devise 3.5.1 → 4.8.0

data/app/controllers/devise/confirmations_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Devise::ConfirmationsController < DeviseController
   # GET /resource/confirmation/new
   def new
@@ -22,7 +24,7 @@ class Devise::ConfirmationsController < DeviseController
     yield resource if block_given?
 
     if resource.errors.empty?
-      set_flash_message(:notice, :confirmed) if is_flashing_format?
+      set_flash_message!(:notice, :confirmed)
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }

data/app/controllers/devise/omniauth_callbacks_controller.rb

@@ -1,26 +1,28 @@
+# frozen_string_literal: true
+
 class Devise::OmniauthCallbacksController < DeviseController
-  prepend_before_filter { request.env["devise.skip_timeout"] = true }
+  prepend_before_action { request.env["devise.skip_timeout"] = true }
 
   def passthru
-    render status: 404, text: "Not found. Authentication passthru."
+    render status: 404, plain: "Not found. Authentication passthru."
   end
 
   def failure
-    set_flash_message :alert, :failure, kind: OmniAuth::Utils.camelize(failed_strategy.name), reason: failure_message
+    set_flash_message! :alert, :failure, kind: OmniAuth::Utils.camelize(failed_strategy.name), reason: failure_message
     redirect_to after_omniauth_failure_path_for(resource_name)
   end
 
   protected
 
   def failed_strategy
-    env["omniauth.error.strategy"]
+    request.respond_to?(:get_header) ? request.get_header("omniauth.error.strategy") : request.env["omniauth.error.strategy"]
   end
 
   def failure_message
-    exception = env["omniauth.error"]
+    exception = request.respond_to?(:get_header) ? request.get_header("omniauth.error") : request.env["omniauth.error"]
     error   = exception.error_reason if exception.respond_to?(:error_reason)
     error ||= exception.error        if exception.respond_to?(:error)
-    error ||= env["omniauth.error.type"].to_s
+    error ||= (request.respond_to?(:get_header) ? request.get_header("omniauth.error.type") : request.env["omniauth.error.type"]).to_s
     error.to_s.humanize if error
   end
 

data/app/controllers/devise/passwords_controller.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 class Devise::PasswordsController < DeviseController
-  prepend_before_filter :require_no_authentication
+  prepend_before_action :require_no_authentication
   # Render the #edit only if coming from a reset password email link
-  append_before_filter :assert_reset_token_passed, only: :edit
+  append_before_action :assert_reset_token_passed, only: :edit
 
   # GET /resource/password/new
   def new
@@ -36,21 +38,22 @@ class Devise::PasswordsController < DeviseController
       resource.unlock_access! if unlockable?(resource)
       if Devise.sign_in_after_reset_password
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-        set_flash_message(:notice, flash_message) if is_flashing_format?
+        set_flash_message!(:notice, flash_message)
+        resource.after_database_authentication
         sign_in(resource_name, resource)
-        respond_with resource, location: after_resetting_password_path_for(resource)
       else
-        set_flash_message(:notice, :updated_not_active) if is_flashing_format?
-        respond_with resource, location: new_session_path(resource_name)
+        set_flash_message!(:notice, :updated_not_active)
       end
+      respond_with resource, location: after_resetting_password_path_for(resource)
     else
+      set_minimum_password_length
       respond_with resource
     end
   end
 
   protected
     def after_resetting_password_path_for(resource)
-      after_sign_in_path_for(resource)
+      Devise.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
     end
 
     # The path used after sending reset password instructions

data/app/controllers/devise/registrations_controller.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 class Devise::RegistrationsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
-  prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]
+  prepend_before_action :require_no_authentication, only: [:new, :create, :cancel]
+  prepend_before_action :authenticate_scope!, only: [:edit, :update, :destroy]
+  prepend_before_action :set_minimum_password_length, only: [:new, :edit]
 
   # GET /resource/sign_up
   def new
-    build_resource({})
-    set_minimum_password_length
+    build_resource
     yield resource if block_given?
-    respond_with self.resource
+    respond_with resource
   end
 
