RubyGems - devise - Versions diffs - 3.5.10 → 4.0.0.rc1 - Mend

devise 3.5.10 → 4.0.0.rc1

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (96) hide show

checksums.yaml +4 -4
data/.travis.yml +9 -9
data/CHANGELOG.md +33 -1188
data/Gemfile +0 -1
data/Gemfile.lock +15 -18
data/MIT-LICENSE +1 -1
data/README.md +20 -10
data/app/controllers/devise/omniauth_callbacks_controller.rb +4 -4
data/app/controllers/devise/passwords_controller.rb +2 -2
data/app/controllers/devise/registrations_controller.rb +2 -2
data/app/controllers/devise/sessions_controller.rb +4 -4
data/app/controllers/devise/unlocks_controller.rb +1 -1
data/app/controllers/devise_controller.rb +11 -7
data/devise.gemspec +2 -3
data/gemfiles/Gemfile.rails-4.1-stable +0 -1
data/gemfiles/Gemfile.rails-4.1-stable.lock +38 -41
data/gemfiles/Gemfile.rails-4.2-stable +0 -1
data/gemfiles/Gemfile.rails-4.2-stable.lock +47 -50
data/gemfiles/Gemfile.rails-5.0-beta +37 -0
data/gemfiles/Gemfile.rails-5.0-beta.lock +242 -0
data/lib/devise.rb +8 -8
data/lib/devise/controllers/helpers.rb +7 -11
data/lib/devise/failure_app.rb +17 -9
data/lib/devise/models/authenticatable.rb +5 -1
data/lib/devise/models/confirmable.rb +3 -4
data/lib/devise/models/database_authenticatable.rb +1 -0
data/lib/devise/models/lockable.rb +1 -5
data/lib/devise/models/rememberable.rb +5 -11
data/lib/devise/parameter_sanitizer.rb +176 -61
data/lib/devise/rails.rb +1 -10
data/lib/devise/rails/routes.rb +25 -14
data/lib/devise/rails/warden_compat.rb +1 -10
data/lib/devise/strategies/rememberable.rb +6 -3
data/lib/devise/test_helpers.rb +9 -4
data/lib/devise/token_generator.rb +1 -41
data/lib/devise/version.rb +1 -1
data/lib/generators/active_record/devise_generator.rb +3 -3
data/lib/generators/active_record/templates/migration.rb +1 -1
data/lib/generators/active_record/templates/migration_existing.rb +1 -1
data/lib/generators/devise/orm_helpers.rb +0 -17
data/lib/generators/templates/controllers/registrations_controller.rb +4 -4
data/lib/generators/templates/controllers/sessions_controller.rb +2 -2
data/lib/generators/templates/devise.rb +4 -5
data/test/controllers/custom_registrations_controller_test.rb +5 -5
data/test/controllers/custom_strategy_test.rb +7 -5
data/test/controllers/helper_methods_test.rb +3 -2
data/test/controllers/helpers_test.rb +1 -1
data/test/controllers/inherited_controller_i18n_messages_test.rb +2 -2
data/test/controllers/internal_helpers_test.rb +8 -10
data/test/controllers/load_hooks_controller_test.rb +1 -1
data/test/controllers/passwords_controller_test.rb +4 -3
data/test/controllers/sessions_controller_test.rb +21 -18
data/test/controllers/url_helpers_test.rb +1 -1
data/test/failure_app_test.rb +19 -14
data/test/generators/active_record_generator_test.rb +0 -26
data/test/helpers/devise_helper_test.rb +1 -1
data/test/integration/authenticatable_test.rb +18 -18
data/test/integration/confirmable_test.rb +5 -5
data/test/integration/database_authenticatable_test.rb +1 -1
data/test/integration/http_authenticatable_test.rb +4 -5
data/test/integration/lockable_test.rb +4 -3
data/test/integration/omniauthable_test.rb +1 -1
data/test/integration/recoverable_test.rb +10 -10
data/test/integration/registerable_test.rb +9 -11
data/test/integration/rememberable_test.rb +7 -43
data/test/integration/timeoutable_test.rb +4 -4
data/test/integration/trackable_test.rb +1 -1
data/test/models/confirmable_test.rb +5 -13
data/test/models/lockable_test.rb +0 -22
data/test/models/rememberable_test.rb +0 -12
data/test/models/validatable_test.rb +2 -10
data/test/omniauth/url_helpers_test.rb +1 -2
data/test/orm/active_record.rb +6 -1
data/test/parameter_sanitizer_test.rb +103 -53
data/test/rails_app/app/active_record/user.rb +3 -0
data/test/rails_app/app/controllers/admins_controller.rb +1 -1
data/test/rails_app/app/controllers/application_controller.rb +2 -2
data/test/rails_app/app/controllers/home_controller.rb +5 -1
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +2 -2
data/test/rails_app/app/controllers/users_controller.rb +5 -5
data/test/rails_app/config/application.rb +1 -1
data/test/rails_app/config/boot.rb +3 -3
data/test/rails_app/config/environments/test.rb +6 -1
data/test/rails_app/config/initializers/secret_token.rb +1 -6
data/test/routes_test.rb +26 -11
data/test/support/http_method_compatibility.rb +51 -0
data/test/support/webrat/integrations/rails.rb +9 -0
data/test/test_helpers_test.rb +3 -3
metadata +13 -31
data/gemfiles/Gemfile.rails-3.2-stable +0 -29
data/gemfiles/Gemfile.rails-3.2-stable.lock +0 -172
data/gemfiles/Gemfile.rails-4.0-stable +0 -30
data/gemfiles/Gemfile.rails-4.0-stable.lock +0 -166
data/script/cached-bundle +0 -49
data/script/s3-put +0 -71
data/test/time_helpers.rb +0 -137

