devise 4.2.0 → 4.2.1

data/lib/devise.rb

@@ -153,7 +153,11 @@ module Devise
   mattr_accessor :pepper
   @@pepper = nil
 
-  # Used to enable sending notification to user when their password is changed
+  # Used to send notification to the original user email when their email is changed.
+  mattr_accessor :send_email_changed_notification
+  @@send_email_changed_notification = false
+
+  # Used to enable sending notification to user when their password is changed.
   mattr_accessor :send_password_change_notification
   @@send_password_change_notification = false
 

data/lib/devise/controllers/store_location.rb

@@ -29,7 +29,7 @@ module Devise
       # Example:
       #
       #   store_location_for(:user, dashboard_path)
-      #   redirect_to user_omniauth_authorize_path(:facebook)
+      #   redirect_to user_facebook_omniauth_authorize_path
       #
       def store_location_for(resource_or_scope, location)
         session_key = stored_location_key_for(resource_or_scope)

data/lib/devise/failure_app.rb

@@ -2,9 +2,9 @@ require "action_controller/metal"
 
 module Devise
   # Failure application that will be called every time :warden is thrown from
-  # any strategy or hook. Responsible for redirect the user to the sign in
-  # page based on current scope and mapping. If no scope is given, redirect
-  # to the default_url.
+  # any strategy or hook. It is responsible for redirecting the user to the sign
+  # in page based on current scope and mapping. If no scope is given, it
+  # redirects to the default_url.
   class FailureApp < ActionController::Metal
     include ActionController::UrlFor
     include ActionController::Redirecting
@@ -160,12 +160,12 @@ module Devise
       %w(html */*).include? request_format.to_s
     end
 
-    # Choose whether we should respond in a http authentication fashion,
+    # Choose whether we should respond in an HTTP authentication fashion,
     # including 401 and optional headers.
     #
-    # This method allows the user to explicitly disable http authentication
-    # on ajax requests in case they want to redirect on failures instead of
-    # handling the errors on their own. This is useful in case your ajax API
+    # This method allows the user to explicitly disable HTTP authentication
+    # on AJAX requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your AJAX API
     # is the same as your public API and uses a format like JSON (so you
     # cannot mark JSON as a navigational format).
     def http_auth?
@@ -176,7 +176,7 @@ module Devise
       end
     end
 
-    # It does not make sense to send authenticate headers in ajax requests
+    # It doesn't make sense to send authenticate headers in AJAX requests
     # or if the user disabled them.
     def http_auth_header?
       scope_class.http_authenticatable && !request.xhr?
@@ -225,10 +225,10 @@ module Devise
       warden_options[:attempted_path]
     end
 
-    # Stores requested uri to redirect the user after signing in. We cannot use
-    # scoped session provided by warden here, since the user is not authenticated
-    # yet, but we still need to store the uri based on scope, so different scopes
-    # would never use the same uri to redirect.
+    # Stores requested URI to redirect the user after signing in. We can't use
+    # the scoped session provided by warden here, since the user is not
+    # authenticated yet, but we still need to store the URI based on scope, so
+    # different scopes would never use the same URI to redirect.
     def store_location!
       store_location_for(scope, attempted_path) if request.get? && !http_auth?
     end

data/lib/devise/hooks/lockable.rb

@@ -2,6 +2,9 @@
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
+    unless record.failed_attempts.to_i.zero?
+      record.failed_attempts = 0
+      record.save(validate: false)
+    end
   end
 end

data/lib/devise/mailers/helpers.rb

@@ -5,15 +5,16 @@ module Devise
 
       included do
         include Devise::Controllers::ScopedViews
-        attr_reader :scope_name, :resource
       end
 
       protected
 
+      attr_reader :scope_name, :resource
+
       # Configure default email options
-      def devise_mail(record, action, opts={})
+      def devise_mail(record, action, opts = {}, &block)
         initialize_from_record(record)
-        mail headers_for(action, opts)
+        mail headers_for(action, opts), &block
       end
 
       def initialize_from_record(record)

data/lib/devise/models.rb

@@ -12,7 +12,7 @@ module Devise
 
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
+    #   Devise::Models.config(Devise::Models::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

data/lib/devise/models/confirmable.rb

@@ -26,7 +26,9 @@ module Devise
     #     initial account confirmation) to be applied. Requires additional unconfirmed_email
     #     db field to be set up (t.reconfirmable in migrations). Until confirmed, new email is
     #     stored in unconfirmed email column, and copied to email column on successful
-    #     confirmation.
+    #     confirmation. Also, when used in conjunction with `send_email_changed_notification`,
+    #     the notification is sent to the original email when the change is requested,
+    #     not when the unconfirmed email is confirmed.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
     #     You can use this to force the user to confirm within a set period of time.
     #     Confirmable will not generate a new token if a repeat confirmation is requested
@@ -223,7 +225,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -277,6 +279,16 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && self.email.present?
         end
 