   # POST /resource
@@ -18,11 +20,11 @@ class Devise::RegistrationsController < DeviseController
     yield resource if block_given?
     if resource.persisted?
       if resource.active_for_authentication?
-        set_flash_message :notice, :signed_up if is_flashing_format?
+        set_flash_message! :notice, :signed_up
         sign_up(resource_name, resource)
         respond_with resource, location: after_sign_up_path_for(resource)
       else
-        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+        set_flash_message! :notice, :"signed_up_but_#{resource.inactive_message}"
         expire_data_after_sign_in!
         respond_with resource, location: after_inactive_sign_up_path_for(resource)
       end
@@ -48,15 +50,13 @@ class Devise::RegistrationsController < DeviseController
     resource_updated = update_resource(resource, account_update_params)
     yield resource if block_given?
     if resource_updated
-      if is_flashing_format?
-        flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
-          :update_needs_confirmation : :updated
-        set_flash_message :notice, flash_key
-      end
-      sign_in resource_name, resource, bypass: true
+      set_flash_message_for_update(resource, prev_unconfirmed_email)
+      bypass_sign_in resource, scope: resource_name if sign_in_after_change_password?
+
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
+      set_minimum_password_length
       respond_with resource
     end
   end
@@ -65,7 +65,7 @@ class Devise::RegistrationsController < DeviseController
   def destroy
     resource.destroy
     Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
-    set_flash_message :notice, :destroyed if is_flashing_format?
+    set_flash_message! :notice, :destroyed
     yield resource if block_given?
     respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
@@ -96,8 +96,8 @@ class Devise::RegistrationsController < DeviseController
 
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
-  def build_resource(hash=nil)
-    self.resource = resource_class.new_with_session(hash || {}, session)
+  def build_resource(hash = {})
+    self.resource = resource_class.new_with_session(hash, session)
   end
 
   # Signs in a user on sign up. You can overwrite this method in your own
@@ -109,7 +109,7 @@ class Devise::RegistrationsController < DeviseController
   # The path used after sign up. You need to overwrite this method
   # in your own RegistrationsController.
   def after_sign_up_path_for(resource)
-    after_sign_in_path_for(resource)
+    after_sign_in_path_for(resource) if is_navigational_format?
   end
 
   # The path used after sign up for inactive accounts. You need to overwrite
@@ -124,7 +124,7 @@ class Devise::RegistrationsController < DeviseController
   # The default url to be used after updating a resource. You need to overwrite
   # this method in your own RegistrationsController.
   def after_update_path_for(resource)
-    signed_in_root_path(resource)
+    sign_in_after_change_password? ? signed_in_root_path(resource) : new_session_path(resource_name)
   end
 
   # Authenticates the current scope and gets the current resource from the session.
@@ -144,4 +144,25 @@ class Devise::RegistrationsController < DeviseController
   def translation_scope
     'devise.registrations'
   end
+
+  private
+
+  def set_flash_message_for_update(resource, prev_unconfirmed_email)
+    return unless is_flashing_format?
+
+    flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email)
+                  :update_needs_confirmation
+                elsif sign_in_after_change_password?
+                  :updated
+                else
+                  :updated_but_not_signed_in
+                end
+    set_flash_message :notice, flash_key
+  end
+
+  def sign_in_after_change_password?
+    return true if account_update_params[:password].blank?
+
+    Devise.sign_in_after_change_password
+  end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 class Devise::SessionsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [:new, :create]
-  prepend_before_filter :allow_params_authentication!, only: :create
-  prepend_before_filter :verify_signed_out_user, only: :destroy
-  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }
+  prepend_before_action :require_no_authentication, only: [:new, :create]
+  prepend_before_action :allow_params_authentication!, only: :create
+  prepend_before_action :verify_signed_out_user, only: :destroy
+  prepend_before_action(only: [:create, :destroy]) { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new
@@ -15,7 +17,7 @@ class Devise::SessionsController < DeviseController
   # POST /resource/sign_in
   def create
     self.resource = warden.authenticate!(auth_options)
-    set_flash_message(:notice, :signed_in) if is_flashing_format?
+    set_flash_message!(:notice, :signed_in)
     sign_in(resource_name, resource)
     yield resource if block_given?
     respond_with resource, location: after_sign_in_path_for(resource)
@@ -24,7 +26,7 @@ class Devise::SessionsController < DeviseController
   # DELETE /resource/sign_out
   def destroy
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out && is_flashing_format?
+    set_flash_message! :notice, :signed_out if signed_out
     yield if block_given?
     respond_to_on_destroy
   end
@@ -58,7 +60,7 @@ class Devise::SessionsController < DeviseController
   # to the after_sign_out path.
   def verify_signed_out_user
     if all_signed_out?
-      set_flash_message :notice, :already_signed_out if is_flashing_format?
+      set_flash_message! :notice, :already_signed_out
 
       respond_to_on_destroy
     end

data/app/controllers/devise/unlocks_controller.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 class Devise::UnlocksController < DeviseController
-  prepend_before_filter :require_no_authentication
+  prepend_before_action :require_no_authentication
 
   # GET /resource/unlock/new
   def new
@@ -24,7 +26,7 @@ class Devise::UnlocksController < DeviseController
     yield resource if block_given?
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked if is_flashing_format?
+      set_flash_message! :notice, :unlocked
       respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
       respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }

data/app/controllers/devise_controller.rb

@@ -1,14 +1,20 @@
+# frozen_string_literal: true
+
 # All Devise controllers are inherited from here.
 class DeviseController < Devise.parent_controller.constantize
   include Devise::Controllers::ScopedViews
 
-  helper DeviseHelper
+  if respond_to?(:helper)
+    helper DeviseHelper
+  end
 
-  helpers = %w(resource scope_name resource_name signed_in_resource
-               resource_class resource_params devise_mapping)
-  helper_method(*helpers)
+  if respond_to?(:helper_method)
+    helpers = %w(resource scope_name resource_name signed_in_resource
+                 resource_class resource_params devise_mapping)
+    helper_method(*helpers)
+  end
 
-  prepend_before_filter :assert_is_devise_resource!
+  prepend_before_action :assert_is_devise_resource!
   respond_to :html if mimes_for_respond_to.empty?
 
