deprecations
617
- * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead
618
-
619
- ### 1.1.rc2
620
-
621
- * enhancements
622
- * Allow to set cookie domain for the remember token. (by @mantas)
623
- * Added navigational formats to specify when it should return a 302 and when a 401.
624
- * Added authenticate(scope) support in routes (by @wildchild)
625
- * Added after_update_path_for to registrations controller (by @thedelchop)
626
- * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer"
627
-
628
- * bug fix
629
- * Fix a bug where session was timing out on sign out
630
-
631
- * deprecations
632
- * bcrypt is now the default encryptor
633
- * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject
634
- * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
635
- * Generators now use Rails 3 syntax (devise:install) instead of devise_install
636
-
637
- ### 1.1.rc1
638
-
639
- * enhancements
640
- * Rails 3 compatibility
641
- * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions"
642
- * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise
643
- * Use metal for failure app
644
- * HTML e-mails now have proper formatting
645
- * Allow to give :skip and :controllers in routes
646
- * Move trackable logic to the model
647
- * E-mails now use any template available in the filesystem. Easy to create multipart e-mails
648
- * E-mails asks headers_for in the model to set the proper headers
649
- * Allow to specify haml in devise_views
650
- * Compatibility with Mongoid
651
- * Make config.devise available on config/application.rb
652
- * TokenAuthenticatable now works with HTTP Basic Auth
653
- * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself
654
- * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3
655
- * :activatable is included by default in your models
656
-
657
- * bug fix
658
- * Fix a bug with STI
659
-
660
- * deprecations
661
- * Rails 3 compatible only
662
- * Removed support for MongoMapper
663
- * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new"
664
- * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead
665
- * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options
666
- * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
667
- * :as and :scope in routes is deprecated. Use :path and :singular instead
668
-
669
- ### 1.0.8
670
-
671
- * enhancements
672
- * Support for latest MongoMapper
673
- * Added anybody_signed_in? helper (by @SSDany)
674
-
675
- * bug fix
676
- * confirmation_required? is properly honored on active? calls. (by @paulrosania)
677
-
678
- ### 1.0.7
679
-
680
- * bug fix
681
- * Ensure password confirmation is always required
682
-
683
- * deprecations
684
- * authenticatable was deprecated and renamed to database_authenticatable
685
- * confirmable is not included by default on generation
686
-
687
- ### 1.0.6
688
-
689
- * bug fix
690
- * Do not allow unlockable strategies based on time to access a controller.
691
- * Do not send unlockable email several times.
692
- * Allow controller to upstram custom! failures to Warden.
693
-
694
- ### 1.0.5
695
-
696
- * bug fix
697
- * Use prepend_before_filter in require_no_authentication.
698
- * require_no_authentication on unlockable.
699
- * Fix a bug when giving an association proxy to devise.
700
- * Do not use lock! on lockable since it's part of ActiveRecord API.
701
-
702
- ### 1.0.4
703
-
704
- * bug fix
705
- * Fixed a bug when deleting an account with rememberable
706
- * Fixed a bug with custom controllers
707
-
708
- ### 1.0.3
709
-
710
- * enhancements
711
- * HTML e-mails now have proper formatting
712
- * Do not remove MongoMapper options in find
713
-
714
- ### 1.0.2
715
-
716
- * enhancements
717
- * Allows you set mailer content type (by @glennr)
718
-
719
- * bug fix
720
- * Uses the same content type as request on http authenticatable 401 responses
721
-
722
- ### 1.0.1
723
-
724
- * enhancements
725
- * HttpAuthenticatable is not added by default automatically.
726
- * Avoid mass assignment error messages with current password.
727
-
728
- * bug fix
729
- * Fixed encryptors autoload
730
-
731
- ### 1.0.0
732
-
733
- * deprecation
734
- * :old_password in update_with_password is deprecated, use :current_password instead
735
-
736
- * enhancements
737
- * Added Registerable
738
- * Added Http Basic Authentication support
739
- * Allow scoped_views to be customized per controller/mailer class
740