data/lib/devise.rb CHANGED

@@ -12,19 +12,18 @@ module Devise
   autoload :FailureApp,         'devise/failure_app'
   autoload :OmniAuth,           'devise/omniauth'
   autoload :ParameterFilter,    'devise/parameter_filter'
-  autoload :BaseSanitizer,      'devise/parameter_sanitizer'
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
   autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
   autoload :TokenGenerator,     'devise/token_generator'
   module Controllers
-    autoload :Helpers, 'devise/controllers/helpers'
-    autoload :Rememberable, 'devise/controllers/rememberable'
-    autoload :ScopedViews, 'devise/controllers/scoped_views'
-    autoload :SignInOut, 'devise/controllers/sign_in_out'
-    autoload :StoreLocation, 'devise/controllers/store_location'
-    autoload :UrlHelpers, 'devise/controllers/url_helpers'
+    autoload :Helpers,        'devise/controllers/helpers'
+    autoload :Rememberable,   'devise/controllers/rememberable'
+    autoload :ScopedViews,    'devise/controllers/scoped_views'
+    autoload :SignInOut,      'devise/controllers/sign_in_out'
+    autoload :StoreLocation,  'devise/controllers/store_location'
+    autoload :UrlHelpers,     'devise/controllers/url_helpers'
   end
   module Hooks
@@ -36,7 +35,7 @@ module Devise
   end
   module Strategies
-    autoload :Base, 'devise/strategies/base'
+    autoload :Base,            'devise/strategies/base'
     autoload :Authenticatable, 'devise/strategies/authenticatable'
   end
@@ -116,6 +115,7 @@ module Devise
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
+  # TODO: extend_remember_period is no longer used
   # If true, extends the user's remember period when remembered via cookie.
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false

