devise 3.5.2 → 3.5.3

data/lib/devise/models/recoverable.rb

@@ -16,10 +16,6 @@ module Devise
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
     #   User.find(1).reset_password('password123', 'password123')
     #
-    #   # only resets the user password, without saving the record
-    #   user = User.find(1)
-    #   user.reset_password('password123', 'password123')
-    #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
     #
@@ -31,8 +27,8 @@ module Devise
       end
 
       included do
-        before_save do
-          if email_changed? || encrypted_password_changed?
+        before_update do
+          if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
             clear_reset_password_token
           end
         end

data/lib/devise/rails/routes.rb

@@ -94,10 +94,24 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, path: 'accounts'
     #
-    #  * singular: setup the singular name for the given resource. This is used as the instance variable
-    #    name in controller, as the name in routes and the scope given to warden.
+    #  * singular: setup the singular name for the given resource. This is used as the helper methods
+    #    names in controller ("authenticate_#{singular}!", "#{singular}_signed_in?", "current_#{singular}"
+    #    and "#{singular}_session"), as the scope name in routes and as the scope given to warden.
     #
-    #      devise_for :users, singular: :user
+    #      devise_for :admins, singular: :manager
+    #
+    #      devise_scope :manager do
+    #        ...
+    #      end
+    #
+    #      class ManagerController < ApplicationController
+    #        before_filter authenticate_manager!
+    #
+    #        def show
+    #          @manager = current_manager
+    #          ...
+    #        end
+    #      end
     #
     #  * path_names: configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.

data/lib/devise/strategies/authenticatable.rb

@@ -27,7 +27,7 @@ module Devise
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
       # An optional block that will be triggered while validating can be optionally
-      # given as parameter. Check Devise::Models::Authenticable.valid_for_authentication?
+      # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #
       # In case the resource can't be validated, it will fail with the given

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.2".freeze
+  VERSION = "3.5.3".freeze
 end

data/lib/generators/devise/views_generator.rb

@@ -47,7 +47,7 @@ module Devise
       def view_directory(name, _target_path = nil)
         directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
           if scope
-            content.gsub "devise/shared/links", "#{scope}/shared/links"
+            content.gsub "devise/shared/links", "#{plural_scope}/shared/links"
           else
             content
           end
@@ -55,7 +55,11 @@ module Devise
       end
 
       def target_path
-        @target_path ||= "app/views/#{scope || :devise}"
+        @target_path ||= "app/views/#{plural_scope || :devise}"
+      end
+
+      def plural_scope
+        @plural_scope ||= scope.presence && scope.underscore.pluralize
       end
     end
 
@@ -83,6 +87,13 @@ module Devise
       source_root File.expand_path("../../templates/simple_form_for", __FILE__)
       desc "Copies simple form enabled views to your application."
       hide!
+
+      def copy_views
+        if options[:views]
+          options[:views].delete('mailer')
+        end
+        super
+      end
     end
 
     class ErbGenerator < Rails::Generators::Base #:nodoc:
@@ -111,7 +122,7 @@ module Devise
       end
 
       def target_path
-        "app/views/#{scope || :devise}/mailer"
+        "app/views/#{plural_scope || :devise}/mailer"
       end
     end
 

data/lib/generators/templates/devise.rb

@@ -105,6 +105,9 @@ Devise.setup do |config|
   # Setup a pepper to generate the encrypted password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'
 
+  # Send a notification email when the user's password is changed
+  # config.send_password_change_notification = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -2,4 +2,4 @@ Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %>
+[Confirm my account](<%= confirmation_url(@resource, confirmation_token: @token) %>)

data/lib/generators/templates/markerb/password_change.markerb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -2,7 +2,7 @@ Hello <%= @resource.email %>!
 
 Someone has requested a link to change your password, and you can do this through the link below.
 
-<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
+[Change my password](<%= edit_password_url(@resource, reset_password_token: @token) %>)
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -4,4 +4,4 @@ Your account has been locked due to an excessive number of unsuccessful sign in
 
 Click the link below to unlock your account:
 
-<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>
+[Unlock my account](<%= unlock_url(@resource, unlock_token: @token) %>)

data/test/controllers/helper_methods_test.rb

@@ -0,0 +1,21 @@
+require 'test_helper'
+
+class ApiController < ActionController::Metal
+  include Devise::Controllers::Helpers
+end
+
+class HelperMethodsTest < ActionController::TestCase
+  tests ApiController
+
+  test 'includes Devise::Controllers::Helpers' do
+    assert_includes @controller.class.ancestors, Devise::Controllers::Helpers
+  end
+
+  test 'does not respond_to helper_method' do
+    refute_respond_to @controller.class, :helper_method
+  end
+
+  test 'defines methods like current_user' do
+    assert_respond_to @controller, :current_user
+  end
+end

data/test/failure_app_test.rb

@@ -294,5 +294,22 @@ class FailureTest < ActiveSupport::TestCase
       assert @response.third.body.include?('<h2>Log in</h2>')
       assert @response.third.body.include?('Your account is not activated yet.')
     end
+
+    if Rails.application.config.respond_to?(:relative_url_root)
+      test 'calls the original controller with the proper environment considering the relative url root' do
+        swap Rails.application.config, relative_url_root: "/sample" do
+          env = {
+            "warden.options" => { recall: "devise/sessions#new", attempted_path: "/sample/users/sign_in"},
+            "devise.mapping" => Devise.mappings[:user],
+            "warden" => stub_everything
+          }
+          call_failure(env)
+          assert @response.third.body.include?('<h2>Log in</h2>')
+          assert @response.third.body.include?('Invalid email or password.')
+          assert_equal @request.env["SCRIPT_NAME"], '/sample'
+          assert_equal @request.env["PATH_INFO"], '/users/sign_in'
+        end
+      end
+    end
   end
 end

data/test/generators/views_generator_test.rb

@@ -46,6 +46,13 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_no_file "app/views/devise/mailer/confirmation_instructions.html.erb"
   end
 