- * Allow authenticatable to used in change_table statements
741
-
742
- ### 0.9.2
743
-
744
- * bug fix
745
- * Ensure inactive user cannot sign in
746
- * Ensure redirect to proper url after sign up
747
-
748
- * enhancements
749
- * Added gemspec to repo
750
- * Added token authenticatable (by @grimen)
751
-
752
- ### 0.9.1
753
-
754
- * bug fix
755
- * Allow bigger salt size (by @jgeiger)
756
- * Fix relative url root
757
-
758
- ### 0.9.0
759
-
760
- * deprecation
761
- * devise :all is deprecated
762
- * :success and :failure flash messages are now :notice and :alert
763
-
764
- * enhancements
765
- * Added devise lockable (by @mhfs)
766
- * Warden 0.9.0 compatibility
767
- * Mongomapper 0.6.10 compatibility
768
- * Added Devise.add_module as hooks for extensions (by @grimen)
769
- * Ruby 1.9.1 compatibility (by @grimen)
770
-
771
- * bug fix
772
- * Accept path prefix not starting with slash
773
- * url helpers should rely on find_scope!
774
-
775
- ### 0.8.2
776
-
777
- * enhancements
778
- * Allow Devise.mailer_sender to be a proc (by @grimen)
779
-
780
- * bug fix
781
- * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)
782
-
783
- ### 0.8.1
784
-
785
- * enhancements
786
- * Move salt to encryptors
787
- * Devise::Lockable
788
- * Moved view links into partial and I18n'ed them
789
-
790
- * bug fix
791
- * Bcrypt generator was not being loaded neither setting the proper salt
792
-
793
- ### 0.8.0
794
-
795
- * enhancements
796
- * Warden 0.8.0 compatibility
797
- * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work
798
- * Added :bcrypt encryptor (by @capotej)
799
-
800
- * bug fix
801
- * sign_in_count is also increased when user signs in via password change, confirmation, etc..
802
- * More DataMapper compatibility (by @lancecarlson)
803
-
804
- * deprecation
805
- * Removed DeviseMailer.sender
806
-
807
- ### 0.7.5
808
-
809
- * enhancements
810
- * Set a default value for mailer to avoid find_template issues
811
- * Add models configuration to MongoMapper::EmbeddedDocument as well
812
-
813
- ### 0.7.4
814
-
815
- * enhancements
816
- * Extract Activatable from Confirmable
817
- * Decouple Serializers from Devise modules
818
-
819
- ### 0.7.3
820
-
821
- * bug fix
822
- * Give scope to the proper model validation
823
-
824
- * enhancements
825
- * Mail views are scoped as well
826
- * Added update_with_password for authenticatable
827
- * Allow render_with_scope to accept :controller option
828
-
829
- ### 0.7.2
830
-
831
- * deprecation
832
- * Renamed reset_confirmation! to resend_confirmation!
833
- * Copying locale is part of the installation process
834
-
835
- * bug fix
836
- * Fixed render_with_scope to work with all controllers
837
- * Allow sign in with two different users in Devise::TestHelpers
838
-
839
- ### 0.7.1
840
-
841
- * enhancements
842
- * Small enhancements for other plugins compatibility (by @grimen)
843
-
844
- ### 0.7.0
845
-
846
- * deprecations
847
- * :authenticatable is not included by default anymore
848
-
849
- * enhancements
850
- * Improve loading process
851
- * Extract SessionSerializer from Authenticatable
852
-
853
- ### 0.6.3
854
-
855
- * bug fix
856
- * Added trackable to migrations
857
- * Allow inflections to work
858
-
859
- ### 0.6.2
860
-
861
- * enhancements
862
- * More DataMapper compatibility
863
- * Devise::Trackable - track sign in count, timestamps and ips
864
-
865
- ### 0.6.1
866
-
867
- * enhancements
868
- * Devise::Timeoutable - timeout sessions without activity
869
- * DataMapper now accepts conditions
870
-
871
- ### 0.6.0
872
-
873
- * deprecations
874
- * :authenticatable is still included by default, but yields a deprecation warning
875
-
876
- * enhancements
877
- * Added DataMapper support
878
- * Remove store_location from authenticatable strategy and add it to failure app
879
- * Allow a strategy to be placed after authenticatable
880
- * Do not rely attribute? methods, since they are not added on Datamapper
881
-
882
- ### 0.5.6
883
-
884
- * enhancements
885
- * Do not send nil to build (DataMapper compatibility)
886
- * Allow to have scoped views
887
-
888
- ### 0.5.5
889
-
890
- * enhancements
891
- * Allow overwriting find for authentication method
892
- * Remove Ruby 1.8.7 dependency
893
-
894
- ### 0.5.4
5
+ * bug fixes
6
+ * Fix the `extend_remember_period` configuration. When set to `false` it does
7
+ not update the cookie expiration anymore.(by @ulissesalmeida)
895
8
 
