devise 3.5.10 → 4.0.0.rc1

data/test/models/lockable_test.rb

@@ -325,26 +325,4 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
-
-  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
-    swap Devise, unlock_strategy: :both do
-      user = create_user
-      assert_equal true, user.unlock_strategy_enabled?(:both)
-      assert_equal true, user.unlock_strategy_enabled?(:time)
-      assert_equal true, user.unlock_strategy_enabled?(:email)
-      assert_equal false, user.unlock_strategy_enabled?(:none)
-      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
-    end
-  end
-
-  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
-    swap Devise, unlock_strategy: :email do
-      user = create_user
-      assert_equal false, user.unlock_strategy_enabled?(:both)
-      assert_equal false, user.unlock_strategy_enabled?(:time)
-      assert_equal true, user.unlock_strategy_enabled?(:email)
-      assert_equal false, user.unlock_strategy_enabled?(:none)
-      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
-    end
-  end
 end

data/test/models/rememberable_test.rb

@@ -16,18 +16,6 @@ class RememberableTest < ActiveSupport::TestCase
     assert user.remember_created_at
   end
 
-  test 'remember_me should not generate a new token if valid token exists' do
-    user = create_user
-    user.singleton_class.send(:attr_accessor, :remember_token)
-    User.to_adapter.expects(:find_first).returns(nil)
-
-    user.remember_me!
-    existing_token = user.remember_token
-
-    user.remember_me!
-    assert_equal existing_token, user.remember_token
-  end
-
   test 'forget_me should not clear remember token if using salt' do
     user = create_user
     user.remember_me!

data/test/models/validatable_test.rb

@@ -57,11 +57,7 @@ class ValidatableTest < ActiveSupport::TestCase
     user = new_user(password: 'new_password', password_confirmation: 'blabla')
     assert user.invalid?
 
-    if Devise.rails4?
-      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
-    else
-      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
-    end
+    assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
   end
 
   test 'should require password when updating/resetting password' do
@@ -79,11 +75,7 @@ class ValidatableTest < ActiveSupport::TestCase
     user.password_confirmation = 'another_password'
     assert user.invalid?
 
-    if Devise.rails4?
-      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
-    else
-      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
-    end
+    assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
   end
 
   test 'should require a password with minimum of 7 characters' do

data/test/omniauth/url_helpers_test.rb

@@ -1,8 +1,7 @@
 require 'test_helper'
 
 class OmniAuthRoutesTest < ActionController::TestCase
-  ExpectedUrlGeneratiorError = Devise.rails4? ?
-    ActionController::UrlGenerationError : ActionController::RoutingError
+  ExpectedUrlGeneratiorError = ActionController::UrlGenerationError
 
   tests ApplicationController
 

data/test/orm/active_record.rb

@@ -5,6 +5,11 @@ ActiveRecord::Base.include_root_in_json = true
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 
 class ActiveSupport::TestCase
-  self.use_transactional_fixtures = true
+  if Rails.version >= '5.0.0'
+    self.use_transactional_tests = true
+  else
+    self.use_transactional_fixtures = true
+  end
+
   self.use_instantiated_fixtures  = false
 end

data/test/parameter_sanitizer_test.rb

@@ -1,81 +1,131 @@
 require 'test_helper'
 require 'devise/parameter_sanitizer'
 
-class BaseSanitizerTest < ActiveSupport::TestCase
+class ParameterSanitizerTest < ActiveSupport::TestCase
   def sanitizer(params)
-    Devise::BaseSanitizer.new(User, :user, params)
+    params = ActionController::Parameters.new(params)
+    Devise::ParameterSanitizer.new(User, :user, params)
   end
 
-  test 'returns chosen params' do
-    sanitizer = sanitizer(user: { "email" => "jose" })
-    assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_in))
+  test 'permits the default parameters for sign in' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose' })
+    sanitized = sanitizer.sanitize(:sign_in)
+
+    assert_equal({ 'email' => 'jose' }, sanitized)
   end
-end
 
-if defined?(ActionController::StrongParameters)
-  require 'active_model/forbidden_attributes_protection'
+  test 'permits the default parameters for sign up' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose', 'role' => 'invalid' })
+    sanitized = sanitizer.sanitize(:sign_up)
 
-  class ParameterSanitizerTest < ActiveSupport::TestCase
-    def sanitizer(params)
-      params = ActionController::Parameters.new(params)
-      Devise::ParameterSanitizer.new(User, :user, params)
-    end
+    assert_equal({ 'email' => 'jose' }, sanitized)
+  end
 
