devise 4.4.3 → 4.5.0
- checksums.yaml +4 -4
- data/.travis.yml +12 -11
- data/CHANGELOG.md +23 -1
- data/Gemfile +2 -2
- data/Gemfile.lock +82 -73
- data/README.md +17 -18
- data/app/controllers/devise/registrations_controller.rb +1 -1
- data/app/controllers/devise_controller.rb +1 -1
- data/app/views/devise/passwords/edit.html.erb +1 -1
- data/app/views/devise/registrations/edit.html.erb +3 -3
- data/app/views/devise/registrations/new.html.erb +2 -2
- data/app/views/devise/sessions/new.html.erb +1 -1
- data/gemfiles/Gemfile.rails-4.1-stable.lock +2 -2
- data/gemfiles/Gemfile.rails-4.2-stable.lock +2 -2
- data/gemfiles/Gemfile.rails-5.0-stable.lock +2 -2
- data/gemfiles/Gemfile.rails-5.2-rc1.lock +2 -2
- data/guides/bug_report_templates/integration_test.rb +1 -1
- data/lib/devise/controllers/sign_in_out.rb +3 -0
- data/lib/devise/failure_app.rb +2 -0
- data/lib/devise/models/authenticatable.rb +31 -24
- data/lib/devise/models/database_authenticatable.rb +7 -7
- data/lib/devise/models/trackable.rb +8 -1
- data/lib/devise/parameter_filter.rb +2 -0
- data/lib/devise/parameter_sanitizer.rb +13 -1
- data/lib/devise/secret_key_finder.rb +2 -0
- data/lib/devise/strategies/database_authenticatable.rb +3 -1
- data/lib/devise/version.rb +1 -1
- data/lib/generators/active_record/devise_generator.rb +5 -5
- data/lib/generators/devise/orm_helpers.rb +2 -2
- data/lib/generators/mongoid/devise_generator.rb +5 -5
- data/lib/generators/templates/devise.rb +7 -0
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +5 -1
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +6 -1
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +4 -1
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +11 -3
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +11 -3
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +7 -2
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +4 -1
- data/test/failure_app_test.rb +6 -0
- data/test/integration/confirmable_test.rb +5 -5
- data/test/integration/database_authenticatable_test.rb +13 -0
- data/test/mailers/email_changed_test.rb +2 -2
- data/test/models/confirmable_test.rb +14 -14
- data/test/models/database_authenticatable_test.rb +10 -3
- data/test/models/trackable_test.rb +18 -0
- data/test/parameter_sanitizer_test.rb +28 -0
- data/test/rails_app/config/initializers/devise.rb +5 -0
- data/test/rails_app/lib/lazy_load_test_module.rb +5 -0
- data/test/secret_key_finder_test.rb +24 -0
- metadata +5 -3
@@ -22,7 +22,7 @@ class DeviseController < Devise.parent_controller.constantize
|
|
22
22
|
# Action Controller tests that forces _prefixes to be
|
23
23
|
# loaded before even having a request object.
|
24
24
|
#
|
25
|
-
# This method should be public as it is
|
25
|
+
# This method should be public as it is in ActionPack
|
26
26
|
# itself. Changing its visibility may break other gems.
|
27
27
|
def _prefixes #:nodoc:
|
28
28
|
@_prefixes ||= if self.class.scoped_views? && request && devise_mapping
|
@@ -9,7 +9,7 @@
|
|
9
9
|
<% if @minimum_password_length %>
|
10
10
|
<em>(<%= @minimum_password_length %> characters minimum)</em><br />
|
11
11
|
<% end %>
|
12
|
-
<%= f.password_field :password, autofocus: true, autocomplete: "
|
12
|
+
<%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
|
13
13
|
</div>
|
14
14
|
|
15
15
|
<div class="field">
|
@@ -14,7 +14,7 @@
|
|
14
14
|
|
15
15
|
<div class="field">
|
16
16
|
<%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
|
17
|
-
<%= f.password_field :password, autocomplete: "
|
17
|
+
<%= f.password_field :password, autocomplete: "new-password" %>
|
18
18
|
<% if @minimum_password_length %>
|
19
19
|
<br />
|
20
20
|
<em><%= @minimum_password_length %> characters minimum</em>
|
@@ -23,12 +23,12 @@
|
|
23
23
|
|
24
24
|
<div class="field">
|
25
25
|
<%= f.label :password_confirmation %><br />
|
26
|
-
<%= f.password_field :password_confirmation, autocomplete: "
|
26
|
+
<%= f.password_field :password_confirmation, autocomplete: "new-password" %>
|
27
27
|
</div>
|
28
28
|
|
29
29
|
<div class="field">
|
30
30
|
<%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
|
31
|
-
<%= f.password_field :current_password, autocomplete: "
|
31
|
+
<%= f.password_field :current_password, autocomplete: "current-password" %>
|
32
32
|
</div>
|
33
33
|
|
34
34
|
<div class="actions">
|
@@ -13,12 +13,12 @@
|
|
13
13
|
<% if @minimum_password_length %>
|
14
14
|
<em>(<%= @minimum_password_length %> characters minimum)</em>
|
15
15
|
<% end %><br />
|
16
|
-
<%= f.password_field :password, autocomplete: "
|
16
|
+
<%= f.password_field :password, autocomplete: "new-password" %>
|
17
17
|
</div>
|
18
18
|
|
19
19
|
<div class="field">
|
20
20
|
<%= f.label :password_confirmation %><br />
|
21
|
-
<%= f.password_field :password_confirmation, autocomplete: "
|
21
|
+
<%= f.password_field :password_confirmation, autocomplete: "new-password" %>
|
22
22
|
</div>
|
23
23
|
|
24
24
|
<div class="actions">
|
@@ -21,7 +21,7 @@ GIT
|
|
21
21
|
PATH
|
22
22
|
remote: ..
|
23
23
|
specs:
|
24
|
-
devise (4.
|
24
|
+
devise (4.5.0)
|
25
25
|
bcrypt (~> 3.0)
|
26
26
|
orm_adapter (~> 0.1)
|
27
27
|
railties (>= 4.1.0, < 6.0)
|
@@ -54,7 +54,7 @@ GEM
|
|
54
54
|
thread_safe (~> 0.1)
|
55
55
|
tzinfo (~> 1.1)
|
56
56
|
arel (5.0.1.20140414130214)
|
57
|
-
bcrypt (3.1.
|
57
|
+
bcrypt (3.1.12)
|
58
58
|
bson (3.2.6)
|
59
59
|
builder (3.2.3)
|
60
60
|
concurrent-ruby (1.0.5)
|
@@ -57,7 +57,7 @@ GIT
|
|
57
57
|
PATH
|
58
58
|
remote: ..
|
59
59
|
specs:
|
60
|
-
devise (4.
|
60
|
+
devise (4.5.0)
|
61
61
|
bcrypt (~> 3.0)
|
62
62
|
orm_adapter (~> 0.1)
|
63
63
|
railties (>= 4.1.0, < 6.0)
|
@@ -68,7 +68,7 @@ GEM
|
|
68
68
|
remote: https://rubygems.org/
|
69
69
|
specs:
|
70
70
|
arel (6.0.4)
|
71
|
-
bcrypt (3.1.
|
71
|
+
bcrypt (3.1.12)
|
72
72
|
bson (3.2.6)
|
73
73
|
builder (3.2.3)
|
74
74
|
concurrent-ruby (1.0.5)
|
@@ -10,7 +10,7 @@ GIT
|
|
10
10
|
PATH
|
11
11
|
remote: ..
|
12
12
|
specs:
|
13
|
-
devise (4.
|
13
|
+
devise (4.5.0)
|
14
14
|
bcrypt (~> 3.0)
|
15
15
|
orm_adapter (~> 0.1)
|
16
16
|
railties (>= 4.1.0, < 6.0)
|
@@ -58,7 +58,7 @@ GEM
|
|
58
58
|
minitest (~> 5.1)
|
59
59
|
tzinfo (~> 1.1)
|
60
60
|
arel (7.1.4)
|
61
|
-
bcrypt (3.1.
|
61
|
+
bcrypt (3.1.12)
|
62
62
|
builder (3.2.3)
|
63
63
|
concurrent-ruby (1.0.5)
|
64
64
|
erubis (2.7.0)
|
@@ -10,7 +10,7 @@ GIT
|
|
10
10
|
PATH
|
11
11
|
remote: ..
|
12
12
|
specs:
|
13
|
-
devise (4.
|
13
|
+
devise (4.5.0)
|
14
14
|
bcrypt (~> 3.0)
|
15
15
|
orm_adapter (~> 0.1)
|
16
16
|
railties (>= 4.1.0, < 6.0)
|
@@ -62,7 +62,7 @@ GEM
|
|
62
62
|
minitest (~> 5.1)
|
63
63
|
tzinfo (~> 1.1)
|
64
64
|
arel (9.0.0)
|
65
|
-
bcrypt (3.1.
|
65
|
+
bcrypt (3.1.12)
|
66
66
|
builder (3.2.3)
|
67
67
|
concurrent-ruby (1.0.5)
|
68
68
|
crass (1.0.3)
|
@@ -19,6 +19,9 @@ module Devise
|
|
19
19
|
# Sign in a user that already was authenticated. This helper is useful for logging
|
20
20
|
# users in after sign up. All options given to sign_in is passed forward
|
21
21
|
# to the set_user method in warden.
|
22
|
+
# If you are using a custom warden strategy and the timeoutable module, you have to
|
23
|
+
# set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
|
24
|
+
# in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
|
22
25
|
#
|
23
26
|
# Examples:
|
24
27
|
#
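Review bot: The new comment points readers at `sessions_controller.rb#L7` on the master branch, so the line anchor will drift as soon as that file changes and the explanation about `env["devise.skip_timeout"]` will then point at the wrong line. Since the note is about a technique rather than a location, it would age better phrased as `# in the sessions controller (see sign_in's use of env["devise.skip_timeout"] in SessionsController#create)`, or with the URL pinned to a tagged release instead of master. The `sign_in` method this comment documents starts after the hunk.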
|
data/lib/devise/failure_app.rb
CHANGED
@@ -134,16 +134,18 @@ module Devise
|
|
134
134
|
# This is an internal method called every time Devise needs
|
135
135
|
# to send a notification/mail. This can be overridden if you
|
136
136
|
# need to customize the e-mail delivery logic. For instance,
|
137
|
-
# if you are using a queue to deliver e-mails (
|
138
|
-
# sidekiq, resque, etc), you must add the delivery to the queue
|
137
|
+
# if you are using a queue to deliver e-mails (active job, delayed
|
138
|
+
# job, sidekiq, resque, etc), you must add the delivery to the queue
|
139
139
|
# just after the transaction was committed. To achieve this,
|
140
140
|
# you can override send_devise_notification to store the
|
141
|
-
# deliveries until the after_commit callback is triggered
|
141
|
+
# deliveries until the after_commit callback is triggered.
|
142
|
+
#
|
143
|
+
# The following example uses Active Job's `deliver_later` :
|
142
144
|
#
|
143
145
|
# class User
|
144
146
|
# devise :database_authenticatable, :confirmable
|
145
147
|
#
|
146
|
-
# after_commit :
|
148
|
+
# after_commit :send_pending_devise_notifications
|
147
149
|
#
|
148
150
|
# protected
|
149
151
|
#
|
@@ -152,38 +154,43 @@ module Devise
|
|
152
154
|
# # delivery until the after_commit callback otherwise
|
153
155
|
# # send now because after_commit will not be called.
|
154
156
|
# if new_record? || changed?
|
155
|
-
#
|
157
|
+
# pending_devise_notifications << [notification, args]
|
156
158
|
# else
|
157
|
-
#
|
158
|
-
# Remove once we move to Rails 4.2+ only.
|
159
|
-
# if message.respond_to?(:deliver_now)
|
160
|
-
# message.deliver_now
|
161
|
-
# else
|
162
|
-
# message.deliver
|
163
|
-
# end
|
159
|
+
# render_and_send_devise_message(notification, *args)
|
164
160
|
# end
|
165
161
|
# end
|
166
162
|
#
|
167
|
-
#
|
168
|
-
#
|
169
|
-
#
|
170
|
-
#
|
171
|
-
#
|
172
|
-
# message.deliver_now
|
173
|
-
# else
|
174
|
-
# message.deliver
|
175
|
-
# end
|
163
|
+
# private
|
164
|
+
#
|
165
|
+
# def send_pending_devise_notifications
|
166
|
+
# pending_devise_notifications.each do |notification, args|
|
167
|
+
# render_and_send_devise_message(notification, *args)
|
176
168
|
# end
|
177
169
|
#
|
178
170
|
# # Empty the pending notifications array because the
|
179
171
|
# # after_commit hook can be called multiple times which
|
180
172
|
# # could cause multiple emails to be sent.
|
181
|
-
#
|
173
|
+
# pending_devise_notifications.clear
|
174
|
+
# end
|
175
|
+
#
|
176
|
+
# def pending_devise_notifications
|
177
|
+
# @pending_devise_notifications ||= []
|
182
178
|
# end
|
183
179
|
#
|
184
|
-
# def
|
185
|
-
#
|
180
|
+
# def render_and_send_devise_message(notification, *args)
|
181
|
+
# message = devise_mailer.send(notification, self, *args)
|
182
|
+
#
|
183
|
+
# # Deliver later with Active Job's `deliver_later`
|
184
|
+
# if message.respond_to?(:deliver_later)
|
185
|
+
# message.deliver_later
|
186
|
+
# # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
|
187
|
+
# elsif message.respond_to?(:deliver_now)
|
188
|
+
# message.deliver_now
|
189
|
+
# else
|
190
|
+
# message.deliver
|
191
|
+
# end
|
186
192
|
# end
|
193
|
+
#
|
187
194
|
# end
|
188
195
|
#
|
189
196
|
def send_devise_notification(notification, *args)
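Review bot: The example's `render_and_send_devise_message` builds the message with `devise_mailer.send(notification, self, *args)` and then calls `message.deliver_later`, but the comment does not mention that deferring delivery hands those mailer arguments to the job backend for storage; for Devise mailers the args are presumably the raw confirmation, unlock or reset tokens, so the queue store becomes part of the token's trust boundary. One sentence after `# Deliver later with Active Job's deliver_later` would let integrators pick and protect the backend accordingly, e.g. `# The mailer arguments (including any raw token) are serialised into the job store; treat that store as sensitive.` The `send_devise_notification` definition on the hunk's last line continues outside the hunk.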
|
@@ -73,11 +73,11 @@ module Devise
|
|
73
73
|
end
|
74
74
|
|
75
75
|
result = if valid_password?(current_password)
|
76
|
-
|
76
|
+
update(params, *options)
|
77
77
|
else
|
78
|
-
|
79
|
-
|
80
|
-
|
78
|
+
assign_attributes(params, *options)
|
79
|
+
valid?
|
80
|
+
errors.add(:current_password, current_password.blank? ? :blank : :invalid)
|
81
81
|
false
|
82
82
|
end
|
83
83
|
|
@@ -101,7 +101,7 @@ module Devise
|
|
101
101
|
params.delete(:password)
|
102
102
|
params.delete(:password_confirmation)
|
103
103
|
|
104
|
-
result =
|
104
|
+
result = update(params, *options)
|
105
105
|
clean_up_passwords
|
106
106
|
result
|
107
107
|
end
|
@@ -113,8 +113,8 @@ module Devise
|
|
113
113
|
result = if valid_password?(current_password)
|
114
114
|
destroy
|
115
115
|
else
|
116
|
-
|
117
|
-
|
116
|
+
valid?
|
117
|
+
errors.add(:current_password, current_password.blank? ? :blank : :invalid)
|
118
118
|
false
|
119
119
|
end
|
120
120
|
|
@@ -22,7 +22,7 @@ module Devise
|
|
22
22
|
self.last_sign_in_at = old_current || new_current
|
23
23
|
self.current_sign_in_at = new_current
|
24
24
|
|
25
|
-
old_current, new_current = self.current_sign_in_ip, request
|
25
|
+
old_current, new_current = self.current_sign_in_ip, extract_ip_from(request)
|
26
26
|
self.last_sign_in_ip = old_current || new_current
|
27
27
|
self.current_sign_in_ip = new_current
|
28
28
|
|
@@ -39,6 +39,13 @@ module Devise
|
|
39
39
|
update_tracked_fields(request)
|
40
40
|
save(validate: false)
|
41
41
|
end
|
42
|
+
|
43
|
+
protected
|
44
|
+
|
45
|
+
def extract_ip_from(request)
|
46
|
+
request.remote_ip
|
47
|
+
end
|
48
|
+
|
42
49
|
end
|
43
50
|
end
|
44
51
|
end
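Review bot: `extract_ip_from` is introduced as a protected hook without a comment saying what it returns or why it is overridable, and its only implementation delegates to `request.remote_ip`, which Rails derives from forwarded headers according to its trusted-proxy settings rather than from the socket peer. Because the first hunk in this section persists the result into `current_sign_in_ip`/`last_sign_in_ip`, an app behind a proxy that has not configured trusted proxies will record a header-supplied address; that is a deployment concern rather than a defect here, but the hook is the natural place to say so. I'd add above the method: `# IP stored in current_sign_in_ip/last_sign_in_ip. Defaults to request.remote_ip (proxy-aware per Rails' trusted_proxies); override if your deployment derives the client address differently.` The enclosing module and `update_tracked_fields!` begin before the hunk.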
|
@@ -18,6 +18,8 @@ module Devise
|
|
18
18
|
|
19
19
|
def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
|
20
20
|
condition_keys.each do |k|
|
21
|
+
next unless conditions.key?(k)
|
22
|
+
|
21
23
|
value = conditions[k]
|
22
24
|
conditions[k] = value.send(method) if value.respond_to?(method)
|
23
25
|
end
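Review bot: The added `next unless conditions.key?(k)` guard has no comment explaining what it prevents, and the surrounding lines make the motivation hard to reconstruct: for an absent key `conditions[k]` would presumably have returned nil, which does not respond to the string methods this filter applies, so the old code already skipped the `send`. If the point is to avoid touching or auto-creating the key on parameter objects or hashes with a default, a one-liner such as `# Do not read absent keys: some condition containers materialise a value on access.` would record that; if it was a different failure, the comment should name it. The enclosing class continues outside the hunk.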
|
@@ -135,7 +135,19 @@ module Devise
|
|
135
135
|
end
|
136
136
|
|
137
137
|
def default_params
|
138
|
-
|
138
|
+
if hashable_resource_params?
|
139
|
+
@params.fetch(@resource_name)
|
140
|
+
else
|
141
|
+
empty_params
|
142
|
+
end
|
143
|
+
end
|
144
|
+
|
145
|
+
def hashable_resource_params?
|
146
|
+
@params[@resource_name].respond_to?(:permit)
|
147
|
+
end
|
148
|
+
|
149
|
+
def empty_params
|
150
|
+
ActionController::Parameters.new({})
|
139
151
|
end
|
140
152
|
|
141
153
|
def permit_keys(parameters, keys)
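Review bot: `hashable_resource_params?` actually tests `respond_to?(:permit)`, i.e. whether `@params[@resource_name]` is a permit-capable parameters object, so the name under-describes the check and nothing states why it exists — reading the new `default_params`, its effect is that a resource key submitted as a scalar or array yields `empty_params` instead of raising when `permit` is later called. I'd add above the predicate `# The resource key may arrive as a scalar or array rather than a hash; only a permit-capable value is sanitized, anything else is treated as no params.` and would consider the name `permittable_resource_params?`. `@params[@resource_name]` is also read twice (once here, once via `fetch`), which is harmless but could be a single lookup. The enclosing class continues outside the hunk.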
|
@@ -13,6 +13,8 @@ module Devise
|
|
13
13
|
@application.secrets.secret_key_base
|
14
14
|
elsif @application.config.respond_to?(:secret_key_base) && key_exists?(@application.config)
|
15
15
|
@application.config.secret_key_base
|
16
|
+
elsif @application.respond_to?(:secret_key_base) && key_exists?(@application)
|
17
|
+
@application.secret_key_base
|
16
18
|
end
|
17
19
|
end
|
18
20
|
|
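Review bot: The new `elsif @application.respond_to?(:secret_key_base) && key_exists?(@application)` branch reads the key straight from the application object, but nothing records why it is tried after the `secrets` and `config` lookups, so a reader cannot tell whether the precedence is deliberate. A short comment above it would settle that: `# Newer Rails exposes secret_key_base on the application itself; checked last so an explicit secrets/config value still wins.` The `key_exists?` helper that gates all three branches, and the start of the enclosing method, are outside the hunk — if that helper only checks presence, a blank value presumably falls through to the next branch, which looks intended.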
data/lib/devise/version.rb
CHANGED
@@ -54,11 +54,11 @@ module ActiveRecord
|
|
54
54
|
t.datetime :remember_created_at
|
55
55
|
|
56
56
|
## Trackable
|
57
|
-
t.integer :sign_in_count, default: 0, null: false
|
58
|
-
t.datetime :current_sign_in_at
|
59
|
-
t.datetime :last_sign_in_at
|
60
|
-
t.#{ip_column} :current_sign_in_ip
|
61
|
-
t.#{ip_column} :last_sign_in_ip
|
57
|
+
# t.integer :sign_in_count, default: 0, null: false
|
58
|
+
# t.datetime :current_sign_in_at
|
59
|
+
# t.datetime :last_sign_in_at
|
60
|
+
# t.#{ip_column} :current_sign_in_ip
|
61
|
+
# t.#{ip_column} :last_sign_in_ip
|
62
62
|
|
63
63
|
## Confirmable
|
64
64
|
# t.string :confirmation_token
|
@@ -6,9 +6,9 @@ module Devise
|
|
6
6
|
def model_contents
|
7
7
|
buffer = <<-CONTENT
|
8
8
|
# Include default devise modules. Others available are:
|
9
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
9
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
10
10
|
devise :database_authenticatable, :registerable,
|
11
|
-
:recoverable, :rememberable, :
|
11
|
+
:recoverable, :rememberable, :validatable
|
12
12
|
|
13
13
|
CONTENT
|
14
14
|
buffer
|
@@ -34,11 +34,11 @@ module Mongoid
|
|
34
34
|
field :remember_created_at, type: Time
|
35
35
|
|
36
36
|
## Trackable
|
37
|
-
field :sign_in_count, type: Integer, default: 0
|
38
|
-
field :current_sign_in_at, type: Time
|
39
|
-
field :last_sign_in_at, type: Time
|
40
|
-
field :current_sign_in_ip, type: String
|
41
|
-
field :last_sign_in_ip, type: String
|
37
|
+
# field :sign_in_count, type: Integer, default: 0
|
38
|
+
# field :current_sign_in_at, type: Time
|
39
|
+
# field :last_sign_in_at, type: Time
|
40
|
+
# field :current_sign_in_ip, type: String
|
41
|
+
# field :last_sign_in_ip, type: String
|
42
42
|
|
43
43
|
## Confirmable
|
44
44
|
# field :confirmation_token, type: String
|
@@ -280,4 +280,11 @@ Devise.setup do |config|
|
|
280
280
|
# When using OmniAuth, Devise cannot automatically set OmniAuth path,
|
281
281
|
# so you need to do it manually. For the users scope, it would be:
|
282
282
|
# config.omniauth_path_prefix = '/my_engine/users/auth'
|
283
|
+
|
284
|
+
# ==> Turbolinks configuration
|
285
|
+
# If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:
|
286
|
+
#
|
287
|
+
# ActiveSupport.on_load(:devise_failure_app) do
|
288
|
+
# include Turbolinks::Controller
|
289
|
+
# end
|
283
290
|
end
|
@@ -5,7 +5,11 @@
|
|
5
5
|
<%= f.full_error :confirmation_token %>
|
6
6
|
|
7
7
|
<div class="form-inputs">
|
8
|
-
<%= f.input :email,
|
8
|
+
<%= f.input :email,
|
9
|
+
required: true,
|
10
|
+
autofocus: true,
|
11
|
+
value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email),
|
12
|
+
input_html: { autocomplete: "email" } %>
|
9
13
|
</div>
|
10
14
|
|
11
15
|
<div class="form-actions">
|