896
9
  * deprecations
897
- * Deprecate :singular in devise_for and use :scope instead
898
-
899
- * enhancements
900
- * Create after_sign_in_path_for and after_sign_out_path_for hooks to be
901
- overwriten in ApplicationController
902
- * Create sign_in_and_redirect and sign_out_and_redirect helpers
903
- * Warden::Manager.default_scope is automatically configured to the first given scope
10
+ * Added a warning of default value change in Devise 4.1 for users that uses
11
+ the the default configuration of the following configurations: (by @ulissesalmeida)
12
+ * `strip_whitespace_keys` - The default will be `[:email]`.
13
+ * `skip_session_storage` - The default will be `[:http_auth]`.
14
+ * `sign_out_via` - The default will be `:delete`.
15
+ * `reconfirmable` - The default will be `true`.
16
+ * `email_regexp` - The default will be `/\A[^@\s]+@[^@\s]+\z/`.
17
+ * Removed deprecated argument of `Devise::Models::Rememberable#remember_me!` (by @ulissesalmeida)
18
+ * Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in!
19
+ (by @bogdanvlviv)
904
20
 
905
- ### 0.5.3
906
-
907
- * bug fix
908
- * MongoMapper now converts DateTime to Time
909
- * Ensure all controllers are unloadable
910
-
911
- * enhancements
912
- * Moved friendly_token to Devise
913
- * Added Devise.all, so you can freeze your app strategies
914
- * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
915
- in cases you don't want it be handlded automatically
916
-
917
- ### 0.5.2
918
-
919
- * enhancements
920
- * Improved sign_in and sign_out helpers to accepts resources
921
- * Added stored_location_for as a helper
922
- * Added test helpers
923
-
924
- ### 0.5.1
925
-
926
- * enhancements
927
- * Added serializers based on Warden ones
928
- * Allow authentication keys to be set
929
-
930
- ### 0.5.0
931
-
932
- * bug fix
933
- * Fixed a bug where remember me module was not working properly
21
+ ### 4.0.0.rc2 - 2016-03-09
934
22
 
935
23
  * enhancements
936
- * Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs)
937
- * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
938
- * Added support for MongoMapper (by @shingara)
939
-
940
- ### 0.4.3
941
-
942
- * bug fix
943
- * Authentication just fails if user cannot be serialized from session, without raising errors;
944
- * Default configuration values should not overwrite user values;
945
-
946
- ### 0.4.2
947
-
948
- * deprecations
949
- * Renamed mail_sender to mailer_sender
950
-
951
- * enhancements
952
- * skip_before_filter added in Devise controllers
953
- * Use home_or_root_path on require_no_authentication as well
954
- * Added devise_controller?, useful to select or reject filters in ApplicationController
955
- * Allow :path_prefix to be given to devise_for
956
- * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)
957
-
958
- ### 0.4.1
959
-
960
- * bug fix
961
- * Ensure options can be set even if models were not loaded
962
-
963
- ### 0.4.0
24
+ * Introduced `DeviseController#set_flash_message!` for conditional flash
25
+ messages setting to reduce complexity.
26
+ * `rails g devise:install` will fail if the app does not have a ORM configured
27
+ (by @arjunsharma)
28
+ * Support to Rails 5 versioned migrations added.
964
29
 
965
30
  * deprecations
966
- * Notifier is deprecated, use DeviseMailer instead. Remember to rename
967
- app/views/notifier to app/views/devise_mailer and I18n key from
968
- devise.notifier to devise.mailer
969
- * :authenticable calls are deprecated, use :authenticatable instead
31
+ * omniauth routes are no longer defined with a wildcard `:provider` parameter,
32
+ and provider specific routes are defined instead, so route helpers like `user_omniauth_authorize_path(:github)` are deprecated in favor of `user_github_authorize_path`.
33
+ You can still use `omniauth_authorize_path(:user, :github)` if you need to
34
+ call the helpers dynamically.
970
35
 
