devise 3.2.4 → 4.7.1

data/lib/devise/models/trackable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise/hooks/trackable'
 
 module Devise
@@ -15,21 +17,35 @@ module Devise
         [:current_sign_in_at, :current_sign_in_ip, :last_sign_in_at, :last_sign_in_ip, :sign_in_count]
       end
 
-      def update_tracked_fields!(request)
+      def update_tracked_fields(request)
         old_current, new_current = self.current_sign_in_at, Time.now.utc
         self.last_sign_in_at     = old_current || new_current
         self.current_sign_in_at  = new_current
 
-        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        old_current, new_current = self.current_sign_in_ip, extract_ip_from(request)
         self.last_sign_in_ip     = old_current || new_current
         self.current_sign_in_ip  = new_current
 
         self.sign_in_count ||= 0
         self.sign_in_count += 1
+      end
+
+      def update_tracked_fields!(request)
+        # We have to check if the user is already persisted before running
+        # `save` here because invalid users can be saved if we don't.
+        # See https://github.com/plataformatec/devise/issues/4673 for more details.
+        return if new_record?
 
-        save(validate: false) or raise "Devise trackable could not save #{inspect}." \
-          "Please make sure a model using trackable can be saved at sign in."
+        update_tracked_fields(request)
+        save(validate: false)
       end
+
+      protected
+
+      def extract_ip_from(request)
+        request.remote_ip
+      end
+
     end
   end
 end

data/lib/devise/models/validatable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     # Validatable creates all needed validations for a user email and password.
@@ -10,12 +12,12 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 8..128.
+    #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
     module Validatable
       # All validations used by this module.
-      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
-                      :validates_confirmation_of, :validates_length_of ].freeze
+      VALIDATIONS = [:validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                     :validates_confirmation_of, :validates_length_of].freeze
 
       def self.required_fields(klass)
         []
@@ -27,8 +29,13 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
-          validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-          validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
+          if Devise.activerecord51?
+            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
+            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
+          else
+            validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
+            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
+          end
 
           validates_presence_of     :password, if: :password_required?
           validates_confirmation_of :password, if: :password_required?

data/lib/devise/models.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     class MissingAttribute < StandardError
@@ -12,7 +14,7 @@ module Devise
 
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::Authenticatable, :stretches, 10)
+    #   Devise::Models.config(Devise::Models::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

data/lib/devise/modules.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_support/core_ext/object/with_options'
 
 Devise.with_options model: true do |d|

data/lib/devise/omniauth/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module OmniAuth
     class StrategyNotFound < NameError

data/lib/devise/omniauth/url_helpers.rb

@@ -1,17 +1,26 @@
+# frozen_string_literal: true
+
 module Devise
   module OmniAuth
     module UrlHelpers
-      def self.define_helpers(mapping)
+      def omniauth_authorize_path(resource_or_scope, provider, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_authorize_path", *args)
+      end
+
+      def omniauth_authorize_url(resource_or_scope, provider, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_authorize_url", *args)
       end
 
-      def omniauth_authorize_path(resource_or_scope, *args)
+      def omniauth_callback_path(resource_or_scope, provider, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        _devise_route_context.send("#{scope}_omniauth_authorize_path", *args)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_callback_path", *args)
       end
 
-      def omniauth_callback_path(resource_or_scope, *args)
+      def omniauth_callback_url(resource_or_scope, provider, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        _devise_route_context.send("#{scope}_omniauth_callback_path", *args)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_callback_url", *args)
       end
     end
   end

data/lib/devise/omniauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 begin
   require "omniauth"
   require "omniauth/version"

data/lib/devise/orm/active_record.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
 require 'orm_adapter/adapters/active_record'
 
-ActiveRecord::Base.extend Devise::Models
+ActiveSupport.on_load(:active_record) do
+  extend Devise::Models
+end

data/lib/devise/orm/mongoid.rb

@@ -1,3 +1,7 @@
-require 'orm_adapter/adapters/mongoid'
+# frozen_string_literal: true
 