   # Override prefixes to consider the scoped view.
@@ -16,7 +22,7 @@ class DeviseController < Devise.parent_controller.constantize
   # Action Controller tests that forces _prefixes to be
   # loaded before even having a request object.
   #
-  # This method should be public as it is is in ActionPack
+  # This method should be public as it is in ActionPack
   # itself. Changing its visibility may break other gems.
   def _prefixes #:nodoc:
     @_prefixes ||= if self.class.scoped_views? && request && devise_mapping
@@ -89,10 +95,10 @@ MESSAGE
     instance_variable_set(:"@#{resource_name}", new_resource)
   end
 
-  # Helper for use in before_filters where no authentication is required.
+  # Helper for use in before_actions where no authentication is required.
   #
   # Example:
-  #   before_filter :require_no_authentication, only: :new
+  #   before_action :require_no_authentication, only: :new
   def require_no_authentication
     assert_is_devise_resource!
     return unless is_navigational_format?
@@ -106,7 +112,7 @@ MESSAGE
     end
 
     if authenticated && resource = warden.user(resource_name)
-      flash[:alert] = I18n.t("devise.failure.already_authenticated")
+      set_flash_message(:alert, 'already_authenticated', scope: 'devise.failure')
       redirect_to after_sign_in_path_for(resource)
     end
   end
@@ -123,13 +129,13 @@ MESSAGE
     end
 
     if notice
-      set_flash_message :notice, notice if is_flashing_format?
+      set_flash_message! :notice, notice
       true
     end
   end
 
   # Sets the flash message with :key, using I18n. By default you are able
-  # to setup your messages using specific resource scope, and if no message is
+  # to set up your messages using specific resource scope, and if no message is
   # found we look to the default scope. Set the "now" options key to a true
   # value to populate the flash.now hash in lieu of the default flash hash (so
   # the flash message will be available to the current action instead of the
@@ -154,6 +160,13 @@ MESSAGE
     end
   end
 
+  # Sets flash message if is_flashing_format? equals true
+  def set_flash_message!(key, kind, options = {})
+    if is_flashing_format?
+      set_flash_message(key, kind, options)
+    end
+  end
+
   # Sets minimum password length to show to user
   def set_minimum_password_length
     if devise_mapping.validatable?
@@ -171,7 +184,7 @@ MESSAGE
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
     options = devise_i18n_options(options)
-    I18n.t("#{options[:resource_name]}.#{kind}", options)
+    I18n.t("#{options[:resource_name]}.#{kind}", **options)
   end
 
   # Controllers inheriting DeviseController are advised to override this

data/app/helpers/devise_helper.rb

@@ -1,25 +1,30 @@
+# frozen_string_literal: true
+
 module DeviseHelper
-  # A simple way to show error messages for the current devise resource. If you need
-  # to customize this method, you can either overwrite it in your application helpers or
-  # copy the views to your application.
-  #
-  # This method is intended to stay simple and it is unlikely that we are going to change
-  # it to add more behavior or options.
+  # Retain this method for backwards compatibility, deprecated in favor of modifying the
+  # devise/shared/error_messages partial.
   def devise_error_messages!
-    return "" if resource.errors.empty?
+    ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+      [Devise] `DeviseHelper#devise_error_messages!` is deprecated and will be
+      removed in the next major version.
+
+      Devise now uses a partial under "devise/shared/error_messages" to display
+      error messages by default, and make them easier to customize. Update your
+      views changing calls from:
+
+          <%= devise_error_messages! %>
 
-    messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join
-    sentence = I18n.t("errors.messages.not_saved",
-                      count: resource.errors.count,
-                      resource: resource.class.model_name.human.downcase)
+      to:
 
-    html = <<-HTML
-    <div id="error_explanation">
-      <h2>#{sentence}</h2>
-      <ul>#{messages}</ul>
-    </div>
-    HTML
+          <%= render "devise/shared/error_messages", resource: resource %>
+
+      To start customizing how errors are displayed, you can copy the partial
+      from devise to your `app/views` folder. Alternatively, you can run
+      `rails g devise:views` which will copy all of them again to your app.
+    DEPRECATION
+
+    return "" if resource.errors.empty?
 