971
- * enhancements
972
- * Allow devise to be more agnostic and do not require ActiveRecord to be loaded
973
- * Allow Warden::Manager to be configured through Devise
974
- * Created a generator which creates an initializer
975
-
976
- ### 0.3.0
36
+ ### 4.0.0.rc1 - 2016-01-02
977
37
 
978
- * bug fix
979
- * Allow yml messages to be configured by not using engine locales
38
+ * Support added to Rails 5 (by @twalpole).
39
+ * Devise no longer supports Rails 3.2 and 4.0.
40
+ * Devise no longer supports Ruby 1.9 and 2.0.
980
41
 
981
42
  * deprecations
982
- * Renamed confirm_in to confirm_within
983
- * Do not send confirmation messages when user changes their e-mail
984
- * Renamed authenticable to authenticatable and added deprecation warnings
985
-
986
- ### 0.2.3
987
-
988
- * enhancements
989
- * Ensure fail! works inside strategies
990
- * Make unauthenticated message (when you haven't signed in) different from invalid message
991
-
992
- * bug fix
993
- * Do not redirect on invalid authenticate
994
- * Allow model configuration to be set to nil
43
+ * The `devise_parameter_sanitize` API has changed:
44
+ The `for` method was deprecated in favor of `permit`:
995
45
 
996
- ### 0.2.2
997
-
998
- * bug fix
999
- * Fix a bug when using customized resources
1000
-
1001
- ### 0.2.1
1002
-
1003
- * refactor
1004
- * Clean devise_views generator to use devise existing views
1005
-
1006
- * enhancements
1007
- * Create instance variables (like @user) for each devise controller
1008
- * Use Devise::Controller::Helpers only internally
1009
-
1010
- * bug fix
1011
- * Fix a bug with Mongrel and Ruby 1.8.6
1012
-
1013
- ### 0.2.0
1014
-
1015
- * enhancements
1016
- * Allow option :null => true in authenticable migration
1017
- * Remove attr_accessible calls from devise modules
1018
- * Customizable time frame for rememberable with :remember_for config
1019
- * Customizable time frame for confirmable with :confirm_in config
1020
- * Generators for creating a resource and copy views
1021
-
1022
- * optimize
1023
- * Do not load hooks or strategies if they are not used
1024
-
1025
- * bug fixes
1026
- * Fixed requiring devise strategies
1027
-
1028
- ### 0.1.1
1029
-
1030
- * bug fixes
1031
- * Fixed requiring devise mapping
46
+ ```ruby
47
+ def configure_permitted_parameters
48
+ devise_parameter_sanitizer.for(:sign_up) << :subscribe_newsletter
49
+ # Should become the following.
50
+ devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
51
+ end
52
+ ```
1032
53
 
1033
- ### 0.1.0
54
+ The customization through instance methods on the sanitizer implementation
55
+ should be done through it's `initialize` method:
1034
56
 
1035
- * Devise::Authenticable
1036
- * Devise::Confirmable
1037
- * Devise::Recoverable
1038
- * Devise::Validatable
1039
- * Devise::Migratable
1040
- * Devise::Rememberable
57
+ ```ruby
58
+ class User::ParameterSanitizer < Devise::ParameterSanitizer
59
+ def sign_up
60
+ default_params.permit(:username, :email)
61
+ end
62
+ end
1041
63
 
1042
- * SessionsController
1043
- * PasswordsController
1044
- * ConfirmationsController
64
+ # The `sign_up` method can be a `permit` call on the sanitizer `initialize`.
1045
65
 
1046
- * Create an example app
1047
- * devise :all, :except => :rememberable
1048
- * Use sign_in and sign_out in SessionsController
66
+ class User::ParameterSanitizer < Devise::ParameterSanitizer
67
+ def initialize(*)
68
+ super
69
+ permit(:sign_up, keys: [:username, :email])
70
+ end
71
+ end
72
+ ```
1049
73
 
1050
- * Mailer subjects namespaced by model
1051
- * Allow stretches and pepper per model
74
+ You can check more examples and explanations on the [README section](/plataformatec/devise#strong-parameters)
75
+ and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb).
1052
76
 
1053
- * Store session[:return_to] in session
1054
- * Sign user in automatically after confirming or changing it's password
77
+ Please check [3-stable](https://github.com/plataformatec/devise/blob/3-stable/CHANGELOG.md)
78
+ for previous changes.