-Mongoid::Document::ClassMethods.send :include, Devise::Models
+ActiveSupport.on_load(:mongoid) do
+  require 'orm_adapter/adapters/mongoid'
+
+  Mongoid::Document::ClassMethods.send :include, Devise::Models
+end

data/lib/devise/parameter_filter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   class ParameterFilter
     def initialize(case_insensitive_keys, strip_whitespace_keys)
@@ -16,6 +18,8 @@ module Devise
 
     def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
       condition_keys.each do |k|
+        next unless conditions.key?(k)
+
         value = conditions[k]
         conditions[k] = value.send(method) if value.respond_to?(method)
       end

data/lib/devise/parameter_sanitizer.rb

@@ -1,99 +1,173 @@
+# frozen_string_literal: true
+
 module Devise
-  class BaseSanitizer
-    attr_reader :params, :resource_name, :resource_class
+  # The +ParameterSanitizer+ deals with permitting specific parameters values
+  # for each +Devise+ scope in the application.
+  #
+  # The sanitizer knows about Devise default parameters (like +password+ and
+  # +password_confirmation+ for the `RegistrationsController`), and you can
+  # extend or change the permitted parameters list on your controllers.
+  #
+  # === Permitting new parameters
+  #
+  # You can add new parameters to the permitted list using the +permit+ method
+  # in a +before_action+ method, for instance.
+  #
+  #    class ApplicationController < ActionController::Base
+  #      before_action :configure_permitted_parameters, if: :devise_controller?
+  #
+  #      protected
+  #
+  #      def configure_permitted_parameters
+  #        # Permit the `subscribe_newsletter` parameter along with the other
+  #        # sign up parameters.
+  #        devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+  #      end
+  #    end
+  #
+  # Using a block yields an +ActionController::Parameters+ object so you can
+  # permit nested parameters and have more control over how the parameters are
+  # permitted in your controller.
+  #
+  #    def configure_permitted_parameters
+  #      devise_parameter_sanitizer.permit(:sign_up) do |user|
+  #        user.permit(newsletter_preferences: [])
+  #      end
+  #    end
+  class ParameterSanitizer
+    DEFAULT_PERMITTED_ATTRIBUTES = {
+      sign_in: [:password, :remember_me],
+      sign_up: [:password, :password_confirmation],
+      account_update: [:password, :password_confirmation, :current_password]
+    }
 
     def initialize(resource_class, resource_name, params)
-      @resource_class = resource_class
-      @resource_name  = resource_name
+      @auth_keys      = extract_auth_keys(resource_class)
       @params         = params
-      @blocks         = Hash.new
-    end
+      @resource_name  = resource_name
+      @permitted      = {}
 
-    def for(kind, &block)
-      if block_given?
-        @blocks[kind] = block
-      else
-        default_for(kind)
+      DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
+        permit(action, keys: keys)
       end
     end
 
-    def sanitize(kind)
-      if block = @blocks[kind]
-        block.call(default_params)
+    # Sanitize the parameters for a specific +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    #
+    # === Examples
+    #
+    #    # Inside the `RegistrationsController#create` action.
+    #    resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
+    #    resource.save
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+ with the permitted
+    # attributes.
+    def sanitize(action)
+      permissions = @permitted[action]
+
+      if permissions.respond_to?(:call)
+        cast_to_hash permissions.call(default_params)
+      elsif permissions.present?
+        cast_to_hash permit_keys(default_params, permissions)
       else
-        default_sanitize(kind)
+        unknown_action!(action)
       end
     end
 
-    private
+    # Add or remove new parameters to the permitted list of an +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    # * +keys:+     - An +Array+ of keys that also should be permitted.
+    # * +except:+   - An +Array+ of keys that shouldn't be permitted.
+    # * +block+     - A block that should be used to permit the action
+    #   parameters instead of the +Array+ based approach. The block will be
+    #   called with an +ActionController::Parameters+ instance.
+    #
+    # === Examples
+    #
+    #   # Adding new parameters to be permitted in the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+    #
+    #   # Removing the `password` parameter from the `account_update` action.
+    #   devise_parameter_sanitizer.permit(:account_update, except: [:password])
+    #
+    #   # Using the block form to completely override how we permit the
+    #   # parameters for the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up) do |user|
+    #     user.permit(:email, :password, :password_confirmation)
+    #   end
+    #
+    #
+    # Returns nothing.
+    def permit(action, keys: nil, except: nil, &block)
+      if block_given?
+        @permitted[action] = block
+      end
 