-    test 'filters some parameters on sign in by default' do
-      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
-      assert_equal({ "email" => "jose", "password" => "invalid", "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
-    end
+  test 'permits the default parameters for account update' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose', 'role' => 'invalid' })
+    sanitized = sanitizer.sanitize(:account_update)
 
-    test 'handles auth keys as a hash' do
-      swap Devise, authentication_keys: {email: true} do
-        sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
-        assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
-      end
-    end
+    assert_equal({ 'email' => 'jose' }, sanitized)
+  end
 
-    test 'filters some parameters on sign up by default' do
-      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
-      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_up))
-    end
+  test 'permits news parameters for an existing action' do
+    sanitizer = sanitizer('user' => { 'username' => 'jose' })
+    sanitizer.permit(:sign_in, keys: [:username])
+    sanitized = sanitizer.sanitize(:sign_in)
+
+    assert_equal({ 'username' => 'jose' }, sanitized)
+  end
 
-    test 'filters some parameters on account update by default' do
-      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
-      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:account_update))
+  test 'permits news parameters for an existing action with a block' do
+    sanitizer = sanitizer('user' => { 'username' => 'jose' })
+    sanitizer.permit(:sign_in) do |user|
+      user.permit(:username)
     end
 
-    test 'allows custom hooks' do
-      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
-      sanitizer.for(:sign_in) { |user| user.permit(:email, :password) }
-      assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
+    sanitized = sanitizer.sanitize(:sign_in)
+
+    assert_equal({ 'username' => 'jose' }, sanitized)
+  end
+
+  test 'permit parameters for new actions' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose@omglol', 'name' => 'Jose' })
+    sanitizer.permit(:invite_user, keys: [:email, :name])
+
+    sanitized = sanitizer.sanitize(:invite_user)
+
+    assert_equal({ 'email' => 'jose@omglol', 'name' => 'Jose' }, sanitized)
+  end
+
+  test 'fails when we do not have any permitted parameters for the action' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose', 'password' => 'invalid' })
+
+    assert_raise NotImplementedError do
+      sanitizer.sanitize(:unknown)
     end
+  end
+
+  test 'removes permitted parameters' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose@omglol', 'username' => 'jose' })
 
-    test 'adding multiple permitted parameters' do
-      sanitizer = sanitizer(user: { "email" => "jose", "username" => "jose1", "role" => "valid" })
-      sanitizer.for(:sign_in).concat([:username, :role])
-      assert_equal({ "email" => "jose", "username" => "jose1", "role" => "valid" }, sanitizer.sanitize(:sign_in))
+    sanitizer.permit(:sign_in, keys: [:username], except: [:email])
+    sanitized = sanitizer.sanitize(:sign_in)
+
+    assert_equal({ 'username' => 'jose' }, sanitized)
+  end
+end
+
+class DeprecatedParameterSanitizerAPITest < ActiveSupport::TestCase
+  class CustomSanitizer < Devise::ParameterSanitizer
+    def sign_in
+      default_params.permit(:username)
     end
+  end
 
-    test 'removing multiple default parameters' do
-      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
-      sanitizer.for(:sign_in).delete(:email)
-      sanitizer.for(:sign_in).delete(:password)
-      assert_equal({ "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
+  def sanitizer(params)
+    params = ActionController::Parameters.new(params)
+    Devise::ParameterSanitizer.new(User, :user, params)
+  end
+
+  test 'overriding instance methods have precedence over the default sanitized attributes' do
+    assert_deprecated do
+      params =  ActionController::Parameters.new(user: { "username" => "jose", "name" => "Jose" })
+      sanitizer = CustomSanitizer.new(User, :user, params)
+
+      sanitized = sanitizer.sanitize(:sign_in)
+
+      assert_equal({ "username" => "jose" }, sanitized)
     end
+  end
 
-    test 'raises on unknown hooks' do
-      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
-      assert_raise NotImplementedError do
-        sanitizer.sanitize(:unknown)
-      end
+  test 'adding new parameters by mutating the Array' do
+    assert_deprecated do
+      sanitizer = sanitizer('user' => { 'username' => 'jose' })
+      sanitizer.for(:sign_in) << :username
+      sanitized = sanitizer.sanitize(:sign_in)
+
+      assert_equal({ 'username' => 'jose' }, sanitized)
     end
+  end
 
-    test 'passes parameters to filter as arguments to sanitizer' do
-      params = {user: stub}
-      sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+   test 'adding new parameters with a block' do
+     assert_deprecated do
+       sanitizer = sanitizer('user' => { 'username' => 'jose' })
+       sanitizer.for(:sign_in) { |user| user.permit(:username) }
 