-    html.html_safe
+    render "devise/shared/error_messages", resource: resource
   end
 end

data/app/mailers/devise/mailer.rb

@@ -1,20 +1,30 @@
+# frozen_string_literal: true
+
 if defined?(ActionMailer)
   class Devise::Mailer < Devise.parent_mailer.constantize
     include Devise::Mailers::Helpers
 
-    def confirmation_instructions(record, token, opts={})
+    def confirmation_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :confirmation_instructions, opts)
     end
 
-    def reset_password_instructions(record, token, opts={})
+    def reset_password_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :reset_password_instructions, opts)
     end
 
-    def unlock_instructions(record, token, opts={})
+    def unlock_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :unlock_instructions, opts)
     end
+
+    def email_changed(record, opts = {})
+      devise_mail(record, :email_changed, opts)
+    end
+
+    def password_change(record, opts = {})
+      devise_mail(record, :password_change, opts)
+    end
   end
 end

data/app/views/devise/confirmations/new.html.erb

@@ -1,11 +1,11 @@
 <h2>Resend confirmation instructions</h2>
 
 <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true, value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email) %> 
+    <%= f.email_field :email, autofocus: true, autocomplete: "email", value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email) %>
   </div>
 
   <div class="actions">

data/app/views/devise/mailer/email_changed.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @email %>!</p>
+
+<% if @resource.try(:unconfirmed_email?) %>
+  <p>We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.</p>
+<% else %>
+  <p>We're contacting you to notify you that your email has been changed to <%= @resource.email %>.</p>
+<% end %>

data/app/views/devise/mailer/password_change.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/app/views/devise/passwords/edit.html.erb

@@ -1,20 +1,20 @@
 <h2>Change your password</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <%= f.hidden_field :reset_password_token %>
 
   <div class="field">
     <%= f.label :password, "New password" %><br />
     <% if @minimum_password_length %>
-    <em>(<%= @minimum_password_length %> characters minimum)</em>
-    <% end %><br />
-    <%= f.password_field :password, autofocus: true, autocomplete: "off" %>
+      <em>(<%= @minimum_password_length %> characters minimum)</em><br />
+    <% end %>
+    <%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
   </div>
 
   <div class="field">
     <%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

data/app/views/devise/passwords/new.html.erb

@@ -1,11 +1,11 @@
 <h2>Forgot your password?</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
   </div>
 
   <div class="actions">

data/app/views/devise/registrations/edit.html.erb

@@ -1,11 +1,11 @@
 <h2>Edit <%= resource_name.to_s.humanize %></h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
   </div>
 
   <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %>
@@ -14,17 +14,21 @@
 
   <div class="field">
     <%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
-    <%= f.password_field :password, autocomplete: "off" %>
+    <%= f.password_field :password, autocomplete: "new-password" %>
+    <% if @minimum_password_length %>
+      <br />
+      <em><%= @minimum_password_length %> characters minimum</em>
+    <% end %>
   </div>
 
   <div class="field">
     <%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="field">
     <%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
-    <%= f.password_field :current_password, autocomplete: "off" %>
+    <%= f.password_field :current_password, autocomplete: "current-password" %>
   </div>
 
   <div class="actions">

data/app/views/devise/registrations/new.html.erb

@@ -1,11 +1,11 @@
 <h2>Sign up</h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
   </div>
 
   <div class="field">
@@ -13,12 +13,12 @@
     <% if @minimum_password_length %>
     <em>(<%= @minimum_password_length %> characters minimum)</em>
     <% end %><br />
-    <%= f.password_field :password, autocomplete: "off" %>
+    <%= f.password_field :password, autocomplete: "new-password" %>
   </div>
 
   <div class="field">
     <%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

data/app/views/devise/sessions/new.html.erb

@@ -3,20 +3,20 @@
 <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
   <div class="field">
     <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
   </div>
 
   <div class="field">
     <%= f.label :password %><br />
-    <%= f.password_field :password, autocomplete: "off" %>
+    <%= f.password_field :password, autocomplete: "current-password" %>
   </div>
 
-  <% if devise_mapping.rememberable? -%>
+  <% if devise_mapping.rememberable? %>
     <div class="field">
       <%= f.check_box :remember_me %>
       <%= f.label :remember_me %>
     </div>
-  <% end -%>
+  <% end %>
 
   <div class="actions">
     <%= f.submit "Log in" %>

data/app/views/devise/shared/_error_messages.html.erb

@@ -0,0 +1,15 @@
+<% if resource.errors.any? %>
+  <div id="error_explanation">
+    <h2>
+      <%= I18n.t("errors.messages.not_saved",
+                 count: resource.errors.count,
+                 resource: resource.class.model_name.human.downcase)
+       %>
+    </h2>
+    <ul>
+      <% resource.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>