-    def default_for(kind)
-      raise ArgumentError, "a block is expected in Devise base sanitizer"
-    end
+      if keys.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action].concat(keys)
+      end
 
-    def default_sanitize(kind)
-      default_params
+      if except.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action] = @permitted[action] - except
+      end
     end
 
-    def default_params
-      params.fetch(resource_name, {})
-    end
-  end
+    private
 
-  class ParameterSanitizer < BaseSanitizer
-    def initialize(*)
-      super
-      @permitted = Hash.new { |h,k| h[k] = attributes_for(k) }
+    # Cast a sanitized +ActionController::Parameters+ to a +HashWithIndifferentAccess+
+    # that can be used elsewhere.
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+.
+    def cast_to_hash(params)
+      # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
+      params && params.to_h.with_indifferent_access
     end
 
-    def sign_in
-      permit self.for(:sign_in)
+    def default_params
+      if hashable_resource_params?
+        @params.fetch(@resource_name)
+      else
+        empty_params
+      end
     end
 
-    def sign_up
-      permit self.for(:sign_up)
+    def hashable_resource_params?
+      @params[@resource_name].respond_to?(:permit)
     end
 
-    def account_update
-      permit self.for(:account_update)
+    def empty_params
+      ActionController::Parameters.new({})
     end
 
-    private
-
-    # TODO: We do need to flatten so it works with strong_parameters
-    # gem. We should drop it once we move to Rails 4 only support.
-    def permit(keys)
-      default_params.permit(*Array(keys))
+    def permit_keys(parameters, keys)
+      parameters.permit(*keys)
     end
 
-    # Change for(kind) to return the values in the @permitted
-    # hash, allowing the developer to customize at runtime.
-    def default_for(kind)
-      @permitted[kind] || raise("No sanitizer provided for #{kind}")
-    end
+    def extract_auth_keys(klass)
+      auth_keys = klass.authentication_keys
 
-    def default_sanitize(kind)
-      if respond_to?(kind, true)
-        send(kind)
-      else
-        raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
-      end
+      auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
     end
 
-    def attributes_for(kind)
-      case kind
-      when :sign_in
-        auth_keys + [:password, :remember_me]
-      when :sign_up
-        auth_keys + [:password, :password_confirmation]
-      when :account_update
-        auth_keys + [:password, :password_confirmation, :current_password]
-      end
-    end
+    def unknown_action!(action)
+      raise NotImplementedError, <<-MESSAGE.strip_heredoc
+        "Devise doesn't know how to sanitize parameters for '#{action}'".
+        If you want to define a new set of parameters to be sanitized use the
+        `permit` method first:
 
-    def auth_keys
-      @auth_keys ||= @resource_class.authentication_keys.respond_to?(:keys) ?
-                       @resource_class.authentication_keys.keys : @resource_class.authentication_keys
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
+      MESSAGE
     end
   end
 end

data/lib/devise/rails/routes.rb

@@ -1,13 +1,12 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/object/try"
 require "active_support/core_ext/hash/slice"
 