+  test "Assert mailer specific directory with simple form" do
+    run_generator %w(-v mailer -b simple_form_for)
+    assert_file "app/views/devise/mailer/confirmation_instructions.html.erb"
+    assert_file "app/views/devise/mailer/reset_password_instructions.html.erb"
+    assert_file "app/views/devise/mailer/unlock_instructions.html.erb"
+  end
+
   test "Assert specified directories with scope" do
     run_generator %w(users -v sessions)
     assert_file "app/views/users/sessions/new.html.erb"

data/test/integration/omniauthable_test.rb

@@ -20,9 +20,11 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
       "credentials" => {"token" => 'plataformatec'},
       "extra" => {"user_hash" => FACEBOOK_INFO}
     }
+    OmniAuth.config.add_camelization 'facebook', 'FaceBook'
   end
 
   teardown do
+    OmniAuth.config.camelizations.delete('facebook')
     OmniAuth.config.test_mode = false
   end
 
@@ -40,7 +42,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "can access omniauth.auth in the env hash" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     json = ActiveSupport::JSON.decode(response.body)
 
@@ -54,7 +56,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign up" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -75,7 +77,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on cancel" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -86,7 +88,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign in" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -96,13 +98,13 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "sign in and send remember token if configured" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
     assert_nil warden.cookies["remember_user_token"]
 
     stub_action!(:sign_in_facebook) do
       create_user
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
       assert warden.authenticated?(:user)
       assert warden.cookies["remember_user_token"]
     end
@@ -118,16 +120,16 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
     OmniAuth.config.mock_auth[:facebook] = :access_denied
     visit "/users/auth/facebook/callback?error=access_denied"
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Access denied".'
+    assert_contain 'Could not authenticate you from FaceBook because "Access denied".'
   end
 
   test "handles other exceptions from OmniAuth" do
     OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Invalid credentials".'
+    assert_contain 'Could not authenticate you from FaceBook because "Invalid credentials".'
   end
 end

data/test/integration/timeoutable_test.rb

@@ -24,6 +24,18 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_equal old_last_request, last_request_at
   end
 
+  test 'does not set last request at in user session after each request if timeoutable is disabled' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    new_time = 2.seconds.from_now
+    Time.stubs(:now).returns(new_time)
+
+    get users_path, {}, 'devise.skip_timeoutable' => true
+    assert_equal old_last_request, last_request_at
+  end
+
   test 'does not time out user session before default limit time' do
     sign_in_as_user
     assert_response :success

data/test/models/confirmable_test.rb

@@ -250,6 +250,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.reload.active_for_authentication?
   end
 
+  test 'should not break when a user tries to reset their password in the case where confirmation is not required and confirm_within is set' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      user.instance_eval { def confirmation_required?; false end }
+      user.confirmation_sent_at = nil
+      user.save
+      assert user.reload.confirm!
+    end
+  end
+
   test 'should find a user to send email instructions for the user confirm its email by authentication_keys' do
     swap Devise, authentication_keys: [:username, :email] do
       user = create_user

data/test/models/database_authenticatable_test.rb

@@ -3,6 +3,10 @@ require 'test_models'
 require 'digest/sha1'
 
 class DatabaseAuthenticatableTest < ActiveSupport::TestCase
+  def setup
+    setup_mailer
+  end
+
   test 'should downcase case insensitive keys when saving' do
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
@@ -225,6 +229,22 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "can't be blank", user.errors[:current_password].join
   end
 
+  test 'should not email on password change' do
+    user = create_user
+    assert_email_not_sent do
+      assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+    end
+  end
+
+  test 'should email on password change when configured' do
+    swap Devise, send_password_change_notification: true do
+      user = create_user
+      assert_email_sent user.email do
+        assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+      end
+    end
+  end
+
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")

data/test/models/lockable_test.rb

@@ -14,7 +14,7 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test "should increment failed_attempts on successfull validation if the user is already locked" do
+  test "should increment failed_attempts on successful validation if the user is already locked" do
     user = create_user
     user.confirm
 

data/test/models/recoverable_test.rb

@@ -42,6 +42,17 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil user.reset_password_token
   end
 
+  test 'should not clear reset password token for new user' do
+    user = new_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+
+    user.save
+    assert_present user.reset_password_token
+  end
+
   test 'should clear reset password token if changing password' do
     user = create_user
     assert_nil user.reset_password_token
@@ -65,6 +76,18 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil user.reset_password_token
   end
 
+  test 'should clear reset password successfully even if there is no email' do
+    user = create_user_without_email
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
   test 'should not clear reset password token if record is invalid' do
     user = create_user
     user.send_reset_password_instructions

data/test/models_test.rb

@@ -92,13 +92,20 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 end
 
+module StubModelFilters
+  def stub_filter(name)
+    define_singleton_method(name) { |*| nil }
+  end
+end
+
 class CheckFieldsTest < ActiveSupport::TestCase
   test 'checks if the class respond_to the required fields' do
     Player = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -113,9 +120,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute and shows the missing attribute if the class doesn\'t respond_to one of the attributes' do
     Clown = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -130,9 +138,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute with all the missing attributes if there is more than one' do
     Magician = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
     end