-      params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+       sanitized = sanitizer.sanitize(:sign_in)
+
+       assert_equal({ 'username' => 'jose' }, sanitized)
+     end
+   end
+
+  test 'removing multiple default parameters' do
+    assert_deprecated do
+      sanitizer = sanitizer('user' => { 'email' => 'jose', 'password' => 'invalid', 'remember_me' => '1' })
+      sanitizer.for(:sign_in).delete(:email)
+      sanitizer.for(:sign_in).delete(:password)
+      sanitized = sanitizer.sanitize(:sign_in)
 
-      sanitizer.sanitize(:sign_in)
+      assert_equal({ 'remember_me' => '1' }, sanitized)
     end
   end
 end

data/test/rails_app/app/active_record/user.rb

@@ -1,6 +1,9 @@
 require 'shared_user'
+require 'active_model/serializers/xml' if Devise.rails5?
+require 'active_model-serializers' if Devise.rails5?
 
 class User < ActiveRecord::Base
   include Shim
   include SharedUser
+  include ActiveModel::Serializers::Xml if Devise.rails5?
 end

data/test/rails_app/app/controllers/admins_controller.rb

@@ -1,5 +1,5 @@
 class AdminsController < ApplicationController
-  before_filter :authenticate_admin!
+  before_action :authenticate_admin!
 
   def index
   end

data/test/rails_app/app/controllers/application_controller.rb

@@ -3,8 +3,8 @@
 
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_filter :current_user, unless: :devise_controller?
-  before_filter :authenticate_user!, if: :devise_controller?
+  before_action :current_user, unless: :devise_controller?
+  before_action :authenticate_user!, if: :devise_controller?
   respond_to *Mime::SET.map(&:to_sym)
 
   devise_group :commenter, contains: [:user, :admin]

data/test/rails_app/app/controllers/home_controller.rb

@@ -20,6 +20,10 @@ class HomeController < ApplicationController
   end
 
   def unauthenticated
-    render text: "unauthenticated", status: :unauthorized
+    if Devise.rails5?
+      render body: "unauthenticated", status: :unauthorized
+    else
+      render text: "unauthenticated", status: :unauthorized
+    end
   end
 end

data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -1,6 +1,6 @@
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def facebook
-    data = env["omniauth.auth"]
+    data = request.respond_to?(:get_header) ? request.get_header("omniauth.auth") : env["omniauth.auth"]
     session["devise.facebook_data"] = data["extra"]["user_hash"]
     render json: data
   end
@@ -9,6 +9,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     user = User.to_adapter.find_first(email: 'user@test.com')
     user.remember_me = true
     sign_in user
-    render text: ""
+    render (Devise.rails5? ? :body : :text) => ""
   end
 end

data/test/rails_app/app/controllers/users_controller.rb

@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
-  prepend_before_filter :current_user, only: :exhibit
-  before_filter :authenticate_user!, except: [:accept, :exhibit]
+  prepend_before_action :current_user, only: :exhibit
+  before_action :authenticate_user!, except: [:accept, :exhibit]
   respond_to :html, :xml
 
   def index
@@ -13,7 +13,7 @@ class UsersController < ApplicationController
   end
 
   def update_form
-    render text: 'Update'
+    render (Devise.rails5? ? :body : :text) => 'Update'
   end
 
   def accept
@@ -21,11 +21,11 @@ class UsersController < ApplicationController
   end
 
   def exhibit
-    render text: current_user ? "User is authenticated" : "User is not authenticated"
+    render (Devise.rails5? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
   end
 
   def expire
     user_session['last_request_at'] = 31.minutes.ago.utc
-    render text: 'User will be expired on next request'
+    render (Devise.rails5? ? :body : :text) => 'User will be expired on next request'
   end
 end

data/test/rails_app/config/application.rb

@@ -28,7 +28,7 @@ module RailsApp
 
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters << :password
-    config.assets.enabled = false
+    # config.assets.enabled = false
 
     config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
 

data/test/rails_app/config/boot.rb

@@ -3,9 +3,9 @@ unless defined?(DEVISE_ORM)
 end
 
 module Devise
-  # Detection for minor differences between Rails 3.2 and 4 in tests.
-  def self.rails4?
-    Rails.version.start_with? '4'
+  # Detection for minor differences between Rails 4 and 5 in tests.
+  def self.rails5?
+    Rails.version.start_with? '5'
   end
 end
 

data/test/rails_app/config/environments/test.rb

@@ -19,7 +19,12 @@ RailsApp::Application.configure do
   else
     config.serve_static_assets = true
   end
-  config.static_cache_control = "public, max-age=3600"
+
+  if Rails.version >= "5.0.0"
+    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
+  else
+    config.static_cache_control = "public, max-age=3600"
+  end
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true