-module ActionDispatch::Routing
-  class RouteSet #:nodoc:
-    # Ensure Devise modules are included only after loading routes, because we
-    # need devise_for mappings already declared to create filters and helpers.
-    def finalize_with_devise!
-      result = finalize_without_devise!
-
+module Devise
+  module RouteSet
+    def finalize!
+      result = super
       @devise_finalized ||= begin
         if Devise.router_name.nil? && defined?(@devise_finalized) && self != Rails.application.try(:routes)
           warn "[DEVISE] We have detected that you are using devise_for inside engine routes. " \
@@ -21,10 +20,16 @@ module ActionDispatch::Routing
         Devise.regenerate_helpers!
         true
       end
-
       result
     end
-    alias_method_chain :finalize!, :devise
+  end
+end
+
+module ActionDispatch::Routing
+  class RouteSet #:nodoc:
+    # Ensure Devise modules are included only after loading routes, because we
+    # need devise_for mappings already declared to create filters and helpers.
+    prepend Devise::RouteSet
   end
 
   class Mapper
@@ -84,20 +89,34 @@ module ActionDispatch::Routing
     #
     # You can configure your routes with some options:
     #
-    #  * class_name: setup a different class to be looked up by devise, if it cannot be
+    #  * class_name: set up a different class to be looked up by devise, if it cannot be
     #    properly found by the route name.
     #
     #      devise_for :users, class_name: 'Account'
     #
-    #  * path: allows you to setup path name that will be used, as rails routes does.
-    #    The following route configuration would setup your route as /accounts instead of /users:
+    #  * path: allows you to set up path name that will be used, as rails routes does.
+    #    The following route configuration would set up your route as /accounts instead of /users:
     #
     #      devise_for :users, path: 'accounts'
     #
-    #  * singular: setup the singular name for the given resource. This is used as the instance variable
-    #    name in controller, as the name in routes and the scope given to warden.
+    #  * singular: set up the singular name for the given resource. This is used as the helper methods
+    #    names in controller ("authenticate_#{singular}!", "#{singular}_signed_in?", "current_#{singular}"
+    #    and "#{singular}_session"), as the scope name in routes and as the scope given to warden.
     #
-    #      devise_for :users, singular: :user
+    #      devise_for :admins, singular: :manager
+    #
+    #      devise_scope :manager do
+    #        ...
+    #      end
+    #
+    #      class ManagerController < ApplicationController
+    #        before_action authenticate_manager!
+    #
+    #        def show
+    #          @manager = current_manager
+    #          ...
+    #        end
+    #      end
     #
     #  * path_names: configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
@@ -116,10 +135,10 @@ module ActionDispatch::Routing
     #  * failure_app: a rack app which is invoked whenever there is a failure. Strings representing a given
     #    are also allowed as parameter.
     #
-    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :delete),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [ :post, :delete ]
+    #      devise_for :users, sign_out_via: [:get, :post]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #
@@ -129,7 +148,8 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, module: "users"
     #
-    #  * skip: tell which controller you want to skip routes from being created:
+    #  * skip: tell which controller you want to skip routes from being created.
+    #    It accepts :all as an option, meaning it will not generate any route at all:
     #
     #      devise_for :users, skip: :sessions
     #
@@ -153,6 +173,8 @@ module ActionDispatch::Routing
     #
     #  * defaults: works the same as Rails' defaults
     #
+    #  * router_name: allows application level router name to be overwritten for the current scope
+    #
     # ==== Scoping
     #
     # Following Rails 3 routes DSL, you can nest devise_for calls inside a scope:
@@ -224,7 +246,7 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name) unless mapping.to.respond_to?(:devise)
         rescue NameError => e
           raise unless mapping.class_name == resource.to_s.classify
-          warn "[WARNING] You provided devise_for #{resource.inspect} but there is " <<
+          warn "[WARNING] You provided devise_for #{resource.inspect} but there is " \
             "no model #{mapping.class_name} defined in your application"
           next
         rescue NoMethodError => e
@@ -234,13 +256,12 @@ module ActionDispatch::Routing
 
         if options[:controllers] && options[:controllers][:omniauth_callbacks]
           unless mapping.omniauthable?
-            msg =  "Mapping omniauth_callbacks on a resource that is not omniauthable\n"
-            msg << "Please add `devise :omniauthable` to the `#{mapping.class_name}` model"
-            raise msg
+            raise ArgumentError, "Mapping omniauth_callbacks on a resource that is not omniauthable\n" \
+              "Please add `devise :omniauthable` to the `#{mapping.class_name}` model"
           end
         end
 