+        # With reconfirmable, notify the original email when the user first
+        # requests the email change, instead of when the change is confirmed.
+        def send_email_changed_notification?
+          if self.class.reconfirmable
+            self.class.send_email_changed_notification && reconfirmation_required?
+          else
+            super
+          end
+        end
+
         # A callback initiated after successfully confirming. This can be
         # used to insert your own logic that is only run after the user successfully
         # confirms.

data/lib/devise/models/database_authenticatable.rb

@@ -14,6 +14,10 @@ module Devise
     #
     #   * +stretches+: the cost given to bcrypt.
     #
+    #   * +send_email_changed_notification+: notify original email when it changes.
+    #
+    #   * +send_password_change_notification+: notify email when password changes.
+    #
     # == Examples
     #
     #    User.find(1).valid_password?('password123')         # returns true/false
@@ -22,6 +26,7 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
+        after_update :send_email_changed_notification, if: :send_email_changed_notification?
         after_update :send_password_change_notification, if: :send_password_change_notification?
 
         attr_reader :password, :current_password
@@ -132,6 +137,12 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
+      # Send notification to user when email changes.
+      def send_email_changed_notification
+        send_devise_notification(:email_changed, to: email_was)
+      end
+
+      # Send notification to user when password changes.
       def send_password_change_notification
         send_devise_notification(:password_change)
       end
@@ -147,12 +158,16 @@ module Devise
         Devise::Encryptor.digest(self.class, password)
       end
 
+      def send_email_changed_notification?
+        self.class.send_email_changed_notification && email_changed?
+      end
+
       def send_password_change_notification?
         self.class.send_password_change_notification && encrypted_password_changed?
       end
 
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches, :send_password_change_notification)
+        Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
 
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on

data/lib/devise/models/recoverable.rb

@@ -33,10 +33,14 @@ module Devise
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
       def reset_password(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-
-        save
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
+        end
       end
 
       # Resets reset password token and send reset password instructions by email.

data/lib/devise/models/rememberable.rb

@@ -74,7 +74,7 @@ module Devise
         elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
-          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
             "or have a remember_token column in your model or implement your own " \
             "rememberable_value in the model with custom logic."

data/lib/devise/rails/routes.rb

@@ -338,7 +338,7 @@ module ActionDispatch::Routing
 
     # Sets the devise scope to be used in the controller. If you have custom routes,
     # you are required to call this method (also aliased as :as) in order to specify
-    # to which controller it is targetted.
+    # to which controller it is targeted.
     #
     #   as :user do
     #     get "sign_in", to: "devise/sessions#new"

data/lib/devise/test/controller_helpers.rb

@@ -65,7 +65,7 @@ module Devise
           scope = resource
           resource = deprecated
 
-          ActiveSupport::Deprecation.warn <<-DEPRECATION
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
             [Devise] sign_in(:#{scope}, resource) on controller tests is deprecated and will be removed from Devise.
             Please use sign_in(resource, scope: :#{scope}) instead.
           DEPRECATION

data/lib/devise/test_helpers.rb

@@ -2,7 +2,7 @@ module Devise
   module TestHelpers
     def self.included(base)
       base.class_eval do
-        ActiveSupport::Deprecation.warn <<-DEPRECATION
+        ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
           [Devise] including `Devise::TestHelpers` is deprecated and will be removed from Devise.
           For controller tests, please include `Devise::Test::ControllerHelpers` instead.
         DEPRECATION

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.2.0".freeze
+  VERSION = "4.2.1".freeze
 end

data/lib/generators/templates/controllers/registrations_controller.rb

@@ -1,6 +1,6 @@
 class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsController
-# before_action :configure_sign_up_params, only: [:create]
-# before_action :configure_account_update_params, only: [:update]
+  # before_action :configure_sign_up_params, only: [:create]
+  # before_action :configure_account_update_params, only: [:update]
 
   # GET /resource/sign_up
   # def new

data/lib/generators/templates/controllers/sessions_controller.rb

@@ -1,5 +1,5 @@
 class <%= @scope_prefix %>SessionsController < Devise::SessionsController
-# before_action :configure_sign_in_params, only: [:create]
+  # before_action :configure_sign_in_params, only: [:create]
 
   # GET /resource/sign_in
   # def new

data/lib/generators/templates/devise.rb

@@ -110,7 +110,10 @@ Devise.setup do |config|
   # Set up a pepper to generate the hashed password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'
 
-  # Send a notification email when the user's password is changed
+  # Send a notification to the original email when the user's email is changed.
+  # config.send_email_changed_notification = false
+
+  # Send a notification email when the user's password is changed.
   # config.send_password_change_notification = false
 
   # ==> Configuration for :confirmable

data/lib/generators/templates/markerb/email_changed.markerb

@@ -0,0 +1,7 @@
+Hello <%= @email %>!
+
+<% if @resource.try(:unconfirmed_email?) %>
+We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.
+<% else %>
+We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
+<% end %>

data/lib/generators/templates/markerb/password_change.markerb

@@ -1,3 +1,3 @@
-<p>Hello <%= @resource.email %>!</p>
+Hello <%= @resource.email %>!
 