data/test/rails_app/config/initializers/secret_token.rb

@@ -1,8 +1,3 @@
 config = Rails.application.config
 
-if Devise.rails4?
-  config.secret_key_base = 'd588e99efff13a86461fd6ab82327823ad2f8feb5dc217ce652cdd9f0dfc5eb4b5a62a92d24d2574d7d51dfb1ea8dd453ea54e00cf672159a13104a135422a10'
-else
-  config.secret_token = 'ea942c41850d502f2c8283e26bdc57829f471bb18224ddff0a192c4f32cdf6cb5aa0d82b3a7a7adbeb640c4b06f3aa1cd5f098162d8240f669b39d6b49680571'
-  config.session_store :cookie_store, key: "_my_app"
-end
+config.secret_key_base = 'd588e99efff13a86461fd6ab82327823ad2f8feb5dc217ce652cdd9f0dfc5eb4b5a62a92d24d2574d7d51dfb1ea8dd453ea54e00cf672159a13104a135422a10'

data/test/routes_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-ExpectedRoutingError = Devise.rails4? ? MiniTest::Assertion : ActionController::RoutingError
+ExpectedRoutingError = MiniTest::Assertion
 
 class DefaultRoutingTest < ActionController::TestCase
   test 'map new user session' do
@@ -202,37 +202,52 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for sessions' do
-    assert_recognizes({controller: 'devise/sessions', action: 'new'}, {path: '/htmlonly_admin/sign_in', method: :get})
+    expected_params = {controller: 'devise/sessions', action: 'new'}
+    expected_params[:format] = false if Devise.rails5?
+
+    assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in', method: :get})
     assert_raise ExpectedRoutingError do
-      assert_recognizes({controller: 'devise/sessions', action: 'new'}, {path: '/htmlonly_admin/sign_in.xml', method: :get})
+      assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in.xml', method: :get})
     end
   end
 
   test 'map with format false for passwords' do
-    assert_recognizes({controller: 'devise/passwords', action: 'create'}, {path: '/htmlonly_admin/password', method: :post})
+    expected_params = {controller: 'devise/passwords', action: 'create'}
+    expected_params[:format] = false if Devise.rails5?
+
+    assert_recognizes(expected_params, {path: '/htmlonly_admin/password', method: :post})
     assert_raise ExpectedRoutingError do
-      assert_recognizes({controller: 'devise/passwords', action: 'create'}, {path: '/htmlonly_admin/password.xml', method: :post})
+      assert_recognizes(expected_params, {path: '/htmlonly_admin/password.xml', method: :post})
     end
   end
 
   test 'map with format false for registrations' do
-    assert_recognizes({controller: 'devise/registrations', action: 'new'}, {path: '/htmlonly_admin/sign_up', method: :get})
+    expected_params = {controller: 'devise/registrations', action: 'new'}
+    expected_params[:format] = false if Devise.rails5?
+
+    assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up', method: :get})
     assert_raise ExpectedRoutingError do
-      assert_recognizes({controller: 'devise/registrations', action: 'new'}, {path: '/htmlonly_admin/sign_up.xml', method: :get})
+      assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up.xml', method: :get})
     end
   end
 
   test 'map with format false for confirmations' do
-    assert_recognizes({controller: 'devise/confirmations', action: 'show'}, {path: '/htmlonly_users/confirmation', method: :get})
+    expected_params = {controller: 'devise/confirmations', action: 'show'}
+    expected_params[:format] = false if Devise.rails5?
+
+    assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation', method: :get})
     assert_raise ExpectedRoutingError do
-      assert_recognizes({controller: 'devise/confirmations', action: 'show'}, {path: '/htmlonly_users/confirmation.xml', method: :get})
+      assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation.xml', method: :get})
     end
   end
 
   test 'map with format false for unlocks' do
-    assert_recognizes({controller: 'devise/unlocks', action: 'show'}, {path: '/htmlonly_users/unlock', method: :get})
+    expected_params = {controller: 'devise/unlocks', action: 'show'}
+    expected_params[:format] = false if Devise.rails5?
+
+    assert_recognizes(expected_params, {path: '/htmlonly_users/unlock', method: :get})
     assert_raise ExpectedRoutingError do
-      assert_recognizes({controller: 'devise/unlocks', action: 'show'}, {path: '/htmlonly_users/unlock.xml', method: :get})
+      assert_recognizes(expected_params, {path: '/htmlonly_users/unlock.xml', method: :get})
     end
   end