data/lib/devise/controllers/helpers.rb CHANGED

@@ -30,8 +30,8 @@ module Devise
         #     current_bloggers       # Currently signed in user and admin
         #
         #   Use:
-        #     before_filter :authenticate_blogger!              # Redirects unless either a user or an admin are authenticated
-        #     before_filter ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
+        #     before_action :authenticate_blogger!              # Redirects unless either a user or an admin are authenticated
+        #     before_action ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
         #     current_blogger :user                             # Preferably returns a User if one is signed in
         #
         def devise_group(group_name, opts={})
@@ -84,7 +84,7 @@ module Devise
       end
       # Define authentication filters and accessor helpers based on mappings.
-      # These filters should be used inside the controllers as before_filters,
+      # These filters should be used inside the controllers as before_actions,
       # so you can control the scope of the user who should be signed in to
       # access that specific controller/action.
       # Example:
@@ -104,8 +104,8 @@ module Devise
       #     admin_session       # Session data available only to the admin scope
       #
       #   Use:
-      #     before_filter :authenticate_user!  # Tell devise to use :user map
-      #     before_filter :authenticate_admin! # Tell devise to use :admin map
+      #     before_action :authenticate_user!  # Tell devise to use :user map
+      #     before_action :authenticate_admin! # Tell devise to use :admin map
       #
       def self.define_helpers(mapping) #:nodoc:
         mapping = mapping.name
@@ -145,7 +145,7 @@ module Devise
       # the controllers defined inside devise. Useful if you want to apply a before
       # filter to all controllers, except the ones in devise:
       #
-      #   before_filter :my_filter, unless: :devise_controller?
+      #   before_action :my_filter, unless: :devise_controller?
       def devise_controller?
         is_a?(::DeviseController)
       end
@@ -154,11 +154,7 @@ module Devise
       # lib/devise/parameter_sanitizer.rb for more info. Override this
       # method in your application controller to use your own parameter sanitizer.
       def devise_parameter_sanitizer
-        @devise_parameter_sanitizer ||= if defined?(ActionController::StrongParameters)
-          Devise::ParameterSanitizer.new(resource_class, resource_name, params)
-        else
-          Devise::BaseSanitizer.new(resource_class, resource_name, params)
-        end
+        @devise_parameter_sanitizer ||= Devise::ParameterSanitizer.new(resource_class, resource_name, params)
       end
       # Tell warden that params authentication is allowed for that specific page.

data/lib/devise/failure_app.rb CHANGED

@@ -6,7 +6,6 @@ module Devise
   # page based on current scope and mapping. If no scope is given, redirect
   # to the default_url.
   class FailureApp < ActionController::Metal
-    include ActionController::RackDelegation
     include ActionController::UrlFor
     include ActionController::Redirecting
@@ -22,7 +21,7 @@ module Devise
       @respond.call(env)
     end
-    # Try retrieving the URL options from the parent controller (usually
+    # Try retrieving the URL options from the parent controller (usually
     # ApplicationController). Instance methods are not supported at the moment,
     # so only the class-level attribute is used.
     def self.default_url_options(*args)
@@ -53,18 +52,27 @@ module Devise
     def recall
       config = Rails.application.config
-      if config.try(:relative_url_root)
+      header_info = if config.try(:relative_url_root)
         base_path = Pathname.new(config.relative_url_root)
         full_path = Pathname.new(attempted_path)
-        env["SCRIPT_NAME"] = config.relative_url_root
-        env["PATH_INFO"] = '/' + full_path.relative_path_from(base_path).to_s
+        { "SCRIPT_NAME" => config.relative_url_root,
+          "PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
       else
-        env["PATH_INFO"]  = attempted_path
+        { "PATH_INFO" => attempted_path }
+      end
+      header_info.each do | var, value|
+        if request.respond_to?(:set_header)
+          request.set_header(var, value)
+        else
+          env[var]  = value
+        end
       end
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
-      self.response = recall_app(warden_options[:recall]).call(env)
+      # self.response = recall_app(warden_options[:recall]).call(env)
+      self.response = recall_app(warden_options[:recall]).call(request.env)
     end
     def redirect
@@ -199,11 +207,11 @@ module Devise
     end
     def warden
-      env['warden']
+      request.respond_to?(:get_header) ? request.get_header("warden") : env["warden"]
     end
     def warden_options
-      env['warden.options']
+      request.respond_to?(:get_header) ? request.get_header("warden.options") : env["warden.options"]
     end
     def warden_message