-        routes  = mapping.used_routes
+        routes = mapping.used_routes
 
         devise_scope mapping.name do
           with_devise_exclusive_scope mapping.fullpath, mapping.name, options do
@@ -319,7 +340,7 @@ module ActionDispatch::Routing
 
     # Sets the devise scope to be used in the controller. If you have custom routes,
     # you are required to call this method (also aliased as :as) in order to specify
-    # to which controller it is targetted.
+    # to which controller it is targeted.
     #
     #   as :user do
     #     get "sign_in", to: "devise/sessions#new"
@@ -400,59 +421,57 @@ module ActionDispatch::Routing
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
         if mapping.fullpath =~ /:[a-zA-Z_]/
           raise <<-ERROR
-Devise does not support scoping omniauth callbacks under a dynamic segment
+Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
-`skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
-
-    match "/users/auth/:provider",
-      constraints: { provider: /google|facebook/ },
-      to: "devise/omniauth_callbacks#passthru",
-      as: :omniauth_authorize,
-      via: [:get, :post]
-
-    match "/users/auth/:action/callback",
-      constraints: { action: /google|facebook/ },
-      to: "devise/omniauth_callbacks",
-      as: :omniauth_callback,
-      via: [:get, :post]
+`skip: :omniauth_callbacks` to the `devise_for` call and extract omniauth
+options to another `devise_for` call outside the scope. Here is an example:
+
+    devise_for :users, only: :omniauth_callbacks, controllers: {omniauth_callbacks: 'users/omniauth_callbacks'}
+
+    scope '/(:locale)', locale: /ru|en/ do
+      devise_for :users, skip: :omniauth_callbacks
+    end
 ERROR
         end
-
-        path, @scope[:path] = @scope[:path], nil
+        current_scope = @scope.dup
+        if @scope.respond_to? :new
+          @scope = @scope.new path: nil
+        else
+          @scope[:path] = nil
+        end
         path_prefix = Devise.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
 
         set_omniauth_path_prefix!(path_prefix)
 
-        providers = Regexp.union(mapping.to.omniauth_providers.map(&:to_s))
+        mapping.to.omniauth_providers.each do |provider|
+          match "#{path_prefix}/#{provider}",
+            to: "#{controllers[:omniauth_callbacks]}#passthru",
+            as: "#{provider}_omniauth_authorize",
+            via: [:get, :post]
 
-        match "#{path_prefix}/:provider",
-          constraints: { provider: providers },
-          to: "#{controllers[:omniauth_callbacks]}#passthru",
-          as: :omniauth_authorize,
-          via: [:get, :post]
-
-        match "#{path_prefix}/:action/callback",
-          constraints: { action: providers },
-          to: controllers[:omniauth_callbacks],
-          as: :omniauth_callback,
-          via: [:get, :post]
+          match "#{path_prefix}/#{provider}/callback",
+            to: "#{controllers[:omniauth_callbacks]}##{provider}",
+            as: "#{provider}_omniauth_callback",
+            via: [:get, :post]
+        end
       ensure
-        @scope[:path] = path
+        @scope = current_scope
       end
 
-      DEVISE_SCOPE_KEYS = [:as, :path, :module, :constraints, :defaults, :options]
-
       def with_devise_exclusive_scope(new_path, new_as, options) #:nodoc:
-        old = {}
-        DEVISE_SCOPE_KEYS.each { |k| old[k] = @scope[k] }
+        current_scope = @scope.dup
 
-        new = { as: new_as, path: new_path, module: nil }
-        new.merge!(options.slice(:constraints, :defaults, :options))
+        exclusive = { as: new_as, path: new_path, module: nil }
+        exclusive.merge!(options.slice(:constraints, :defaults, :options))
 
-        @scope.merge!(new)
+        if @scope.respond_to? :new
+          @scope = @scope.new exclusive
+        else
+          exclusive.each_pair { |key, value| @scope[key] = value }
+        end
         yield
       ensure
-        @scope.merge!(old)
+        @scope = current_scope
       end
 
       def constraints_for(method_to_apply, scope=nil, block=nil)