-<p>We're contacting you to notify you that your password has been changed.</p>
+We're contacting you to notify you that your password has been changed.

data/test/controllers/helpers_test.rb

@@ -164,8 +164,8 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     @controller.instance_variable_set(:@current_user, user)
     @controller.instance_variable_set(:@current_admin, user)
     @controller.sign_out
-    assert_equal nil, @controller.instance_variable_get(:@current_user)
-    assert_equal nil, @controller.instance_variable_get(:@current_admin)
+    assert_nil @controller.instance_variable_get(:@current_user)
+    assert_nil @controller.instance_variable_get(:@current_admin)
   end
 
   test 'sign out logs out and clears up any signed in user by scope' do
@@ -175,7 +175,7 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     @mock_warden.expects(:clear_strategies_cache!).with(scope: :user).returns(true)
     @controller.instance_variable_set(:@current_user, user)
     @controller.sign_out(:user)
-    assert_equal nil, @controller.instance_variable_get(:@current_user)
+    assert_nil @controller.instance_variable_get(:@current_user)
   end
 
   test 'sign out accepts a resource as argument' do

data/test/integration/authenticatable_test.rb

@@ -245,7 +245,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
     end
   end
 
-  test 'not signed in users should see unautheticated page (unauthenticated accepted)' do
+  test 'not signed in users should see unauthenticated page (unauthenticated accepted)' do
     get join_path
 
     assert_response :success

data/test/mailers/email_changed_test.rb

@@ -0,0 +1,130 @@
+require 'test_helper'
+
+class EmailChangedTest < ActionMailer::TestCase
+  def setup
+    setup_mailer
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'test@example.com'
+    Devise.send_email_changed_notification = true
+  end
+
+  def teardown
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
+    Devise.send_email_changed_notification = false
+  end
+
+  def user
+    @user ||= create_user.tap { |u|
+      @original_user_email = u.email
+      u.update_attributes!(email: 'new-email@example.com')
+    }
+  end
+
+  def mail
+    @mail ||= begin
+      user
+      ActionMailer::Base.deliveries.last
+    end
+  end
+
+  test 'email sent after changing the user email' do
+    assert_not_nil mail
+  end
+
+  test 'content type should be set to html' do
+    assert mail.content_type.include?('text/html')
+  end
+
+  test 'send email changed to the original user email' do
+    mail
+    assert_equal [@original_user_email], mail.to
+  end
+
+  test 'set up sender from configuration' do
+    assert_equal ['test@example.com'], mail.from
+  end
+
+  test 'set up sender from custom mailer defaults' do
+    Devise.mailer = 'Users::Mailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'set up sender from custom mailer defaults with proc' do
+    Devise.mailer = 'Users::FromProcMailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'custom mailer renders parent mailer template' do
+    Devise.mailer = 'Users::Mailer'
+    assert_present mail.body.encoded
+  end
+
+  test 'set up reply to as copy from sender' do
+    assert_equal ['test@example.com'], mail.reply_to
+  end
+
+  test 'set up reply to as different if set in defaults' do
+    Devise.mailer = 'Users::ReplyToMailer'
+    assert_equal ['custom@example.com'], mail.from
+    assert_equal ['custom_reply_to@example.com'], mail.reply_to
+  end
+
+  test 'set up subject from I18n' do
+    store_translations :en, devise: { mailer: { email_changed: { subject: 'Email Has Changed' } } } do
+      assert_equal 'Email Has Changed', mail.subject
+    end
+  end
+
+  test 'subject namespaced by model' do
+    store_translations :en, devise: { mailer: { email_changed: { user_subject: 'User Email Has Changed' } } } do
+      assert_equal 'User Email Has Changed', mail.subject
+    end
+  end
+
+  test 'body should have user info' do
+    body = mail.body.encoded
+    assert_match "Hello #{@original_user_email}", body
+    assert_match "has been changed to #{user.email}", body
+  end
+end
+
+class EmailChangedReconfirmationTest < ActionMailer::TestCase
+  def setup
+    setup_mailer
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'test@example.com'
+    Devise.send_email_changed_notification = true
+  end
+
+  def teardown
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
+    Devise.send_email_changed_notification = false
+  end
+
+  def admin
+    @admin ||= create_admin.tap { |u|
+      @original_admin_email = u.email
+      u.update_attributes!(email: 'new-email@example.com')
+    }
+  end
+
+  def mail
+    @mail ||= begin
+      admin
+      ActionMailer::Base.deliveries[-2]
+    end
+  end
+
+  test 'send email changed to the original user email' do
+    mail
+    assert_equal [@original_admin_email], mail.to
+  end
+
+  test 'body should have unconfirmed user info' do
+    body = mail.body.encoded
+    assert_match admin.email, body
+    assert_match "is being changed to #{admin.unconfirmed_email}", body
+  end
+end