data/lib/devise/models/authenticatable.rb CHANGED

@@ -253,7 +253,11 @@ module Devise
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = attributes.slice(*required_attributes).with_indifferent_access
+          attributes = if attributes.respond_to? :permit
+            attributes.slice(*required_attributes).permit!.to_h.with_indifferent_access
+          else
+            attributes.with_indifferent_access.slice(*required_attributes)
+          end
           attributes.delete_if { |key, value| value.blank? }
           if attributes.size == required_attributes.size

data/lib/devise/models/confirmable.rb CHANGED

@@ -40,7 +40,6 @@ module Devise
     #
     module Confirmable
       extend ActiveSupport::Concern
-      include ActionView::Helpers::DateHelper
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
@@ -170,7 +169,6 @@ module Devise
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions
-          skip_reconfirmation!
         end
         # Callback to overwrite if confirmation is required or not.
@@ -255,13 +253,13 @@ module Devise
         end
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
+          postpone = self.class.reconfirmable && email_changed? && email_was.present? && !@bypass_confirmation_postpone && self.email.present?
           @bypass_confirmation_postpone = false
           postpone
         end
         def reconfirmation_required?
-          self.class.reconfirmable && @reconfirmation_required && (self.email.present? || self.unconfirmed_email.present?)
+          self.class.reconfirmable && @reconfirmation_required && self.email.present?
         end
         def send_confirmation_notification?
@@ -316,6 +314,7 @@ module Devise
         # Find a record for confirmation by unconfirmed email field
         def find_by_unconfirmed_email_with_errors(attributes = {})
+          attributes = attributes.slice(*confirmation_keys).permit!.to_h if attributes.respond_to? :permit
           unconfirmed_required_attributes = confirmation_keys.map { |k| k == :email ? :unconfirmed_email : k }
           unconfirmed_attributes = attributes.symbolize_keys
           unconfirmed_attributes[:unconfirmed_email] = unconfirmed_attributes.delete(:email)

data/lib/devise/models/database_authenticatable.rb CHANGED

@@ -39,6 +39,7 @@ module Devise
       # Generates password encryption based on the given value.
       def password=(new_password)
+        attribute_will_change! 'password'
         @password = new_password
         self.encrypted_password = password_digest(@password) if @password.present?
       end

data/lib/devise/models/lockable.rb CHANGED

@@ -155,9 +155,6 @@ module Devise
         end
       module ClassMethods
-        # List of strategies that are enabled/supported if :both is used.
-        BOTH_STRATEGIES = [:time, :email]
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -184,8 +181,7 @@ module Devise
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          self.unlock_strategy == strategy ||
-            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
+          [:both, strategy].include?(self.unlock_strategy)
         end
         # Is the lock enabled for the given lock strategy?

data/lib/devise/models/rememberable.rb CHANGED

@@ -39,7 +39,7 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
-      attr_accessor :remember_me
+      attr_accessor :remember_me, :extend_remember_period
       def self.required_fields(klass)
         [:remember_created_at]
@@ -48,7 +48,7 @@ module Devise
       # TODO: We were used to receive a extend period argument but we no longer do.
       # Remove this for Devise 4.0.
       def remember_me!(*)
-        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_token = self.class.remember_token if respond_to?(:remember_token)
         self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
@@ -62,19 +62,10 @@ module Devise
         save(validate: false)
       end
-      # Remember token should be expired if expiration time not overpass now.
-      def remember_expired?
-        remember_created_at.nil?
-      end
       def remember_expires_at
         self.class.remember_for.from_now
       end
-      def extend_remember_period
-        self.class.extend_remember_period
-      end
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
@@ -156,6 +147,9 @@ module Devise
           end
         end
+        private
+        # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end

data/lib/devise/parameter_sanitizer.rb CHANGED

@@ -1,99 +1,214 @@
 module Devise
-  class BaseSanitizer
-    attr_reader :params, :resource_name, :resource_class
+  # The +ParameterSanitizer+ deals with permitting specific parameters values
+  # for each +Devise+ scope in the application.
+  #
+  # The sanitizer knows about Devise default parameters (like +password+ and
+  # +password_confirmation+ for the `RegistrationsController`), and you can
+  # extend or change the permitted parameters list on your controllers.
+  #
+  # === Permitting new parameters
+  #
+  # You can add new parameters to the permitted list using the +permit+ method
+  # in a +before_action+ method, for instance.
+  #
+  #    class ApplicationController < ActionController::Base
+  #      before_action :configure_permitted_parameters, if: :devise_controller?
+  #
+  #      protected
+  #
+  #      def configure_permitted_parameters
+  #        # Permit the `subscribe_newsletter` parameter along with the other
+  #        # sign up parameters.
+  #        devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+  #      end
+  #    end
+  #
+  # Using a block yields an +ActionController::Parameters+ object so you can
+  # permit nested parameters and have more control over how the parameters are
+  # permitted in your controller.
+  #
+  #    def configure_permitted_parameters
+  #      devise_parameter_sanitizer.permit(:sign_up) do |user|
+  #        user.permit(newsletter_preferences: [])
+  #      end
+  #    end
+  class ParameterSanitizer
+    DEFAULT_PERMITTED_ATTRIBUTES = {
+      sign_in: [:password, :remember_me],
+      sign_up: [:password, :password_confirmation],
+      account_update: [:password, :password_confirmation, :current_password]
+    }
     def initialize(resource_class, resource_name, params)
-      @resource_class = resource_class
-      @resource_name  = resource_name
+      @auth_keys      = extract_auth_keys(resource_class)
       @params         = params
-      @blocks         = Hash.new
+      @resource_name  = resource_name
+      @permitted      = {}
+      DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
+        permit(action, keys: keys)
+      end
     end
-    def for(kind, &block)
-      if block_given?
-        @blocks[kind] = block
+    # Sanitize the parameters for a specific +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    #
+    # === Examples
+    #
+    #    # Inside the `RegistrationsController#create` action.
+    #    resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
+    #    resource.save
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+ with the permitted
+    # attributes.
+    def sanitize(action)
+      permissions = @permitted[action]
+      # DEPRECATED: Remove this branch on Devise 4.1.
+      if respond_to?(action, true)
+        deprecate_instance_method_sanitization(action)
+        return cast_to_hash send(action)
+      end
+      if permissions.respond_to?(:call)
+        cast_to_hash permissions.call(default_params)
+      elsif permissions.present?
+        cast_to_hash permit_keys(default_params, permissions)
       else
-        default_for(kind)
+        unknown_action!(action)
       end
     end
-    def sanitize(kind)
-      if block = @blocks[kind]
-        block.call(default_params)
+    # Add or remove new parameters to the permitted list of an +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    # * +keys:+     - An +Array+ of keys that also should be permitted.
+    # * +except:+   - An +Array+ of keys that shouldn't be permitted.
+    # * +block+     - A block that should be used to permit the action
+    #   parameters instead of the +Array+ based approach. The block will be
+    #   called with an +ActionController::Parameters+ instance.
+    #
+    # === Examples
+    #
+    #   # Adding new parameters to be permitted in the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+    #
+    #   # Removing the `password` parameter from the `account_update` action.
+    #   devise_parameter_sanitizer.permit(:account_update, except: [:password])
+    #
+    #   # Using the block form to completely override how we permit the
+    #   # parameters for the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up) do |user|
+    #     user.permit(:email, :password, :password_confirmation)
+    #   end
+    #
+    #
+    # Returns nothing.
+    def permit(action, keys: nil, except: nil, &block)
+      if block_given?
+        @permitted[action] = block
+      end
+      if keys.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action].concat(keys)
+      end
+      if except.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action] = @permitted[action] - except
+      end
+    end
+    # DEPRECATED: Remove this method on Devise 4.1.
+    def for(action, &block) # :nodoc:
+      if block_given?
+        deprecate_for_with_block(action)
+        permit(action, &block)
       else
-        default_sanitize(kind)
+        deprecate_for_without_block(action)
+        @permitted[action] or unknown_action!(action)
       end
     end
     private
-    def default_for(kind)
-      raise ArgumentError, "a block is expected in Devise base sanitizer"
-    end
-    def default_sanitize(kind)
-      default_params
+    # Cast a sanitized +ActionController::Parameters+ to a +HashWithIndifferentAccess+
+    # that can be used elsewhere.
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+.
+    def cast_to_hash(params)
+      # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
+      params && params.to_h.with_indifferent_access
     end
     def default_params
-      params.fetch(resource_name, {})
+      @params.fetch(@resource_name, {})
     end
-  end
-  class ParameterSanitizer < BaseSanitizer
-    def initialize(*)
-      super
-      @permitted = Hash.new { |h,k| h[k] = attributes_for(k) }
+    def permit_keys(parameters, keys)
+      parameters.permit(*keys)
     end
-    def sign_in
-      permit self.for(:sign_in)
-    end
+    def extract_auth_keys(klass)
+      auth_keys = klass.authentication_keys
-    def sign_up
-      permit self.for(:sign_up)
+      auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
     end
-    def account_update
-      permit self.for(:account_update)
+    def unknown_action!(action)
+      raise NotImplementedError, <<-MESSAGE.strip_heredoc
+        "Devise doesn't know how to sanitize parameters for '#{action}'".
+        If you want to define a new set of parameters to be sanitized use the
+        `permit` method first:
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, param2, param3])
+      MESSAGE
     end
-    private
+    def deprecate_for_with_block(action)
+      ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        Please use the `permit` method:
-    # TODO: We do need to flatten so it works with strong_parameters
-    # gem. We should drop it once we move to Rails 4 only support.
-    def permit(keys)
-      default_params.permit(*Array(keys))
+          devise_parameter_sanitizer.permit(:#{action}) do |user|
+            # Your block here.
+          end
+      MESSAGE
     end
-    # Change for(kind) to return the values in the @permitted
-    # hash, allowing the developer to customize at runtime.
-    def default_for(kind)
-      @permitted[kind] || raise("No sanitizer provided for #{kind}")
-    end
+    def deprecate_for_without_block(action)
+      ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        Please use the `permit` method to add or remove any key:
-    def default_sanitize(kind)
-      if respond_to?(kind, true)
-        send(kind)
-      else
-        raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
-      end
-    end
+          To add any new key, use the `keys` keyword argument:
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
-    def attributes_for(kind)
-      case kind
-      when :sign_in
-        auth_keys + [:password, :remember_me]
-      when :sign_up
-        auth_keys + [:password, :password_confirmation]
-      when :account_update
-        auth_keys + [:password, :password_confirmation, :current_password]
-      end
+          To remove any existing key, use the `except` keyword argument:
+          devise_parameter_sanitizer.permit(:#{action}, except: [:email])
+      MESSAGE
     end
-    def auth_keys
-      @auth_keys ||= @resource_class.authentication_keys.respond_to?(:keys) ?
-                       @resource_class.authentication_keys.keys : @resource_class.authentication_keys
+    def deprecate_instance_method_sanitization(action)
+      ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
+        [Devise] Parameter sanitization through a "#{self.class.name}##{action}" method is deprecated and it will be removed from Devise 4.1.
+        Please use the `permit` method on your sanitizer `initialize` method.
+          class #{self.class.name} < Devise::ParameterSanitizer
+            def initialize(*)
+              super
+              permit(:#{action}, keys: [:param1, :param2, :param3])
+            end
+          end
+      MESSAGE
     end
   end
 end